Someone Opened a Credit Card in Your Name. Here’s What to Do First, and What Can Wait.

You pulled your credit report, or you got a letter from a bank you’ve never used, or a collection agency called about a debt you’ve never heard of. Something is on your credit file that shouldn’t be there.

You’re not sure how bad this is. You’re not sure what to do first. And the guides you’re finding online all give you the same flat checklist: ten steps in no particular order of urgency, each one presented as if it matters exactly as much as the last.

I spent 20 years building identity protection products from the inside. I sat in the rooms where the recovery process got designed. Here’s the version of this guide that prioritizes what actually matters, in the order it actually matters.

Before You Pick Up the Phone: Confirm What You’re Looking At

Not everything unfamiliar on a credit report is fraud. Before you start making calls, take five minutes to rule out the simpler explanations.

Hard inquiries you don’t recognize

A hard inquiry means a company pulled your credit file, usually because you or someone applied for credit in your name. But the company name on the inquiry doesn’t always match the brand you’d recognize. An auto insurance quote can generate one. A cell phone plan application can generate one. Check whether the inquiry date matches any legitimate application you made, and search the company name online before assuming fraud.

Accounts you don’t recognize

This is a stronger signal. Credit card issuers sometimes report under a parent company name that doesn’t match the card brand. But an account you genuinely never opened, especially one with a balance, late payments, or derogatory marks, is the real red flag.

Look at the specific data fields: the account open date, the reported balance, the creditor name, and the account status. If none of those match anything you’ve done, you’re looking at fraud.

Collection notices for debts you don’t owe

This is often the first sign people actually notice. A collection agency contacts you about a debt you’ve never heard of, from a creditor you’ve never used. That usually means a fraudulent account went delinquent and got sold to collections. The original fraud may have happened months or even years ago.

If you’ve confirmed you’re looking at something that genuinely isn’t yours, here’s the sequence that matters.

The First 24 Hours: What Actually Matters Right Now

Every recovery guide you’ll find online presents the steps as a flat list. In practice, some of these steps are significantly more time-sensitive than others. Here’s what to do first, and why.

Call the fraud department at the institution where the fraudulent account appears

This is step one because it stops the bleeding. Tell them the account was opened through identity theft. Ask them to close or freeze it immediately. Ask them to stop reporting it to the credit bureaus. And ask them to send you copies of the application, delivery address, card-activation details, and transaction records associated with the account.

That last part matters more than most guides let on. Federal law gives identity theft victims the right to request certain records related to fraudulent accounts from the business involved. After a proper written request, a company may be required to provide records such as account applications, invoices, statements, or transaction records connected to the fraud. Those records can help you document the identity theft, understand the scope of the fraud, and strengthen your dispute documentation later.

Get a case number or reference number before you hang up. Write down the name of the representative and the date and time of the call.

Place a fraud alert at one bureau

Contact any one of the three major credit bureaus, Equifax, Experian, or TransUnion, and place a one-year initial fraud alert. Under federal law, the bureau you contact must notify the other two. One call covers all three files.

A fraud alert tells lenders to take extra steps to verify your identity before opening new credit in your name. It’s not a guarantee that new accounts won’t be opened, but it raises the bar. And it’s fast: one phone call or online request, done in minutes.

Freeze your credit at all three bureaus

A fraud alert asks lenders to be more careful. A freeze blocks them from accessing your file entirely. Do both.

Unlike a fraud alert, a freeze must be placed separately with each bureau. Online or phone requests must be processed within one business day under federal law. The freeze prevents additional fraudulent accounts from being opened while you sort out the existing ones. It doesn’t affect your existing accounts, your credit score, or your ability to use the cards and loans you already have.

Our credit freeze guide walks through the full process at each bureau, including the phone numbers, websites, and mailing addresses.

Secure your own accounts

If someone had enough of your personal information to open a credit card in your name, they may also have enough to access your existing accounts. Change passwords on your email, banking, and any financial accounts. Enable two-factor authentication everywhere it’s available.

Start with email. Email is the master key to most of your online life. Most account recovery flows route through it. If someone controls your email, they can reset passwords on nearly everything else.

Why this order, and what can wait

The goal of the first 24 hours is containment: stop new accounts from being opened, shut down the fraudulent one, and lock down your existing accounts. The documentation and dispute work comes next.

The Next Few Days: Building Your Documentation

Once you’ve contained the immediate damage, the recovery process shifts from emergency response to documentation. This is where most guides rush through, and it’s where the process most commonly breaks down later if you skip steps.

