The letter came from a collections agency. That was the first time anyone in the house knew anything was wrong. A credit card had been opened in her name — not just used, opened — and racked up $4,200 in charges before the issuer flagged it. By the time the fraud department called, the bill had been sold twice.
She pulled her credit report. Two more accounts. A phone plan. A utility account. Someone had her Social Security number, her birthdate, her address, and enough information to impersonate her to four different creditors. The breach that started this might have happened three weeks earlier — a data broker, a health insurer, a tax filing in a state she'd never lived in — and she'd never know which one it was.
The recovery took four months. She is still dealing with it.
Why three weeks matters
The average identity theft isn't discovered for 287 days, according to a 2024 Javelin Strategy study commissioned by AARP.[5] By then, the damage is distributed across enough accounts, inquiries, and institutions that untangling it requires sustained effort — not a single phone call.
Three weeks is actually early. That's the window where a motivated attacker is still working with current data — opening accounts, filing false tax returns, accessing existing financial accounts — before the victim's credit file has been flagged or frozen.
The attackers know this. They're not trying to hide forever. They're trying to move fast while the window is open. The 90-day window after a data breach — before most victims have noticed anything — is the highest-value period for identity exploitation.
The single most effective early-warning tool is a credit freeze. It doesn't prevent data from being stolen, but it prevents new accounts from being opened in your name. It's free, it takes effect immediately, and it can be lifted in hours when you need to open a legitimate account. Most people don't do it because they don't know it exists.
The recovery sequence — what actually happens
Identity theft recovery is not a single event. It's a sequence of parallel processes that run at different speeds, with different institutions, on different timelines. Here's what the sequence actually looks like:
The discovery moment varies — a collections letter, a fraud alert from a bank, a credit monitoring notification, an IRS rejection of a tax return. Whatever the trigger, the first action is to pull all three bureau reports (Equifax, Experian, TransUnion) and review every inquiry and account. Any account that isn't yours gets flagged. Any inquiry you didn't initiate gets disputed. This phase involves calling each bureau, filing disputes, and establishing a paper trail that the fraud is not yours.
File an Identity Theft Report with the FTC at IdentityTheft.gov — this generates a recovery plan and creates the federal record you'll need for creditor disputes. File a police report with your local department. Many creditors require a police report number before they'll remove fraudulent accounts. Lock all existing financial account access (bank accounts, investment accounts, retirement accounts) and change passwords and PINs. Enable two-factor authentication on everything. Consider moving payroll direct deposit to a separate account while the recovery runs.
Dispute fraudulent accounts with each creditor directly, using the FTC report and police report as supporting documentation. Creditors have 30 days to respond under the Fair Credit Reporting Act, but many take longer. Follow up in writing — certified mail, not phone calls, because written disputes create a stronger record. This is the phase where people give up, and where the fraud accounts stay on the credit file permanently. Persistence matters.
Once fraudulent accounts are removed or marked fraud, the credit file begins to recover. Credit scores drop during an identity theft incident — sometimes dramatically if the fraudulent accounts carry high balances — and recovery is measured in months, not weeks. Identity monitoring services (LifeLock, IdentityForce, the credit bureau monitoring products) catch new attempts but don't prevent the first breach. A family that has been through this needs ongoing monitoring, not just the initial remediation.
The household variables that change everything
Identity theft doesn't hit a single person. It hits a household. The recovery is harder when:
Children's SSNs are involved. Children's Social Security numbers are ideal for identity theft — they have no credit history, the fraud may not be discovered until the child is 18 and tries to open their first account, and parents rarely monitor a child's credit because there's no reason to. If your child's information is in the mix, you need to run credit checks for minors with each bureau and place fraud alerts or freezes on their files. It's not the same process as adult identity theft and it's often missed.
