If your identity is stolen, place a fraud alert or credit freeze with Equifax Canada and TransUnion Canada right away, contact the fraud department of any affected bank or lender, change your account passwords, file a police report, and report the incident to the Canadian Anti-Fraud Centre. Do all five in the first day if possible — the sooner a freeze is in place, the fewer new fraudulent accounts a criminal can open in your name while you handle everything else.
Most identity theft guides stop at detection — how to tell your information was exposed, which monitoring tool to buy, how a breach happened. That's a different problem from the one you're facing if you're reading this article. You already know, or strongly suspect, that someone is actively using your identity right now: opening accounts, filing fraudulent claims, or racking up charges you never made. This guide is about what comes after that moment — the actual recovery process, in order, with realistic timelines and the scenario-specific steps that generic checklists tend to skip.
Who wrote this guide
This article was written and reviewed by IT Cares certified technicians based on our work helping clients across Canada secure devices and accounts after a breach or account takeover. We are not a credit-repair company and we don't sell identity-theft insurance — this guide reflects the same steps we'd walk a client through on the phone.
How to Confirm Identity Theft Actually Happened
Not every strange notice or odd charge means your identity has been stolen, but a cluster of the signs below is a strong signal to move straight to the recovery steps rather than wait for more evidence. Identity theft rarely announces itself with a single dramatic event — it tends to surface as a string of small, individually explainable anomalies that only look alarming once you line them up together.
Unfamiliar accounts or charges
A credit card statement with a purchase you don't recognize, a new line of credit you never applied for, or a subscription you never signed up for showing up on a bank statement are the most direct signals. A single small unfamiliar charge can be a merchant error or a forgotten free trial; several across different accounts, or one tied to a completely new account you never opened, is not a coincidence.
Credit report anomalies
Requesting your free credit report from Equifax Canada or TransUnion Canada and finding an account, credit inquiry, or address you don't recognize is one of the clearest confirmations available, because it means someone used your identifying information to interact directly with a lender. A sudden, unexplained drop in your credit score with no corresponding change in your own borrowing behavior is worth the same level of attention.
CRA notices about unfiled income or a return you didn't submit
A letter from the Canada Revenue Agency referencing employment income you never earned, a tax return already filed under your name before you filed your own, or a notice of reassessment for a filing you don't recognize is a serious and specific form of confirmation — tax fraud requires someone to have your SIN, not just a password or card number.
Collection calls for debts that aren't yours
A collections agency contacting you about an unpaid account you never opened is frequently how synthetic and classic identity theft first surfaces, sometimes months or years after the fraudulent account was originally created. Don't dismiss this as a mistaken identity or wrong number without checking your credit file first — collections agencies work from real account records, even when the account itself was opened fraudulently.
Being denied credit unexpectedly
A credit application being declined for reasons that don't match your actual financial history — too much existing debt you don't recognize, an income mismatch, or a note about a delinquent account you've never heard of — is often the first moment a victim discovers something is wrong, because lenders check your credit file more thoroughly than you typically do yourself.
📊 IT Cares field note: The clients who recover fastest are the ones who treat the first odd sign as reason enough to pull a credit report immediately, rather than waiting for a second or third confirmation. Identity theft investigations get measurably harder the longer fraudulent activity is allowed to continue undetected, simply because there are more accounts and more institutions to untangle by the time you start.
Was a hacked device how this started?
If a phishing email, malware, or a compromised account is what led to this, our certified technicians can check your devices for active compromise and secure your accounts the same day — from $119.99.
The First 24 Hours: A Crisis-Response Checklist
Work through these steps in the order given. Every hour a fraudulent identity stays active increases the number of accounts and institutions you'll eventually have to untangle, so speed matters more here than in almost any other part of the recovery process.
Place a fraud alert or credit freeze with Equifax Canada and TransUnion Canada
Contact both Canadian credit bureaus directly through their official websites or phone lines and request a fraud alert (lighter touch, expires after a period) or a full credit freeze (stronger, stays in place until you lift it). This single step does more to stop new fraudulent accounts than anything else on this list.
