What is identity theft, and how do I tell if it has happened to me?

Quick answer

Identity theft is when someone uses your personal information — name, date of birth, ID number, banking details — to open accounts, take out credit, file false tax returns, or commit crimes in your name; signs include unexpected denied credit, unfamiliar accounts on your credit report, mail about loans you never asked for, tax notices for income you did not earn, and calls from collections agencies about debts that are not yours.

What it's NOT

Identity theft is NOT the same as a single fraudulent credit-card charge (that is card fraud, simpler to fix) and it is NOT only a US phenomenon — France's CNIL and the Banque de France report rising cases every year, especially since the major French data breaches of 2024. And it is NOT something you can fix entirely on your own; the bank, the credit registry, and sometimes police need to be involved, but you can act fast and recover fully.

More context

Identity theft is the broad name for any crime where someone uses your personal information to act as you — opening accounts, taking credit, claiming refunds, signing contracts, sometimes evading justice in your name. It is a slower-burn problem than simple card fraud (which most people experience as a refused chip-and-pin and a replacement card in the mail). When it happens, the damage often unfolds across months: the loan you never took out turning up on a credit application years later, the tax notice for income you never earned, the phone line your name unexpectedly carries.

The categories that matter, in practice:

  • Financial-account fraud. A criminal opens a bank account, a credit card, a personal loan, a mobile-phone subscription, or a “Buy Now Pay Later” account in your name. The bills default, and your name takes the credit-score hit.
  • Tax and benefits fraud. Filing a false tax return or claiming benefits in your name, often to redirect a refund. The IRS, French Direction Générale des Finances Publiques, UK HMRC all see this; the resolution time can run into a year.
  • Medical identity theft. Less common in France’s universal-coverage system; very common in the US private-insurance system, where stolen identities are used to claim treatments that then attach to the victim’s medical history.
  • Criminal identity theft. A criminal stopped by police identifies as you, the citation or even arrest goes on your name. Rare but slow to undo.
  • Synthetic identity fraud. A criminal combines a real ID number (often a child’s, who will not check for years) with fabricated other details to build a “person” who can take credit. This is the fastest-growing variant in the US and Europe.

How criminals get the data, in 2026:

  1. Large data breaches. France saw a string of major ones in 2024 — telcos, banking, public services, healthcare — exposing tens of millions of records of name + DOB + address + sometimes ID details. Once a dataset like that is on dark-web markets, it gets resold and reused for years.
  2. Targeted phishing for ID documents. “Please upload a photo of your ID to verify your account” — from a fake bank, a fake delivery, a fake job offer, a fake renter-screening site. Once they have the photo, they have what they need to apply for credit.
  3. Account takeover that exposes documents. A reused password gets your email; your email contains the ID photos you sent your bank ten years ago; the attacker now has them.
  4. Physical theft. Stolen wallets, mailboxes (in France, vol au courrier), unshredded paper records.

The signals you should react to immediately:

  • Mail from any bank, lender, telecom, or utility about an account you did not open.
  • A credit application denied for reasons you do not recognise (because the same identity was just used).
  • A collections agency calling about a debt you do not remember.
  • A tax notice or refund delay you do not expect.
  • Multiple small unfamiliar transactions on your account (“testing” transactions before bigger ones).
  • A new utility or phone bill in your name at an address you do not know.

The first 48 hours, if you suspect identity theft:

  1. Document what you saw. Letter, notice, email — screenshot or photograph.
  2. Contact every financial institution you have an account with. Ask for fraud flags on your accounts. Change passwords.
  3. In France: contact the Banque de France, query the FICOBA registry (lists every bank account opened in your name) and FICP (incidents of credit), and consider an opposition Préventive at the CNAJF / FNCI for cheques. The CNIL has a step-by-step page.
  4. File a complaint. In France, the pré-plainte en ligne for cyber-related offences, then an appointment at your local commissariat. Police take this seriously and a written complaint is what banks usually require to clear fraudulent debts.
  5. Notify the regulator if a data breach was the source. CNIL in France; equivalents elsewhere.

Who pays: in France, EU PSD2 and Article L. 133-19 of the Code monétaire et financier mean the bank usually absorbs the loss if you reported promptly and were not grossly negligent. In the US, federal law caps consumer liability for credit-card fraud at $50 and most issuers waive it. The deadline to dispute is generous on paper (13 months in France) but acting in the first 48 hours dramatically improves the practical outcome.