File an identity theft report at IdentityTheft.gov

The FTC’s identity theft tool does more than just record your report. It generates a personalized recovery plan, creates an official FTC Identity Theft Report, and provides sample letters you can send to credit bureaus, debt collectors, and businesses.

That FTC Identity Theft Report is your most important document going forward. It’s what enables the faster dispute process I’ll describe in the next section. It’s what stops debt collectors in their tracks. It’s what entitles you to request business records from the company that opened the fraudulent account. Save it as a PDF. Print a copy. You’ll reference it repeatedly over the coming weeks.

File a police report

Not every police department will take a report for identity theft, especially if the fraud originated online or out of state. But having one on file is useful for several reasons: some creditors and bureaus still request it, it qualifies you for an extended fraud alert that lasts seven years instead of one, and it unlocks additional consumer rights under the Fair Credit Reporting Act.

Bring your FTC Identity Theft Report and a government-issued ID when you go. If your local department won’t take a report, document that you attempted it. Some states have specific procedures or affidavits for identity theft that supplement the federal process.

Pull your credit reports from all three bureaus

You’re entitled to free credit reports when you have a fraud alert in place, separate from your regular annual free reports through AnnualCreditReport.com. Pull all three. Fraudulent accounts don’t always appear on all three files, and the details sometimes differ across bureaus.

Go through each report line by line. Make a list of every item that shouldn’t be there: account name, account number, date opened, balance, and which bureau it appears on. Also check for unfamiliar addresses, phone numbers, or employers listed in your personal information section. Those can indicate the scope of the identity theft.

Start a paper trail

This is the practical advice most guides skip, and it’s the thing that will save you the most frustration over the coming weeks.

Get a folder, physical or digital, and start logging every interaction: dates of phone calls, names of representatives, reference numbers, what was said, what was promised. Send important communications by certified mail so you have proof of delivery.

The recovery process takes weeks to months. Your memory of call details from week one will be unreliable by week six. The log is what keeps you organized and gives you leverage if a company claims they never received something or promised something different.

The Dispute Process: What Actually Happens and How Long It Takes

This is the section where most recovery guides stop being useful. They tell you to “file a dispute” and move on. That’s like telling someone to “file their taxes” without explaining what happens after you submit the forms. Here’s what actually happens behind the scenes, and why the process takes as long as it does.

Two paths, and the distinction matters

There are two ways to dispute a fraudulent account on your credit report, and most guides don’t explain the difference.

The first is an ordinary credit report dispute under Section 611 of the Fair Credit Reporting Act (FCRA). You tell the bureau that information on your report is inaccurate. The bureau contacts the company that reported the information (called the “furnisher” in industry language, meaning the company that supplied the data to the credit bureau) and asks them to verify it. The bureau has 30 days to complete this investigation, extendable to 45 if you provide additional information during the process. After the investigation, the bureau has five business days to notify you of the result.

The second path is an identity theft block request under FCRA Section 605B. This is specifically for information that resulted from identity theft. When you submit a complete packet, which includes proof of your identity, your FTC Identity Theft Report, identification of the fraudulent information, and your statement that the account is not related to any transaction by you, the bureau must block that information within four business days.

What happens behind the scenes

When you file an ordinary dispute, the bureau sends your claim to the furnisher and asks them to verify the account. The furnisher reviews their records and responds. If they can’t verify the information, the item gets removed. If they verify it as accurate, it stays.

Here’s what most people don’t realize: “verified” usually just means the furnisher confirmed that their own records match what they reported. It does not mean they conducted a detailed investigation into whether the account was actually legitimate. They checked their database, the data matched, and they responded “verified.” In practice, this is the point where the process most commonly fails for identity theft victims, because the furnisher’s records show exactly what the fraudster set up.

This is why the identity theft block path, combined with a parallel dispute sent directly to the furnisher with your FTC report and supporting documentation, tends to produce better results. You’re giving both the bureau and the furnisher clear evidence that this is identity theft, not just a routine accuracy question.

The timeline nobody tells you

A single fraudulent account dispute can take 30 to 45 days through the ordinary process, or as few as four business days through the identity theft block path. But most victims aren’t dealing with a single item on a single bureau’s report.

If you have multiple fraudulent accounts across multiple bureaus, you’re running parallel disputes, each on its own clock. Complex cases with several accounts can stretch to 90 days or longer before everything is resolved. If a dispute comes back “verified” and you disagree, you can re-dispute with additional evidence, which effectively resets the clock.

Set your expectations honestly: this is a process measured in weeks to months, not days. Knowing that going in is better than discovering it at week three when you expected to be done.

When the process breaks down

The dispute process has specific failure points worth knowing about.