Contact every financial institution directly affected
Call the fraud department — not the general customer service line — of any bank, credit card issuer, or lender tied to a compromised account. Ask them to freeze or close the account, dispute and reverse any fraudulent charges, and add a note to the file requiring extra verification going forward.
Change passwords and enable two-factor authentication
Change the password on every account tied to the compromised information, starting with your primary email and online banking, since email is the recovery path for almost everything else. Turn on two-factor authentication using an authenticator app wherever it's offered.
File a report with your local police service
File an identity theft report even though active investigation of an individual case is unlikely. Banks, credit bureaus, and other institutions frequently require the report number as documented proof of the incident when you dispute a fraudulent account or charge.
Report the incident to the Canadian Anti-Fraud Centre
File a report with the CAFC in addition to, not instead of, your local police report. This feeds a national fraud-tracking database and can help connect an isolated-looking incident to a broader pattern investigators are already tracking.
Document everything
Start a written log the moment you begin: every phone call, the date and time, the name of the person you spoke with, any case or reference number given, and a short summary of what was said. You will refer back to this log constantly over the following weeks — treat it as the single most useful tool in this entire process.
When to get help beyond these steps
If you suspect a hacked device or a phishing attack is what exposed your information in the first place, that's a separate problem from the recovery steps above — and one worth closing before you're done, since a still-compromised device can undo the account security work you're doing right now. IT Cares can check your devices for active malware and help secure affected accounts remotely across Canada.
Credit Freeze vs. Fraud Alert: What's the Actual Difference
These two terms get used almost interchangeably in casual conversation, but they are meaningfully different tools, and picking the right one for your situation matters.
| Feature | Fraud Alert | Credit Freeze |
|---|---|---|
| What it does | Requires lenders to take extra verification steps before approving new credit in your name | Blocks access to your credit report entirely until you personally lift it |
| Strength | Lighter touch — a lender can still choose to proceed after verification | Strongest available protection — new credit essentially cannot be approved while active |
| Duration | Typically expires after a set period and needs renewal | Stays in place indefinitely until you actively request it be lifted |
| Best used when | You suspect exposure (e.g., a company breach) but have no confirmed misuse yet | You have confirmed fraudulent activity and want maximum protection immediately |
| Trade-off | Less friction if you need to apply for legitimate credit soon | You must remember to lift it yourself before any legitimate credit application |
In Canada, both tools are requested directly through Equifax Canada and TransUnion Canada — there is no single national "credit bureau," so both need to be contacted separately to get full coverage. For anyone working through the recovery steps in this guide because of confirmed misuse rather than suspected exposure, a full freeze with both bureaus is generally the more appropriate choice; a fraud alert is more suited to the "I might be exposed but nothing has happened yet" situation covered in our dark web monitoring guide.
Don't forget to lift it later
A credit freeze that's never lifted becomes its own inconvenience the next time you genuinely need new credit — a mortgage, a car loan, even a new phone plan that runs a credit check. Keep your freeze confirmation details from both bureaus somewhere you'll actually find them again, since you'll need to contact each one separately to lift it when the time comes.
Identity Theft vs. Account Takeover: Why the Distinction Matters
These two terms get used interchangeably, but the recovery path is different enough that it's worth being precise before you spend time on the wrong set of steps. Account takeover means someone gained access to one specific account — your email, a social media profile, an online banking login — usually through a phishing attempt, malware, or a reused password from an old breach. Identity theft means someone is using your underlying personal information (SIN, date of birth, address, government ID) to impersonate you across institutions you may have no account relationship with at all, such as opening a new credit card at a bank you've never used.
The overlap between the two is common and important: account takeover is frequently the entry point that leads to identity theft, because an attacker who controls your email can often use it to reset passwords, intercept verification codes, and harvest enough personal details to escalate from "I have your inbox" to "I can open credit in your name." If your situation started with a suspicious login alert, a locked-out email account, or a device that's been behaving strangely, treat the account-takeover side as a parallel track that needs closing at the same time as the credit-and-identity steps in this guide — not as something to circle back to later. Our guides on recovering a hacked Gmail account and warning signs your computer is hacked cover that side of the recovery in detail.
