The phone call you don't want is from a credit card company you don't have an account with, asking why you've missed two payments. Someone has applied for credit in your name, used the address details from a data breach, gone through identity verification using publicly available information, and the lender hasn't realised yet that the application was fraudulent. The first you know about it is the late-payment letter, four months in, by which point the debt is in collections and your credit file has a default on it.
This is roughly how most UK identity theft works in 2026. It isn't romantic. There's no hooded figure in a basement; there's a database leak, a list of names and addresses sold on a forum, an automated application process that doesn't catch the obvious red flags, and a few months of damage before anyone notices.
The most useful thing UK adults can do about it costs nothing. The free credit monitoring services run by the three credit reference agencies catch fraudulent credit applications within days, which is enough time to dispute them before they do real damage. The paid identity protection products on the market mostly add marginal value on top of free monitoring; some of them add genuine value for specific situations.
What credit reference agencies are for, and why three
When you apply for credit anywhere in the UK — a credit card, a loan, a mortgage, a phone contract, even a tenancy reference — the lender checks one of three agencies for your credit history.
Experian is the largest. ClearScore is its consumer-facing free product (also via the Experian app directly).
Equifax is the second. ClearScore actually serves Equifax data in some product variants; the dominant free Equifax product is via Credit Karma UK in some forms or the Equifax direct app.
TransUnion is the third. Credit Karma UK is its free consumer-facing product.
Critically, lenders don't all check the same agency. Some check Experian, some check Equifax, some check TransUnion, some check two or three. Which means a fraudulent credit application that appears in your Experian file might not show up in your Equifax file, and vice versa. To catch fraudulent applications reliably, you need to be monitoring all three.
This is the single most important thing in this entire article: sign up for free monitoring at all three agencies. The set-up takes about 30 minutes total. The ongoing cost is zero. The coverage catches roughly 80% of UK identity fraud attempts within days.
The free apps each send notifications when:
- A new credit account is opened in your name
- A new credit search (hard inquiry) is run on your file
- Your address changes
- A default or missed payment is registered
Configure email and push notifications. The first time someone runs a hard credit check in your name without your knowledge, you'll get an alert that day. From there, you can phone the lender, dispute the application, and prevent it.
Cifas Protective Registration
Cifas is a UK fraud prevention agency that maintains a database of confirmed fraud cases and protective registrations. Lenders consult it during credit applications. A Cifas Protective Registration on your file flags any application in your name as requiring additional verification — typically a phone call or document check before approval.
Cost: £25 for two years. Single payment. Covers all UK credit applications.
The Cifas registration is genuinely worth having if:
- You've been the victim of identity theft and the fraudsters might still have your details.
- Your details have appeared in a recognised data breach (the gov.uk Have I Been Pwned check shows whether your email has).
- You've lost your wallet, passport, or driving licence and the documents are unaccounted for.
- You've had post going missing or your home has been broken into.
For UK adults without these specific risk factors, free credit monitoring is enough; the £25 Cifas registration adds incremental protection without being essential.
What paid identity protection actually adds
Paid identity protection products at £6-£15/month bundle a few features beyond free credit monitoring:
Dark web monitoring. Scans data breach dumps for your email, phone, NI number, and other identifiers. Alerts when matches are found. Useful but mostly retrospective — by the time the data appears in a breach dump, it's often been circulating among fraudsters for weeks. The free Have I Been Pwned service does the same email check at no cost.
Faster alerts. Some paid products alert within minutes of a credit search, versus next-day for free services. Marginal benefit; the difference rarely matters because dispute windows are days, not minutes.
Identity restoration support. A staff member helps you navigate the post-fraud admin: contacting lenders, disputing entries on your credit file, dealing with police reports. Genuinely useful if it happens, but the help is also free via Action Fraud and the credit reference agencies' fraud teams.
Fraud insurance. Most policies pay up to £25,000-£100,000 for direct financial losses from identity fraud. UK banking law (the Payment Services Regulations) already requires UK banks to refund victims of unauthorised transactions in most cases, which means the practical value of fraud insurance is limited to scenarios the bank wouldn't refund — which are rare.
The honest assessment: paid identity protection is genuinely useful for specific high-risk users (frequent international travellers, public figures, people with complex business interests) but isn't transformational for most UK adults. The free monitoring + Cifas + sensible password hygiene combination covers most of what matters.
The free Experian, ClearScore, Credit Karma routine
Set up once, monitor passively. About 30 minutes of one-time work, zero ongoing cost.
Sign up for an Experian account at experian.co.uk. Verify identity with the standard checks. Enable email alerts in settings.
Sign up for ClearScore at clearscore.com (covers Equifax data). Same process; enable alerts.
Sign up for Credit Karma UK at creditkarma.co.uk (covers TransUnion data). Same process; enable alerts.
