Identity theft protection: The free steps that matter most
Most paid identity-theft services market features you already get for free. Here's what actually moves the needle — and the small set of cases where paid monitoring earns its keep.
The most effective identity-theft defense is free. A credit freeze at all three bureaus blocks the single most damaging attack vector — fraudulent new credit accounts in your name — for $0 and about 15 minutes of work. Add the IRS IP-PIN, multi-factor auth on financial accounts, and a password manager, and you've covered 80–90% of the realistic threat.
Paid identity-theft services add a smaller layer on top. They're worth it for some people, overkill for others. Here's how to think about each.
The free stack — do all six
- Freeze credit at all three bureaus
- Enroll in the IRS Identity Protection PIN
- Set up a password manager
- Enable MFA on every financial + email account
- Add a SIM-swap port-out PIN with your phone carrier
- Review free annual credit reports
Each is detailed below. Together they take ~2 hours to set up the first time, and ~15 minutes/year of ongoing maintenance.
1. Credit freeze (the single biggest win)
A credit freeze locks your credit report so no new lender can pull it. Without a credit pull, no credit card, loan, mortgage, auto financing, or store credit can be opened in your name. Even if a thief has your full name, DOB, SSN, and address, they can't open new accounts.
How to freeze (free, ~5 min per bureau)
- Equifax: equifax.com/personal/credit-report-services/credit-freeze/
- Experian: experian.com/freeze
- TransUnion: transunion.com/credit-freeze
- Also worth freezing: Innovis (innovis.com), ChexSystems (chexsystems.com, blocks new bank accounts), NCTUE (nctue.com, blocks new mobile/utility accounts).
When you need to open new credit
Each bureau lets you temporarily lift the freeze online — usually instant or up to 24 hours. When applying for a new credit card or mortgage, just unfreeze the bureau the lender uses (or all three if you don't know), apply, then re-freeze. Zero cost, no permanent reduction in protection.
2. IRS Identity Protection PIN (IP-PIN)
A 6-digit code the IRS requires on your tax return for it to be accepted. Without your IP-PIN, the IRS rejects any return filed under your SSN. Effectively eliminates tax-refund fraud — one of the most common identity-theft monetization paths.
- Enroll at irs.gov/ippin with ID.me verification.
- The IRS issues a new IP-PIN each January; you use it on that year's return.
- If you lose your IP-PIN, you can retrieve it online or request a reissue.
- One-time setup, lifetime benefit. Roughly 10 minutes.
3. Password manager
The single biggest source of account compromise is password reuse — a breach at one site exposes credentials that work at others.
- Free options: Bitwarden (free tier), iCloud Keychain (Mac/iOS), Google Password Manager (Chrome). All sufficient for personal use.
- Paid: 1Password ($36/year), Dashlane (~$60/year). Worth it for the family-sharing features.
- Rule: Every site gets a unique 16+ character password the manager generates. You don't memorize them — you memorize one strong master password.
4. Multi-factor authentication (MFA)
Enable MFA on every account that touches your money or your identity. Email, every bank, every brokerage, every credit card login, your password manager itself, your Apple/Google ID.
Which kind of MFA
- Best: Hardware security key (YubiKey, ~$30–$50). Phishing-resistant. Use as primary on your most critical accounts (primary email, password manager, primary bank).
- Strong: Authenticator app (Authy, Google Authenticator, Microsoft Authenticator). Phishing-vulnerable but immune to SIM swaps.
- OK: SMS MFA. Better than nothing but vulnerable to SIM-swap attacks. Use only when no app option is offered.
- Avoid as PRIMARY: security questions ("mother's maiden name") — easily defeated by social media research.
5. SIM-swap port-out PIN
A SIM swap is when an attacker tricks your mobile carrier into transferring your phone number to their SIM card. Once they control your number, they can receive SMS MFA codes and break into accounts.
All major US carriers let you add a "port-out PIN" (called Number Transfer PIN at T-Mobile, NumberShield at AT&T, Account PIN at Verizon). With one set, the carrier won't transfer your number without it — defeating the SIM-swap path.
- Verizon: Account settings → Number Lock / Account PIN
- AT&T: Account settings → NumberShield
- T-Mobile: Profile → Privacy and Notifications → Number Transfer PIN
6. Annual credit report review
AnnualCreditReport.com is the only federally authorized source for free credit reports from Equifax, Experian, and TransUnion. You get one report per bureau per year (or now weekly under post-pandemic rules). Look for:
- Any account you didn't open
- Hard inquiries you don't recognize
- Addresses or employers you've never had
- Personal info changes you didn't make
For ongoing monitoring without paying a service, Credit Karma offers free credit-score and credit-report monitoring (TransUnion + Equifax) with alerts when new accounts appear.