What to gather before you start making calls
Having the right documents in hand before you start working through the First 24 Hours checklist saves real time, since almost every institution will ask for some version of the same information. Gather, if you can:
- Government-issued photo ID (driver's license, passport, or provincial ID card) — most fraud departments and credit bureaus require this to verify you are who you say you are before acting on your file.
- Recent account statements for anything showing suspicious activity, ideally with the specific transaction, date, and amount circled or noted.
- Any letters or notices referencing the fraud — a CRA reassessment notice, a collections letter, a denial-of-credit letter — since these often carry reference numbers you'll need to quote later.
- A dedicated notebook or document for the running log described in step 6 of the First 24 Hours checklist. Digital or paper both work; what matters is that it's a single place, not scattered sticky notes or memory.
- A list of every account you can think of that might share the compromised password or personal detail, even ones you consider low-priority — old forums, loyalty programs, anything tied to the exposed email address.
How Long Does Identity Theft Recovery Actually Take?
This is the question almost every victim asks first, and the honest answer is that it depends heavily on which category of identity theft you're dealing with — the timeline for a single stolen card is nothing like the timeline for a stolen SIN woven into a fabricated credit file.
- Single fraudulent charge or one compromised card: Often resolved within days to a few weeks — the bank reverses the charge, reissues a card, and the incident is effectively closed.
- New account(s) opened in your name: Typically weeks to a few months, since each affected lender or company runs its own dispute and verification process independently.
- Tax fraud involving your SIN: Often several months, because it requires a direct investigation and correction process with the CRA on top of any related credit-bureau work.
- Synthetic identity theft: Frequently the slowest category, sometimes taking well over a year to fully identify every account and institution touched by the fabricated file, since the file itself was never designed to point clearly back to you.
- Child identity theft: Can take a long time to fully resolve simply because it's often discovered years after the fact, meaning the fraudulent activity has had years, not weeks, to compound.
What genuinely speeds recovery up, across every category, is the documentation habit from step 6 of the First 24 Hours checklist. Institutions and agencies move faster when you can hand them a clean, dated record of exactly what happened, who you already spoke with, and what was already resolved — versus reconstructing the whole story from memory on every new call.
Scenario-Specific Recovery: When Identity Theft Isn't the Standard Case
The First 24 Hours checklist covers the universal steps. The scenarios below layer on additional, specific actions depending on exactly what was stolen or how the fraud is playing out.
Stolen SIN
A Social Insurance Number is the closest thing Canada has to a master key for identity verification, and unlike a password or card number, it cannot simply be changed after exposure. If your SIN specifically was stolen — as opposed to just a card number or an old password — treat the credit freeze step as non-negotiable rather than optional, since a SIN alone is often enough to open new credit in your name at institutions that don't cross-check other details closely. Contact Service Canada directly to ask about their current guidance for a compromised SIN; in rare, severe cases where the number is being actively and repeatedly misused, a new SIN can be issued, though this is not a routine or first-line response.
Tax fraud (CRA)
If a tax return was filed in your name before you filed your own, or you receive a notice referencing income you never earned, contact the Canada Revenue Agency directly through their official fraud-reporting channels rather than simply replying to the notice. Keep every letter, case number, and confirmation the CRA sends you — tax fraud disputes are almost entirely driven by paper trail, and the CRA's own process for reversing a fraudulent filing can take considerable time. Report the incident to the Canadian Anti-Fraud Centre as well, since tax fraud is frequently one piece of a broader identity compromise rather than an isolated event.
Medical identity theft
Less commonly discussed than financial identity theft, this occurs when someone uses your name, health card number, or insurance details to receive medical care, prescriptions, or file claims under your identity. The danger here extends beyond financial cost — a fraudulent diagnosis or treatment record mixed into your actual medical file can affect future care decisions if it isn't caught and corrected. Request a copy of your medical records and insurance claim history if you suspect this, and contact your provincial health insurance provider directly to flag and correct any entries that aren't yours.