The furnisher verifies without investigating. This is the most common problem. The company responds with a generic verification because their records show the account exists. Your FTC Identity Theft Report and any business records you’ve obtained from the lender are your best tools for pushing back.

The bureau treats your dispute as routine. If you didn’t clearly frame it as identity theft with supporting documentation, the bureau may process it through the slower ordinary dispute path instead of the four-day block path.

Documentation gets lost. Certified mail with return receipt solves this. If you submitted online, screenshot your confirmation.

A resolved item reappears. This is called “reinsertion,” which is when a credit bureau adds back information it previously removed. There are specific legal requirements around it. Under the FCRA, a bureau that reinserts previously deleted information must notify you within five business days and provide you with the name and contact information of the furnisher that requested reinsertion.

If a bureau or furnisher fails to fix a plainly fraudulent item after the normal dispute window, the CFPB complaint portal is the cleanest federal escalation path. Companies generally respond to CFPB complaints within 15 days. The CFPB recommends waiting until the bureau’s normal 30-to-45-day investigation window has passed before filing a complaint, so the two processes don’t overlap.

If you’re dealing with a furnisher that stonewalls after repeated good-faith efforts, a consumer protection attorney who specializes in FCRA cases may be worth consulting. Many offer free initial consultations, and FCRA cases can be taken on contingency.

After the Immediate Recovery: What to Watch For

The information used to open one fraudulent account may be used again. Recovery doesn’t end when the dispute is resolved.

Monitor your credit reports for at least 12 months

The fraud alert you placed entitles you to additional free credit reports beyond your regular annual allotment. AnnualCreditReport.com currently provides free weekly online access from all three bureaus. Use it. Check regularly for at least a year after the incident.

Keep your credit freeze in place until you have a specific reason to lift it. It costs nothing, doesn’t expire, and continues working quietly in the background.

Consider whether a paid identity protection service makes sense

If your information is already in criminal circulation, ongoing monitoring and restoration support have concrete value. A monitoring service can watch for your SSN appearing in new verification transactions, alert you to changes across all three bureau files, and provide a restoration specialist if something happens again.

This isn’t a universal recommendation. If you’ve handled the recovery yourself and have disciplined habits, a credit freeze plus regular report checks may be enough. But if this incident revealed that your personal information is broadly compromised, or if you’ve been victimized before, the ongoing surveillance and professional recovery support are worth paying for.

Our piece on whether identity protection is worth it walks through that decision in detail. When you’re ready to compare specific services, our identity protection comparison covers what each provider actually offers at the feature level.

Check for downstream fraud

The same stolen information that enabled a fraudulent credit card can be used for other purposes. Check for these specifically:

Tax identity theft. Has anyone filed a tax return using your Social Security number? The IRS Identity Protection PIN program can prevent this going forward, and it’s free.

Employment identity theft. Is your SSN showing up in someone else’s employment records? You can review your Social Security earnings history through your my Social Security account at ssa.gov.

Medical identity theft. Has someone used your identity for medical services? Request and review your medical records at least once a year, and watch for explanation of benefits statements for services you didn’t receive.

Each of these fraud types requires different recovery steps. If your SSN was used for employment or tax fraud, the process is distinct from credit fraud recovery and involves different agencies.

The Honest Bottom Line

The identity theft recovery process is designed to work, but it’s not designed to be easy. It rewards documentation, persistence, and knowing which steps carry the most weight.

The most important things I can tell you from 20 years of watching people go through this: the first 24 hours matter more than most guides suggest, and the overall timeline is longer than most guides admit. Knowing both of those things puts you ahead of where most people start.

Prioritize containment first. Build your documentation carefully. Use the identity theft block path, not just the ordinary dispute process, when you have a clearly fraudulent account and your FTC report in hand. Keep a paper trail of everything. And set your expectations for a process that takes weeks to months, not days.

If you haven’t frozen your credit yet, start with our credit freeze guide. It’s the single most effective free step you can take to prevent this from happening again. If you’re weighing whether ongoing monitoring makes sense for your situation, our piece on whether identity protection is worth it covers that question directly.

---

Tom Reardon spent over 20 years in product and operations at major identity protection providers. He writes at MyScamGuide.com to give consumers the honest picture the industry’s marketing never did.

---

Recommended resources:

• IdentityTheft.gov: FTC’s official recovery resource, identity theft report generator, and sample letters
• AnnualCreditReport.com: free credit reports from all three bureaus
• IRS Identity Protection PIN: free SSN protection for tax filing
• CFPB identity theft guidance: consumer rights and dispute process
• CFPB complaint portal: for escalating dispute failures with bureaus or furnishers