The paid services — what they actually add
Paid identity-protection services (LifeLock by Norton, Aura, IdentityForce, Allstate Identity Protection) typically run $10–$30/month and bundle some mix of:
- Credit monitoring across all 3 bureaus with real-time alerts
- Dark-web monitoring (alerts when your SSN/email/passwords appear in known data dumps)
- Identity-theft insurance ($1M typical reimbursement cap for direct losses + recovery costs)
- Recovery specialists who help you unwind fraud — paperwork, calls to creditors, freeze coordination
- Address/court-records/social-media monitoring
When paid is worth it
- You've already been breached. Recovery support is real value when you're untangling existing fraud.
- You want the insurance. $1M coverage for direct losses + restoration costs (especially attorney/CPA fees) is a real protection layer.
- You don't trust yourself to monitor regularly. The "set it and forget it" appeal matters for some people.
- High public profile or wealth. If you're a high-value target, the layered defense and recovery support are justified.
When you can skip it
- You've done all six free steps above.
- You have a homeowner's or renter's insurance policy with an identity-theft endorsement (often a $25–$50/year add-on, much cheaper than standalone).
- Some premium credit cards (Chase Sapphire, Amex Platinum) bundle identity monitoring as a perk.
If you become a victim — the 24-hour playbook
- Go to IdentityTheft.gov (FTC's official site). Generate a recovery plan and Identity Theft Report — your standard documentation for creditor disputes.
- Place a fraud alert + freeze at all three bureaus immediately.
- Contact the affected institutions. Each fraudulent account: dispute it, close it, request written confirmation.
- File a police report at your local precinct. Required by some creditors for dispute documentation.
- Change passwords at every financial site, starting with your primary email (the recovery vector for everything else).
- Add the IRS IP-PIN if you haven't already — file Form 14039 to flag your account.
- Document everything. Keep a log of calls, dates, names, confirmation numbers. Recovery often takes 6–18 months for serious cases.
One thing most people get wrong
Paying for "dark web monitoring" doesn't prevent identity theft. It tells you AFTER your data has already leaked. Useful as one signal, but the prevention value of a credit freeze is orders of magnitude higher — and free.
Spend the $0 effectively before spending the $20/month.
The bottom line
Do all six free steps. The credit freeze alone defeats the most damaging attack vector — fraudulent new accounts in your name. The IRS IP-PIN defeats tax-refund fraud. The password manager + MFA defeat account takeover. The phone-carrier PIN defeats SIM swaps. Annual credit-report review catches anything that slips through.
Paid services are a nice-to-have layer on top, not a substitute for the basics. If you want the insurance and recovery support, they're worth considering. If you're trying to maximize protection per dollar spent, $0 is hard to beat.
Frequently asked questions
- What's the single most effective free step?
- A credit freeze at all three bureaus (Equifax, Experian, TransUnion). Once frozen, no lender can pull your credit to open a new account — even if a thief has your SSN, name, and DOB. It's free to freeze, free to unfreeze (temporary or permanent), and takes about 15 minutes total.
- Is a credit freeze different from a fraud alert?
- Yes. A freeze BLOCKS lenders from pulling your credit (most effective). A fraud alert just adds a note asking lenders to verify identity before opening accounts — they're not required to honor it. Freezes are stronger. You can have both.
- Do I need a paid identity-theft service?
- Probably not for most people. The free steps (freezes, MFA, password manager, IRS IP-PIN) cover 80–90% of the realistic threat. Paid services like LifeLock, Aura, or IdentityForce add credit-and-dark-web monitoring + an insurance/restoration component. Useful if you've already been breached, you want the insurance, or you don't trust yourself to monitor on your own.
- What's the IRS Identity Protection PIN?
- A 6-digit code the IRS generates that you must include on your tax return for it to be accepted. Without your IP-PIN, a thief can't successfully e-file a fraudulent return in your name. Free, voluntary, takes 10 minutes to enroll at IRS.gov. One of the highest-leverage free steps in the whole identity-protection stack.
- What if I'm already a victim?
- Three immediate steps: (1) report at IdentityTheft.gov — the FTC's official one-stop site that generates a recovery plan. (2) File a police report. (3) Place fraud alerts and freezes at all three bureaus. The IdentityTheft.gov report is free, IRS-recognized, and serves as the standard documentation for disputing fraudulent accounts.
- What about my Social Security number — should I memorize the last four?
- Yes — and never store the full SSN in your phone notes, email, or password manager unless absolutely necessary. The full SSN is the highest-value identifier in the US system. Treat it like a master password: rarely needed, never shared loosely, never sent over unsecured channels.