Extended Fraud Alert: Eligibility and How to Apply

An extended fraud alert is a formal credit file notation that restricts lender access for seven years and is governed by the Fair Credit Reporting Act (15 U.S.C. § 1681c-1). Unlike the 90-day initial fraud alert available to any consumer who suspects fraud, the extended alert is reserved for confirmed victims of identity theft. This page describes eligibility standards, the application process, operational effects on credit files, and the decision boundaries separating extended alerts from related but distinct consumer protections.

Definition and scope

An extended fraud alert is a seven-year notation placed on a consumer's credit reports at all three nationwide consumer reporting agencies — Equifax, Experian, and TransUnion — requiring creditors to take reasonable steps to verify identity before extending credit. The legal basis is 15 U.S.C. § 1681c-1(b), which distinguishes extended alerts from the 90-day initial fraud alert established under § 1681c-1(a).

The Federal Trade Commission (FTC) administers consumer-facing identity theft recovery infrastructure, including standardized documentation pathways, through IdentityTheft.gov. The FTC's program operates under 16 C.F.R. Part 603, which implements the FCRA's fraud alert and identity theft protection provisions.

Placement of an extended fraud alert carries two automatic consequences under federal statute:

  1. The consumer is removed from prescreened credit and insurance offer lists for five years (15 U.S.C. § 1681b(e)(5)).

The extended alert differs from a credit freeze (security freeze), which is a separate FCRA mechanism under § 1681c-1(i) that blocks access to the file entirely rather than requiring identity verification.

How it works

Placement requires a documented identity theft report — not merely a suspicion of fraud. The FTC accepts reports through IdentityTheft.gov, which generates a standardized FTC Identity Theft Report meeting the evidentiary threshold required by the FCRA.

The application process follows these discrete steps:

  1. File an identity theft report. Submit a complaint to the FTC at IdentityTheft.gov or file a police report with a local law enforcement agency. The FTC report alone satisfies the statutory documentation requirement under 15 U.S.C. § 1681c-1(b)(1)(A).
  2. Contact one nationwide consumer reporting agency. Under the FCRA, contacting a single bureau triggers an obligation on that bureau to notify the other two. In practice, consumers may contact all three directly to ensure consistency.
  3. Submit the identity theft documentation. The requesting bureau will require a copy of the qualifying identity theft report and government-issued identification.
  4. Confirm placement at all three bureaus. Each agency must acknowledge placement within three business days of receiving the request (15 U.S.C. § 1681c-1(b)(2)).
  5. Provide a telephone number for creditor verification. The FCRA permits the consumer to designate a contact number that creditors must call before processing new credit applications while the alert is active.

The alert remains active for seven years from the placement date. Consumers may request removal before expiration by contacting any of the three bureaus with identifying information. For context on how identity protection services interact with fraud alerts, see the Identity Protection Providers section of this provider network.

Common scenarios

Extended fraud alert placement is appropriate across a defined set of circumstances where an identity theft event has already produced documented harm. The following scenarios represent the primary use cases recognized within FTC guidance:

Confirmed account fraud. A consumer discovers that a fraudster opened credit accounts, took out loans, or filed fraudulent tax returns using stolen personal information. An FTC Identity Theft Report documents the confirmed event and satisfies the eligibility threshold.

Data breach with realized harm. A consumer whose data was exposed in a breach and who subsequently experienced fraudulent account openings qualifies. A breach exposure alone — without confirmed fraudulent use — typically supports only an initial 90-day alert, not an extended one. The distinction rests on whether documented identity theft has occurred.

Criminal identity theft. When a perpetrator uses a victim's identity during a law enforcement encounter, producing a criminal record in the victim's name, the resulting documentation generally satisfies the FTC report requirement.

Medical identity theft. Fraudulent use of a victim's identity to obtain healthcare services or insurance benefits constitutes identity theft under FTC definitions, supporting extended alert eligibility when documented through an FTC report.

For consumers uncertain whether their situation reaches the extended alert threshold, the How to Use This Identity Protection Resource page describes how this provider network is structured to support navigating the service landscape.

Decision boundaries

The extended fraud alert occupies a specific position within a set of overlapping but legally distinct consumer protection mechanisms. Selecting the appropriate tool requires understanding the boundaries between them.

Extended Fraud Alert vs. Initial Fraud Alert

Dimension Initial Fraud Alert Extended Fraud Alert
Duration 90 days 7 years
Eligibility Suspicion of fraud Confirmed identity theft (documented)
Documentation required None FTC Identity Theft Report or police report
Prescreened offer opt-out None 5 years (automatic)
Legal authority 15 U.S.C. § 1681c-1(a) 15 U.S.C. § 1681c-1(b)

Extended Fraud Alert vs. Security Freeze

A security freeze under 15 U.S.C. § 1681c-1(i) blocks all third-party access to the credit file unless the consumer lifts or temporarily thaws the freeze. An extended fraud alert permits creditor access subject to identity verification. Consumers who need to apply for credit without delay during a protected period typically prefer the alert mechanism, since a freeze requires active management to allow legitimate applications to proceed.

Extended Fraud Alert vs. Credit Lock

Credit locks are contractual products offered by the bureaus directly and are not governed by FCRA statutory protections. They carry no federal right of free placement, no mandatory restoration timeline, and no statutory enforcement pathway. The extended fraud alert, by contrast, is a federally mandated right with no fee and enforceable through the FCRA's private right of action under 15 U.S.C. § 1681n.

Active duty alert. Service members who are on active military duty may request a separate active duty alert lasting 12 months under 15 U.S.C. § 1681c-1(c). This is neither an initial nor an extended alert; it exists as a distinct statutory category with its own eligibility standard.

The page describes how these consumer protection mechanisms are categorized within this reference structure.

 ·   · 

References

Read Next

Identity Protection Listings ANA › Professional Services Authority Authority › National Cyber Authority Authority › Identity Protection Authority Identity Protection Providers The identity... Identity Protection Directory: Purpose and Scope ANA › Professional Services Authority Authority › National Cyber Authority Authority › Identity Protection Authority Identity Protection Network: Purpose and Scope... Credit Freeze vs. Fraud Alert: Key Differences ANA › Professional Services Authority Authority › National Cyber Authority Authority › Identity Protection Authority Credit Freeze vs.