Post-scam health check
The 7-point routine to run quarterly for 24 months, then annually thereafter, to catch follow-on fraud, identity-theft markers, and credit-file mis-applications years after the initial incident. Criminal sucker-lists circulate for years — the vigilance window doesn't end when your bank refunds you.
Last reviewed: 14 May 2026 · ScamSupport research
Why ongoing checks matter
Three structural facts about post-scam risk:
- Criminal sucker-lists are commercial assets. Your contact details, the fact that you've been scammed, and any ID data captured all have ongoing resale value on criminal forums for years.
- Identity-theft applications appear on victim files 2-5 years after the original breach. CIFAS publishes annual fraud reports confirming this delayed-onset pattern.
- Recovery scams target known victims. The FCA logged 4,465 fake-FCA recovery-scam reports in just H1 2025. The pool of targets is people known to have been previously scammed.
The check routine below takes about 30 minutes per quarter, a small cost for the 24-month high-risk window.
The quarterly checklist (run every 3 months for 24 months)
1. Pull free credit reports from all 3 UK agencies
You are entitled to a free statutory report from each agency every month:
- Experian — free monthly statutory report
- Equifax — free monthly statutory report
- TransUnion — free monthly statutory report (or via Credit Karma which pulls from TransUnion)
What to look for: new credit accounts you didn't open, hard credit searches you didn't authorise, address changes, name variants, new associated persons.
2. Check CIFAS Protective Registration status
Confirm it's still active. CIFAS Protective Registration runs for 2 years per fee payment, so note the renewal date in your calendar with a 30-day reminder. If you have not yet registered, follow the setup walkthrough first.
3. Bank-statement spot-check
Pull the last 3 months of every active account (current account, savings, ISA, credit card). Look for: small recurring debits you don't recognise (£0.50–£5 monthly is the classic test-the-card pattern); direct debits with unfamiliar names; standing orders you didn't set up.
4. Email security review
For each email address you use for banking or ID verification:
- Check haveibeenpwned.com for new breaches involving that address.
- Confirm 2FA is on for your email itself (the highest-leverage account because email reset flows depend on it).
- Review forwarding rules and filters; takeover attempts by scammers often leave silent forwarding rules in place so the criminal receives a copy of every password-reset email.
5. Phone number / SIM swap check
If your mobile number is associated with any 2FA: call your mobile carrier and ask whether any SIM swap, port-out, or number-change request has been logged in the last 3 months. SIM-swap fraud is one of the few attack vectors that defeats SMS-based 2FA.
6. Open-banking authorisations review
If you use Wise, Monzo, Revolut or Starling, review the "connected apps" / "open banking authorisations" list in each and revoke anything you don't recognise or no longer use.
7. Recovery-scam contact review
Have you been contacted in the last 3 months by anyone offering to recover your previous losses? Especially anyone claiming to be "FCA-approved", "ex-FBI" or "blockchain forensic experts", or asking for an upfront fee? All recovery offers asking for upfront payment are scams. Forward any such messages to Report Fraud and add them to your master log. See the recovery-scam warning.
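As an added example (not part of the original page), the small Python script below applies step 3's test-the-card rule to a constructed statement export: it flags any payee not already on your verified list that took a debit of £0.50 to £5.00 in two or more distinct months of the last three. All payee names, dates and amounts are made up; KNOWN_PAYEES stands in for the verified payees you would keep in your master log.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample statement: (ISO date, payee as printed, signed amount in GBP).
# Negative amounts are debits. This is made-up data, not a real statement.
SAMPLE_STATEMENT = [
    ("2026-02-03", "TESCO STORES 2041", "-42.17"),
    ("2026-02-11", "APPLE.COM/BILL", "-0.99"),
    ("2026-02-20", "DD BRITISH GAS", "-78.00"),
    ("2026-02-27", "SALARY ACME LTD", "2400.00"),
    ("2026-03-02", "PARKING APP", "-2.00"),       # one-off small debit: not recurring
    ("2026-03-11", "APPLE.COM/BILL", "-0.99"),
    ("2026-03-14", "XYZ DIGITAL SVCS", "-1.50"),  # unfamiliar, small, repeats monthly
    ("2026-03-22", "DD BRITISH GAS", "-78.00"),
    ("2026-04-11", "APPLE.COM/BILL", "-0.99"),
    ("2026-04-16", "XYZ DIGITAL SVCS", "-1.50"),
    ("2026-04-21", "DD BRITISH GAS", "-78.00"),
]

# Payees you have already verified (hypothetical; a real run takes these from your master log).
KNOWN_PAYEES = {"TESCO STORES 2041", "APPLE.COM/BILL", "DD BRITISH GAS"}

# The classic test-the-card band named in step 3.
SMALL_MIN, SMALL_MAX = Decimal("0.50"), Decimal("5.00")


def _month_index(d):
    return d.year * 12 + d.month


def find_small_recurring_debits(rows, known_payees, as_of="2026-04-30", months=3):
    """Return {payee: [debit dates]} for unfamiliar payees that took a debit of
    £0.50-£5.00 in at least two distinct months of the last `months` months."""
    newest = _month_index(date.fromisoformat(as_of))
    hits = defaultdict(list)
    for iso, payee, amount in rows:
        amt = Decimal(amount)
        if newest - _month_index(date.fromisoformat(iso)) >= months:
            continue                      # outside the review window
        if amt >= 0 or not (SMALL_MIN <= -amt <= SMALL_MAX):
            continue                      # a credit, or not in the test-the-card band
        if payee.upper() in known_payees:
            continue                      # already verified on the master log
        hits[payee.upper()].append(iso)
    # Require the same payee in two or more distinct months (YYYY-MM prefix).
    return {p: sorted(ds) for p, ds in hits.items() if len({d[:7] for d in ds}) >= 2}


if __name__ == "__main__":
    for payee, dates in find_small_recurring_debits(SAMPLE_STATEMENT, KNOWN_PAYEES).items():
        print(f"QUERY WITH BANK: {payee} on {', '.join(dates)}")
```

Anything the script prints is a query to raise with the bank, not proof of fraud; a genuine subscription you forgot about is the usual benign explanation.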
The annual deep-check (run every 12 months for 5 years)
In addition to the quarterly routine:
- Full credit-file deep-dive — open every line item, verify your understanding of each entry. Anything unfamiliar gets queried with the agency.
- HMRC tax summary cross-check — log into your HMRC personal tax account. Verify your employment record, NI contributions, and self-assessment status all match what you expect. Identity-fraud via PAYE / Self Assessment is a documented attack vector.
- DWP entitlements cross-check — if you receive benefits, log in and verify your payment record and active claims. Some identity-fraud variants involve making claims in the victim's name.
- Pension provider check — log into your pension provider portal; verify your address, beneficiary nomination, and current value haven't been changed without your knowledge.
- Email password rotation — change the password on every email account associated with banking 2FA. Use a password manager.
- Documented compromise audit — review your master log of the original incident. Any ID documents you uploaded to a phishing site within the last 12 months that you haven't yet replaced — replace this year.
What to keep on a master log
One small document (paper or in your password manager) with:
- Original incident date and Report Fraud reference number.
- List of every credential or piece of data compromised.
- List of every protective action taken (CIFAS registered DD/MM/YYYY, bank changed DD/MM/YYYY, etc.).
- Quarterly-check completion dates and findings.
- Any subsequent suspicious contact, with date and Report Fraud reference if reported.
This becomes invaluable evidence if a fraud surfaces years later. It also speeds up conversations with banks, the FOS and Report Fraud, who can then see the documented timeline.
Calendar reminders to set right now
- Quarterly: 3, 6, 9, 12, 15, 18, 21, 24 months after original incident. Title: "Post-scam quarterly check (7 points)".
- CIFAS renewal: 30 days before your 2-year registration expires.
- Annual deep-check: every 12 months, on the original incident anniversary.
- 5-year sunset: optional reminder to review whether you should still maintain the active routine.