The tax identity was targeted. A fraudulent tax return filed in your name means someone else filed before you did — and they're collecting your refund. The Treasury Inspector General for Tax Administration found that the IRS paid $5.7 billion in fraudulent identity theft refunds over a recent three-year period[7] — the system is active, it's being exploited, and if your SSN is in the mix, you need to act before filing season. The IRS has an Identity Protection PIN (IP PIN) program that adds a layer of verification to your tax filings and closes off this attack surface entirely.[3] It's worth enrolling in proactively — you don't need to have been a victim first.
Business accounts were compromised. If the attacker accessed a small business account — a D&B listing, a business credit card, an EIN used to open commercial accounts — the recovery process involves business creditors, not personal ones, and the rules are different. Business identity theft often requires an EIN correction process with the IRS and business credit bureau disputes that most consumers have never heard of.
The 287-day problem and how to shrink it
The 287-day discovery gap exists because most people don't check their credit reports. They don't have monitoring set up. They don't get fraud alerts unless they've already been hit. They find out when something shows up on a credit report — which means the damage is already there.
The alternative is systematic early detection. It doesn't require a service. It requires a habit:
Pull your credit reports. You're entitled to one free report per bureau per year at AnnualCreditReport.com. The standard advice to space them out (one bureau every four months) is good advice. You're looking for accounts you didn't open and inquiries you didn't initiate. That's it. That's the search.
Set up fraud alerts. A fraud alert with one bureau extends to all three. It's free. It lasts 90 days and can be renewed. It doesn't freeze your file, but it requires creditors to verify your identity before opening new accounts. It's not as strong as a credit freeze, but it's simpler and has less friction.
Freeze your credit. This is the nuclear option and it's the right one. A credit freeze prevents any new account from being opened in your name. It doesn't affect your existing accounts. It doesn't prevent you from opening new accounts when you need to (you lift the freeze temporarily). It doesn't cost anything. The federal law that mandated free credit freezes took effect in 2018. There is no reason not to do this.
Detection is the problem. The recovery is hard because the discovery is late. Anything that shrinks the discovery window — monitoring, freezes, regular report pulls — reduces the total damage.
What SafeHaven does about it
For households already in the system, identity theft monitoring is part of the ongoing threat picture. The Analyst tracks alerts across the family's credit exposure and notifies when new activity shows up — not just when something is fraudulent, but when something is new and needs eyes on it.
The credit freeze check is part of intake. We confirm that freezes are in place for all adult household members and walk families through placing them on behalf of minor children. We run an initial credit file audit on intake and document what's there, so that any new account appearing in the future has a baseline to compare against.
For households that have been through an incident, the recovery is documented and tracked. The Analyst maintains the timeline of what's been filed, what's been removed, and what residual exposure remains. Most people trying to handle this alone lose track of what they've done. We don't.
The goal isn't to prevent every breach — that's not possible. The goal is to shrink the window between breach and detection, make the recovery faster when it does happen, and ensure the household has a documented record that makes the dispute process simpler, not harder.
Sources
- FTC Consumer Sentinel Network Data Book 2024 — 5.2 million fraud and identity theft reports, $2.7 billion in losses. ftc.gov
- FBI IC3 2024 Annual Report — identity theft complaints, confirmed losses, victim demographics. ic3.gov
- IRS Identity Protection PIN (IP PIN) Program — enrollment eligibility and process. irs.gov/identity-protection-pin
- National Taxpayer Advocate (IRS), Annual Report to Congress — identity theft refund fraud systemic findings. taxpayeradvocate.irs.gov
- AARP Fraud Watch Network / Javelin Strategy & Research, 2024 Identity Theft Study — 287-day average discovery gap. aarp.org
- Georgia Attorney General Consumer Protection Division — synthetic identity fraud patterns and consumer guidance. consumer.georgia.gov
- Treasury Inspector General for Tax Administration (TIGTA), Refund Fraud Report — $5.7 billion in fraudulent identity theft refunds over three-year period. oversight.gov
- AARP Advocacy, S. 2392 Synthetic Identity Fraud老太太 Prevention Act — proposed legislation for minor SSN protection. aarp.org