Synthetic identity theft
This is the hardest category to catch early because it doesn't look like classic identity theft at all. Instead of directly impersonating you, a fraudster combines your real, stolen SIN with a fabricated name, birthdate, or address to build an entirely new credit file — one that isn't obviously "yours" to a lender running a routine check, but that is still tied back to your real SIN underneath. It typically surfaces only when a collections call or a credit denial happens to trace back to your SIN buried inside someone else's fabricated identity. If you suspect this, a full credit freeze and a direct request to Equifax Canada and TransUnion Canada to investigate any file associated with your SIN — not just files under your exact legal name — is essential, since a synthetic file may not appear under a standard name-based search.
Child identity theft
A child's SIN typically has no credit history attached to it at all, which is exactly what makes it valuable to a fraudster — misuse can go completely undetected for years, since nobody is checking a child's credit file the way they would check their own. It most often surfaces when a parent requests a credit report for a teenager or young adult applying for their first credit card, student loan, or apartment lease, and discovers an existing file already full of accounts the child never opened. If you have any reason to suspect this — a collections letter addressed to a minor, or simple caution given a data breach at a school or pediatric provider — request a manual credit file check for your child through Equifax Canada or TransUnion Canada rather than waiting for a problem to surface on its own later.
Not Sure If Your Device Is Part of the Problem?
IT Cares helps clients across Canada determine whether a hacked device, phishing email, or malware infection is what led to identity theft in the first place — and secures affected accounts the same day.
Long-Term Monitoring: Preventing a Repeat Incident
Recovering from an active identity theft incident is only half the work — the other half is reducing the odds of it happening again, since the same exposed piece of information (a SIN, an old breached password) can be reused by criminals more than once.
- Pull your free credit report periodically from both Equifax Canada and TransUnion Canada, not just once during the crisis — new fraudulent activity can surface well after the initial incident is considered "resolved."
- Run your email through free breach-check tools like Have I Been Pwned periodically, and enable free ongoing breach alerts — our dark web monitoring guide covers exactly how to set these up in under five minutes and explains what a paid monitoring subscription does and doesn't add on top.
- Use a password manager with unique passwords per account so that one future breach at any single company can't cascade into multiple compromised accounts through password reuse.
- Keep the freeze/alert in place until you have a specific reason to lift it, and know exactly how to lift it (and re-freeze it afterward) when you do need to apply for legitimate credit.
- Review account statements on a fixed schedule — monthly, at minimum — rather than only when something feels off, since small test charges often precede larger fraudulent ones and are easy to miss if you're not looking on a regular cadence.
If a hacked account or device is what triggered this whole situation, closing that loop matters as much as the credit and financial steps above. See our guides on warning signs your computer is hacked and recovering a hacked Gmail account for the device- and account-security side of this same incident — identity theft and account takeover very often start from the same root cause.
Put it on a calendar, not just a to-do list
The single biggest reason long-term monitoring habits quietly stop is that they depend on remembering to do them, and memory fades once the immediate crisis is behind you. A recurring calendar reminder — quarterly for a credit report pull, monthly for a statement review — outperforms a mental note or a one-time resolution every time. If you manage this for a household, set the reminder to cover every adult (and, where relevant, any child whose SIN may have been part of the original exposure) rather than just the person who experienced the initial incident, since a shared address or family plan can mean more than one person's information was exposed together.
Comments (3)
The credit freeze vs fraud alert table finally made this clear for me. Called both Equifax and TransUnion the same day and got a full freeze in place within the hour.
Went through the CRA tax fraud scenario after getting a reassessment notice for income I never earned. The "keep every reference number" advice was the single most useful thing here — I needed it on every follow-up call.
Had no idea child identity theft was even a thing until my son applied for his first credit card and it got flagged. Requesting his credit file directly is what confirmed it.
Leave a Comment