Identity theft compounds: every day you don’t lock down the bleed, criminals open new accounts, take out loans, and harvest more data. This is the full UK recovery checklist — CIFAS, the three credit reference agencies, mobile port-out lockdown, email and 2FA hardening, Companies House director check, ICO complaint, ongoing monitoring — in priority order.
Last reviewed: 13 May 2026 · ScamSupport research
The 24-hour window matters most
The single most important thing about identity-theft recovery is that the speed at which you act determines how much further damage criminals can do. Every hour between data compromise and lockdown is an hour during which they can open a new credit card, take out a payday loan, register a phone number in your name, or impersonate you to a bank. The recovery sequence below is in priority order; the first six steps should be done within 24 hours.
Step 1 — CIFAS Protective Registration
CIFAS Protective Registration costs £25 for 2 years and flags your name and address across the entire UK financial-services industry. Any bank, lender, credit-card issuer or insurance company that runs a CIFAS check will see the flag and must apply enhanced verification before opening anything in your name. This is the single highest-value step you can take.
See our CIFAS Walkthrough for the full step-by-step on filing it. The process takes about 15 minutes online; the registration is active within 24-48 hours.
When CIFAS Protective Registration is essential
You’ve been the victim of a confirmed identity theft (new accounts opened in your name).
Your data has been compromised in a known data breach (especially banking, government, or major retailer breaches).
You’ve lost a physical document containing identity data (passport, driving licence, recent utility bill).
You’ve been phished and supplied sensitive personal data (DOB, address, bank details, NI number).
You’ve been a victim of a scam where the criminal harvested your personal details (most romance, pig-butchering, investment scams).
Step 2 — Lock cards and freeze the bleed
Call every bank, credit card issuer and lender where you hold an account and have them place a fraud alert on the account, lock any cards that may have been compromised, and reissue cards with new numbers. Use your bank’s emergency fraud line, not the customer-service line. The numbers are typically printed on the back of your card and on the bank’s website.
If you don’t know which cards may have been compromised: lock all of them. Reissuance is free and takes 3-5 working days. The cost of doing it unnecessarily is small; the cost of leaving a compromised card live can be substantial.
Step 3 — Pull your credit files from all three CRAs
The UK has three credit reference agencies (CRAs). Each holds a separate file. Identity thieves typically focus on one (because it’s the cheapest to query for their fraud target), so a clean file at one CRA doesn’t mean a clean file at the others.
Experian — free 30-day trial at experian.co.uk, then £14.99/month (cancel before trial ends). Or pay £2 for a one-off statutory credit report.
Equifax — free credit-report access at equifax.co.uk. The basic CreditScore service is free; the detailed report sometimes requires a paid tier.
TransUnion — free via Credit Karma at creditkarma.co.uk. Also available directly via TransUnion’s statutory disclosure route for £2.
Review each file for:
Accounts you don’t recognise (loans, credit cards, mobile contracts, mail-order accounts).
Hard searches you didn’t initiate (recent enquiries from lenders).
Addresses you don’t recognise (criminals often add a fake address to the file as a stepping stone).
County Court Judgments (CCJs) or insolvency markers you didn’t know about.
If you find anything: file a Notice of Correction with the CRA (free) and dispute the entry. The CRA has 28 days to investigate. Pair with police / Report Fraud reports if the underlying issue is criminal.
Step 4 — Mobile port-out lock + SIM-swap protection
Mobile number takeover (SIM swap) is the single largest gateway to bypassing 2FA. A criminal who controls your mobile number can intercept SMS codes for banking, email, and crypto exchanges — effectively gaining the keys to most online accounts.
Every UK mobile network supports a port-out PIN / port-out lock. Call your provider (EE, O2, Vodafone, Three, Tesco Mobile, etc.) and:
Set a port-out PIN: a separate code that’s required to port the number to another network. Have it added to your account with the provider.
Set an account PIN / password that’s required for any account changes by phone (including SIM swaps).
Ask the provider to flag the account as fraud-risk. Most networks will add a note requiring multi-factor verification for any SIM-swap or port-out request.
Switch from SMS 2FA to authenticator-app 2FA wherever possible (see Step 6 below). SMS 2FA is the weakest 2FA method; an authenticator app is account-bound, not number-bound.
Step 5 — Companies House director-misuse search
A growing identity-theft pattern is criminal registration of a UK limited company in the victim’s name. The criminal uses the company for VAT fraud, bounceback-loan fraud, or to apply for a business bank account that’s used to launder scam proceeds. The victim only finds out months later when HMRC contacts them about the company’s tax obligations.
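Search for your name on Companies House (find-and-update.company-information.service.gov.uk). If you find a company you don’t recognise, file a complaint immediately via Companies House. The dispute process can result in the company being struck off and the directorship removed.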
Contact HMRC’s Fraud Hotline on 0800 788 887 to flag potential tax fraud associated with the company.
File a Report Fraud report citing identity theft and company registration fraud.
Set up a free Companies House monitoring alert so you’re notified of any future filings in your name.
Step 6 — Email and 2FA lockdown
Your email is the master key. If criminals have access to your primary email, they can reset most other passwords. Treat email lockdown as urgent.
Change your email password to a long, unique passphrase — ideally generated by a password manager.
Enable 2FA via an authenticator app (Google Authenticator, Authy, 1Password, Bitwarden). Avoid SMS-based 2FA for high-value accounts; if you have it set, move to app-based 2FA.
Review all active sessions and devices via your email provider’s security panel. Sign out all sessions you don’t recognise.
Review forwarding rules and filters. A common tactic is to set a forwarding rule that copies all incoming email (including 2FA codes and password reset emails) to a criminal-controlled inbox. Delete any forwarding rule you didn’t set up.
Check “recently signed in” locations. Geographic anomalies (logins from unfamiliar countries) are red flags.
Set up account recovery options — a backup phone, a recovery email, a recovery key. Make sure these are accounts you control.
For every other significant account (banking, social media, crypto, government services): change the password and enable app-based 2FA. Use a password manager so each account has a unique password.
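The forwarding-rule review above can be done by script as well as by eye. This is an added example, not part of the original guide: it assumes a Gmail account, whose filters can be exported as an XML file (mailFilters.xml), and it also flags filters that silently delete or archive mail. The sample export and every address in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces used in Gmail's exported filter file (Atom feed + "apps" properties).
NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

# Constructed sample export: a harmless label filter, a forwarder that copies
# verification mail elsewhere, and a filter that bins a bank's security alerts.
SAMPLE = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry><title>Mail Filter</title>
    <apps:property name='from' value='newsletter@shop.example'/>
    <apps:property name='label' value='Shopping'/>
  </entry>
  <entry><title>Mail Filter</title>
    <apps:property name='hasTheWords' value='code OR reset OR verify'/>
    <apps:property name='forwardTo' value='inbox@unknown.example'/>
  </entry>
  <entry><title>Mail Filter</title>
    <apps:property name='from' value='security@bank.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>"""

def audit_filters(xml_text, my_addresses):
    """Return (filter_number, reason) for every filter that needs a manual look."""
    mine = {a.lower() for a in my_addresses}
    findings = []
    entries = ET.fromstring(xml_text).findall("atom:entry", NS)
    for number, entry in enumerate(entries, 1):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.findall("apps:property", NS)}
        # Any forward to an address you do not control is the tactic described above.
        target = props.get("forwardTo", "").lower()
        if target and target not in mine:
            findings.append((number, f"forwards to unrecognised address {target}"))
        # Filters that delete or archive mail can hide alerts from you.
        hides = [k for k in ("shouldTrash", "shouldArchive") if props.get(k) == "true"]
        if hides:
            criteria = props.get("from") or props.get("hasTheWords") or "all mail"
            findings.append((number, f"hides mail matching '{criteria}' ({', '.join(hides)})"))
    return findings

if __name__ == "__main__":
    for number, reason in audit_filters(SAMPLE, ["me@mail.example"]):
        print(f"filter #{number}: {reason}")
```

The export covers filters only; account-level forwarding is a separate setting in the provider’s panel and still has to be checked by hand.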
Step 7 — Subject Access Requests (SARs) to compromised services
If you know how your data was compromised (e.g. a specific data breach, a phishing email, a fake job-offer flow), file Subject Access Requests under the UK GDPR to:
The service that was breached: they must tell you what data of yours they hold, when it was last accessed, and whether they detected unauthorised access.
The bank that processed the fraudulent transactions (or the bank you suspect the criminals are using): they may be able to tell you which account was opened in your name and what activity occurred.
Mobile network: pull the full log of recent account changes, including SIM swap attempts and port-out activity.
Government services (HMRC, DVLA, Passport Office) if you suspect your identity has been used to interact with these.
SARs are free; the recipient has 1 month to respond. The information can be decisive for civil claims, ICO complaints, and ongoing police investigation.
Step 8 — Report to authorities
Report Fraud: file a report at reportfraud.police.uk or 0300 123 2040. Get the crime reference number. You need it for almost every other step.
Local police: if there’s evidence of ongoing fraud (e.g. mail arriving for accounts you didn’t open) or if specific suspects are known. Call 101 for non-emergency.
Information Commissioner’s Office (ICO): if your data was compromised by a data controller’s negligence. File at ico.org.uk. ICO complaints can result in regulatory action against the controller and may underpin a compensation claim.
National Cyber Security Centre (NCSC): forward any phishing emails that led to the compromise to report@phishing.gov.uk. NCSC takes down the originating sites.
If a bank or financial firm was negligent and contributed to the loss: complain to that firm, then escalate to the Financial Ombudsman Service after 8 weeks or once you have the firm’s final response.
Step 9 — Address-redirection check
A subtle identity-theft tactic is to redirect your mail via Royal Mail’s redirection service. Criminals submit a redirection in your name to a new address; this gives them access to bank cards, statements, and verification letters sent through the post for weeks or months.
Check whether any redirection has been set up against your address. Contact Royal Mail’s redirection team on 03457 740 740. If you find a redirection you didn’t set up: cancel it immediately and file a Royal Mail fraud report. This is one of the most under-reported identity-theft vectors.
Step 10 — Ongoing monitoring (12-24 months)
The risk of new fraudulent activity persists for 12-24 months after the initial compromise. Sustained monitoring matters.
Monthly credit-file review at all three CRAs. Most offer free monthly summary or trial monitoring.
Use a credit-monitoring service if you can’t commit to monthly manual review. Multiple free options (Credit Karma for TransUnion; ClearScore for Equifax; Experian Credit Score). These flag changes to your file automatically.
Bank statement review: scan each monthly statement for transactions you don’t recognise, no matter how small. Criminals often test compromised cards with £1 charges before larger transactions.
Inbox monitoring: any unexpected “welcome” email from a service you didn’t sign up to, password reset email you didn’t request, or notification of an address change you didn’t make — treat as a serious red flag and re-trigger the lockdown sequence.
Companies House alert: keep monitoring for any new filings in your name.
Renew CIFAS Protective Registration at the 2-year mark if any residual risk remains.
If money was actually stolen during the identity theft
Identity theft is usually the precursor to financial loss. If money has been stolen from your accounts or in your name:
Bank transfers: file a PSR Mandatory Reimbursement claim. See our PSR guide and use the PSR Claim Wizard.
Unauthorised loans / credit applications in your name: each lender has a fraud-marker process. You’re not liable for fraud applications you didn’t make; the lender writes off the debt and removes it from your credit file. The CIFAS marker (Step 1) supports this.
Once criminals hold your identity data, they typically use it in the following ways:
Open a credit card or loan in your name at a lender that doesn’t pull CIFAS. Many subprime lenders are less rigorous.
Apply for a payday loan online. Same logic: smaller-margin lenders invest less in fraud prevention.
Take out a mobile contract (or several) to harvest a phone number tied to your identity, then use that number for further fraud.
Set up a bank account in your name at a fintech with weaker KYC, then use the account as a mule.
Register a limited company at Companies House for tax fraud or bounceback-loan applications.
Sell your data on the black market: even after the criminal’s direct use, the data continues to circulate. CIFAS registration limits the damage from this secondary circulation.
What if the criminal is still active?
Sometimes you only discover the identity theft because the criminal is actively using your data and you start receiving the consequences. In that case:
Don’t engage directly. Don’t reply to texts or calls from anyone claiming to be debt collectors, banks, or service providers about accounts you don’t recognise. Treat all incoming communications as potentially compromised.
Document everything. Screenshot every text. Forward every email to report@phishing.gov.uk. Keep voicemail recordings.
Tighten 2FA on everything immediately. Move from SMS to app-based.
If you receive court orders, debt-collection letters, or HMRC letters about activities you didn’t do: respond formally citing identity theft, attaching the Report Fraud crime reference. Don’t ignore them — the silence-as-acceptance default can compound the damage.
Contact a citizens-advice service (citizensadvice.org.uk) for free guidance on the legal correspondence side.
Frequently asked questions
What should I do first if my identity has been stolen?
File a CIFAS Protective Registration immediately (£25 for 2 years) — it flags your name across the UK financial-services industry. Lock any potentially compromised cards. Pull your credit files from all three CRAs (Experian, Equifax, TransUnion). Set up a mobile port-out PIN. Change your email password and enable app-based two-factor authentication. Speed matters: every hour is one in which criminals can open new accounts or do more damage.
What is CIFAS Protective Registration?
CIFAS Protective Registration is a UK-wide fraud-prevention marker you place against your identity. Any bank, lender, credit-card issuer, or insurance company that runs a CIFAS check will see the flag and apply enhanced verification before opening anything in your name. It costs £25 for 2 years and takes about 15 minutes to file online.
How do I check my UK credit file for fraud after a scam?
Pull your file from all three Credit Reference Agencies — Experian (experian.co.uk), Equifax (equifax.co.uk), and TransUnion (via Credit Karma at creditkarma.co.uk). Each holds a separate file; a clean file at one doesn't mean clean at the others. Statutory credit reports cost £2 each. Look for unfamiliar accounts, hard searches you didn't initiate, addresses you don't recognise, and CCJ markers.
What is a mobile port-out PIN and why do I need one?
A port-out PIN is a separate code your mobile network requires before they'll transfer your number to another network. It prevents SIM-swap attacks — a major identity-theft vector where criminals take over your phone number to intercept SMS-based 2FA codes for banking, email, and crypto exchanges. Every UK mobile network (EE, O2, Vodafone, Three) supports setting one.
Can criminals register a UK company in my name as part of identity theft?
Yes. A growing pattern is criminal registration of UK limited companies in victims' names, used for VAT fraud, bounce-back-loan fraud, or to open business bank accounts for money laundering. Search your name on Companies House (find-and-update.company-information.service.gov.uk) and report any unfamiliar company immediately via Companies House plus HMRC's Fraud Hotline on 0800 788 887.
How long does identity-theft recovery take in the UK?
The first 6 steps (CIFAS registration, card lock, credit-file pull, mobile port-out PIN, Companies House check, email and 2FA lockdown) should be completed within 24 hours. Full remediation including dispute resolution with each affected lender, credit-file cleanup, and ongoing monitoring takes 12-24 months. Renew CIFAS Protective Registration at the 2-year mark if residual risk remains.