Each app shows your credit score (a number that doesn't really matter — lenders use their own internal scoring), but more importantly shows the underlying credit file: open accounts, recent applications, address history, public records (CCJs, bankruptcies). Once a quarter, glance at each to verify nothing has changed unexpectedly.
When the alert fires for an unknown account or application, phone the credit reference agency's fraud team and follow their dispute process. They've handled it many times; the process is faster than people expect.
What 2FA and password hygiene actually do
Identity theft monitoring catches fraud after it starts. Account takeover prevention stops it happening in the first place, and it's largely free.
The fundamentals:
Strong unique passwords on every financial account. The only realistic way to do this is a password manager (Bitwarden, free; 1Password, £36/year; some others). One master password, every other password generated and stored. The investment is roughly an hour of setup; the security improvement is dramatic.
Two-factor authentication on every financial account that supports it (which is most of them in 2026). Authenticator app (Google Authenticator, Authy, 1Password's built-in TOTP) rather than SMS where possible — SMS 2FA is vulnerable to SIM-swap attacks. Hardware keys (YubiKey) for the highest-value accounts.
A separate email address for financial accounts. The financial-only email isn't given out for shopping, sign-ups, or social media, which keeps it out of most data breach dumps. Costs nothing if you use a Gmail/Outlook subaccount.
These three actions block about 95% of account takeover attempts. They're free. They're tedious to set up. Most UK adults haven't done them.
For more on password managers specifically, see the password manager guide.
When you suspect you've been targeted
The first hours matter. The longer fraud goes uncaught, the harder it is to undo.
The sequence:
Phone Action Fraud on 0300 123 2040, or report online at actionfraud.police.uk. This generates a crime reference number, which lenders and credit reference agencies need to process disputes.
Contact each bank or credit card provider where you suspect fraudulent activity. Most have 24-hour fraud lines. Freeze the affected accounts; the fraud team will handle the rest.
Contact the credit reference agencies (Experian, Equifax, TransUnion). Add fraud markers to the file. Each has a fraud team that processes disputes.
Set up Cifas Protective Registration. £25 for two years; flags future applications in your name.
Change passwords on all financial accounts. Password manager makes this faster.
Enable 2FA where it isn't already. Authenticator app, not SMS.
Monitor credit files weekly for the next 6-12 months. The same fraudsters often try again with similar identity details.
Keep a written record of every call, every reference number, every dispute. Identity fraud admin can take 6-18 months to fully resolve; documentation matters.
The fraud patterns to recognise
A few common 2026 UK fraud patterns:
HMRC tax scams. Phone calls or texts claiming you owe HMRC and threatening immediate prosecution unless you pay. HMRC doesn't operate this way. Hang up, ignore. Real HMRC contact uses post and your online tax account.
Royal Mail / parcel scams. Texts claiming a parcel is held pending a small payment. The fee is usually £1.99 — designed to harvest payment card details, not collect the £1.99. Ignore.
WhatsApp impersonation. "Mum it's me, lost my phone, this is my new number, can you transfer money for X?" Always verify by phone (not text) using the actual known number.
Bank impersonation. Calls or texts claiming suspicious activity on your account, requesting you move money to a "safe account" or share verification codes. Banks don't operate this way. Hang up; phone the number on the back of your card to verify.
Phishing emails about subscription services. "Your Netflix subscription has been cancelled, click here to update payment." Don't click. Log into the actual service via your saved bookmark.
The pattern across all of these: legitimate organisations don't pressure you to act immediately, don't request verification codes, don't ask you to move money to "safe" accounts, and don't conduct sensitive business through unsolicited inbound contact. Slow down, hang up, verify through known channels.
What I'd actually do
For most UK adults: free Experian + ClearScore + Credit Karma monitoring with email alerts enabled, password manager (Bitwarden or 1Password), authenticator-app 2FA on financial accounts, awareness of the common scam patterns. Total cost: £0-£36/year.
After a data breach affecting you, or after losing wallet/documents: add Cifas Protective Registration at £25 for two years.
For frequent international travellers, public figures, business owners with complex finances: paid identity protection (Experian Premium at £8-£15/month or similar) for the additional alerts and identity restoration support.
The thing not to do: pay £80-£150/year for identity protection without first enabling the free monitoring services that catch most fraud anyway. The marketing for paid products implies they replace the basics; in fact they add to the basics, and the basics are free.
The other thing not to do: assume that because you've never been a victim, you won't be. Identity fraud is increasingly indiscriminate. The fraudsters don't pick targets carefully; they run breach data through automated application systems and see what works. The protection doesn't depend on you being a high-value target; it depends on whether your details have leaked into a breach dump that's been sold on a forum, which for most UK adults has already happened multiple times.
This article is general consumer information about UK identity protection. UK Cifas, credit reference agencies, and Action Fraud are official UK fraud prevention resources.
Affiliate disclosure: Morningfold has affiliate partnerships with Experian, Norton, and Cifas. See editorial standards.