Independent. MyID is not affiliated with the Department of Social Protection, MyGovID, or the Government of Ireland.

Identity theft — first 24 hours

Published 2026-05-31 | Updated 2026-05-31 | By MyID Editorial

Most identity-theft outcomes are determined in the first 24 hours. The faster you cut the attacker's access to your accounts, alert the institutions that can freeze fraudulent transactions, and document what happened, the more recoverable the situation is. This page is a sequenced checklist. Work through it in order — don't skip to step 5 before you've done step 2.

First 30 minutes — stop the bleeding

  1. Lock the email account linked to the account that's been compromised

    If your email is compromised, the attacker can reset passwords on every account that uses it for recovery. Change the email password from a clean device (not the one you suspect is compromised). If you can't access the email, contact the email provider's account-recovery process. Until the email is back under your control, every other account using it for recovery is at risk.

  2. Lock the mobile carrier account

    SIM-swap attacks intercept SMS 2FA codes. Call your carrier from a landline or another phone, ask them to put a port-out lock on the number, and require an in-store PIN for any future SIM changes. For most Irish carriers (Vodafone, Three, Eir, GoMo) this is a 10-minute call.

  3. Lock the bank cards

    Open your banking app from a clean device. Freeze every card. If you can't, call the 24/7 fraud line printed on the back of the card. The number is also on the bank's website — type it in, don't click links from emails.

  4. Take screenshots of everything you've seen

    Suspicious emails, error messages, transaction alerts, unfamiliar account logins. Save them somewhere outside the compromised devices (e.g. email them to a fresh address you control, or photograph the screen with another phone). The screenshots become evidence later.

First 6 hours — secure the rest of the perimeter

  1. Change passwords on every high-value account

    Bank, Revenue, MyGovID, Microsoft/Google account, Apple ID, social media. Use a password manager (1Password, Bitwarden, Apple Keychain) so the new passwords are strong and not reused.

  2. Enable 2FA where it isn't already on

    Use an authenticator app (Microsoft Authenticator, Google Authenticator) rather than SMS where possible — SMS 2FA is bypassable via SIM swap.

  3. Check what the attacker did with the accounts they touched

    For each compromised account: review recent activity, look for added recovery emails or phone numbers, look for filter rules that auto-delete certain emails (a common technique to hide alerts from you), check for new app authorisations.

  4. If MyGovID was compromised, force-reset it

    Work through our account locked and password reset guides. Then file a Subject Access Request to the Department of Social Protection to see the activity log — see SAR template.

  5. If banking accounts were touched, get a fraud incident reference

    The bank's fraud line will issue a reference number. Keep it; you'll need it for any insurance claim and for chargeback disputes.
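
The filter-rule check in step 3 above can be run over a mailbox's exported filters. This is an added example, not part of the original page: it assumes a Gmail-style filter export (Atom XML with `apps:property` elements), and the sample export, the keyword list and the function name `audit_filters` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

# Actions that take mail out of the inbox view (assumed Gmail-style property names).
HIDING_ACTIONS = {"shouldTrash", "shouldArchive", "shouldMarkAsRead"}
# Words typical of the alerts an intruder wants hidden (constructed list).
ALERT_WORDS = ("security", "password", "sign-in", "login", "verification",
               "fraud", "bank", "alert")

# Constructed sample export, not taken from a real mailbox.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry><title>Mail Filter</title>
    <apps:property name='from' value='newsletter@shop.example'/>
    <apps:property name='label' value='Shopping'/></entry>
  <entry><title>Mail Filter</title>
    <apps:property name='hasTheWord' value='security alert OR password reset'/>
    <apps:property name='shouldTrash' value='true'/></entry>
  <entry><title>Mail Filter</title>
    <apps:property name='from' value='bank.example'/>
    <apps:property name='forwardTo' value='drop@mailbox.example'/>
    <apps:property name='shouldMarkAsRead' value='true'/></entry>
</feed>"""

def audit_filters(xml_text):
    """Return (rule_number, reasons) for every rule worth a manual look."""
    findings = []
    root = ET.fromstring(xml_text)
    for number, entry in enumerate(root.findall("atom:entry", NS), start=1):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.findall("apps:property", NS)}
        reasons = []
        if props.get("forwardTo"):  # copies of your mail leave the account
            reasons.append("forwards mail to " + props["forwardTo"])
        hidden = sorted(a for a in HIDING_ACTIONS if props.get(a) == "true")
        criteria = " ".join(props.get(k, "") for k in
                            ("from", "subject", "hasTheWord")).lower()
        if hidden and any(w in criteria for w in ALERT_WORDS):
            reasons.append("hides alert-like mail via " + ", ".join(hidden))
        if reasons:
            findings.append((number, reasons))
    return findings

if __name__ == "__main__":
    for number, reasons in audit_filters(SAMPLE_EXPORT):
        print(f"rule {number}: " + "; ".join(reasons))
```

Any rule it flags that you did not create yourself should be deleted and noted in your timeline, along with the forwarding address it used.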

First 24 hours — report and document

  1. Report to An Garda Síochána

    Visit your local station in person where possible — you'll come out with a PULSE incident number. The PULSE reference is what banks, insurers and (later) the courts will ask for. Online-only reports are possible but slower.

  2. Notify Central Credit Register if accounts were opened in your name

    The Central Credit Register (centralcreditregister.ie) holds a record of any consumer credit issued in your name. If you suspect synthetic-identity fraud (new loans, credit cards opened by an attacker using your details), request your credit report. If you spot anything you don't recognise, contact that lender directly.

  3. Notify FraudSMART if a scam pattern is involved

    FraudSMART (fraudsmart.ie) maintains a national scam-pattern register. Reporting helps protect others; the report is also useful evidence later.

  4. Write the timeline down

    From your first awareness of the incident to the steps you took, in order, with timestamps. This single document becomes the foundation of every later claim, complaint or legal step.

  5. Tell people who need to know

    If your employer's systems may be affected (your work email, single-sign-on accounts): inform IT. If you've shared accounts with family: warn them their recovery channels may now be compromised.

What to do if you're not sure yet whether it's real

The most common false alarm is a phishing email that looks alarming ("your account will be suspended") but hasn't actually compromised anything. If you haven't entered credentials into a suspicious site, opened an attachment from one, or had a real transaction you didn't authorise, you may be looking at attempted fraud rather than completed fraud.

Even so: change the password and enable 2FA on the targeted account. The marginal cost is five minutes; the upside is real.

What not to do

Where to get further help