Prevention is the long-running boring habit, not a single product. Treat your ID number, your social-security number, and your full DOB as semi-secret — given only to institutions legally entitled. Be suspicious of any “verification” asking you to upload an ID photo to a process you did not initiate. Use unique passwords on accounts that hold your identity (a password manager does this for free). Turn on two-factor authentication on the master accounts that gate all the others (email, bank, government portal). Periodically check the registries that catalog accounts in your name. None of this is exciting; all of it is what actually works.

People also ask

What are the early signs my identity has been stolen? +

Several quiet signals you should react to immediately: (1) Mail from a bank, lender, or telecom about an account you did not open. (2) A credit-card or loan application you did not make being denied (because the same name + number was just used elsewhere). (3) Calls from collections agencies about debts you do not recognise. (4) A tax notice for income you did not earn. (5) An unexpected utility bill or phone-line bill in your name. (6) Your bank flagging multiple small unfamiliar transactions ('testing' transactions). Any one of these on its own can be coincidence; two together are not.

What do I do in the first 48 hours if I think my identity has been stolen? +

Five steps. (1) Document what you saw, with screenshots / photos of the suspicious letter or notice. (2) Contact every financial institution where you have an account and ask for fraud alerts to be flagged. (3) In France, contact the Banque de France to inscribe in the 'Fichier Central des Chèques' if a chequebook is involved, and consider the FICOBA registry to see all accounts opened in your name. (4) File a police report (pré-plainte en ligne in France, then a meeting at your local commissariat). (5) Report to the CNIL if it followed a data breach. Save reference numbers from each — banks and lenders will ask.

How do criminals get the data they need for identity theft? +

Three main sources. (a) Data breaches — large datasets including name, DOB, ID-number, address, sometimes more. The major French breaches of 2024 (telcos, banks, public services) leaked tens of millions of records. (b) Phishing — convincing people to upload a photo of their ID under the pretext of 'verification' for a bank, a delivery service, or a job offer. (c) Physical theft — stolen wallets, mailboxes, old paper records. The first two now dwarf the third.

Will the bank take the loss, or do I? +

Generally the bank, if you report promptly. In France, under the Code monétaire et financier (Article L. 133-19), you are not liable for unauthorised transactions you reported promptly, except in cases of gross negligence (writing your PIN on the card, sharing your password). In the EU, PSD2 sets a similar standard. In the US, federal law caps consumer liability for credit-card fraud at $50 and most banks waive even that. Reporting fast is what protects you — within 13 months of the disputed transaction is the formal deadline in France, but acting in the first 48 hours dramatically improves the outcome.

How can I prevent identity theft proactively? +

Five habits. (1) Treat your ID number, social security number, and full DOB as semi-secret — give them only when legally required (banks, hospitals, employers), not to random websites. (2) Be suspicious of any 'verification' that asks you to upload a photo of your ID, especially if you initiated nothing. (3) Use unique passwords ([password manager](/en/library/everyday/password-manager/)) and [2FA](/en/library/everyday/two-factor-authentication/) on accounts that hold your real identity (bank, email, government portals). (4) Shred or burn paper documents with your details before throwing them out. (5) Periodically check your credit report and account list — in France, an annual FICOBA + FICP review is the equivalent of a US credit-monitoring habit.

Also explained

What is a data breach, and what do I do if my information is in one?

A data breach is when an organisation that holds your personal information loses control of it — your email, password, phone number, address, sometimes your credit-card or ID details end up in a leaked file that attackers download and reuse; the practical response is to change the password on that account, change it anywhere else you reused it, and turn on two-factor authentication.

What is phishing, and how do I recognise it?

Phishing is when someone sends you a fake message — usually email, SMS or chat — that looks like it comes from your bank, your boss, a delivery service or a friend, hoping you click a link, enter a password or transfer money before you notice the small details that give it away.

What is a password manager, and is it safe to use one?

A password manager is an app that generates a unique strong password for every account and remembers them for you behind one master password — yes, it is much safer than reusing the same password, even though all your passwords sit in one place.
← Back to everyday cybersecurity