How to Place a Fraud Alert on Your Credit Report
A fraud alert is a federally regulated consumer protection tool that flags a credit file at the major credit reporting agencies, triggering a verification requirement before new credit is extended in the consumer's name. Governed by the Fair Credit Reporting Act (15 U.S.C. § 1681c-1), the fraud alert mechanism operates across Equifax, Experian, and TransUnion and represents one of the primary first-response tools available under federal consumer protection law. This page details the classification structure, placement process, applicable scenarios, and the operational boundaries that distinguish fraud alerts from related instruments such as credit freezes.
Definition and scope
Under the Fair Credit Reporting Act (FCRA), a fraud alert is a notation placed in a consumer's credit file that requires any creditor using that file to take reasonable steps to verify the consumer's identity before opening new credit accounts or, in some cases, before increasing credit limits on existing accounts. The statutory basis is 15 U.S.C. § 1681c-1, which establishes three distinct alert types:
- Initial fraud alert — Active for 1 year; available to any consumer who suspects they may be or are about to become a victim of fraud or identity theft.
- Extended fraud alert — Active for 7 years; available only to consumers who have already been victims of identity theft and who submit an identity theft report as defined by the FTC.
- Active duty alert — Active for 1 year; available exclusively to members of the military on active duty, allowing service members to protect their credit files while deployed.
The Federal Trade Commission (FTC) administers consumer education and complaint infrastructure around fraud alerts, while the Consumer Financial Protection Bureau (CFPB) oversees FCRA enforcement against credit reporting agencies (CRAs) under authority granted by the Dodd-Frank Act.
A key structural feature of fraud alerts: once a consumer contacts one of the three major CRAs to place an initial or extended alert, that agency is required by statute to notify the other two. The placement is not a per-bureau task.
For a broader orientation to the identity protection service landscape, the identity protection providers on this network catalog providers operating within this regulatory framework.
How it works
The placement process involves a structured sequence governed by the FCRA and FTC procedural guidance:
- Contact one major CRA. The consumer contacts Equifax, Experian, or TransUnion directly — by phone, online portal, or written request. Only one contact is required; the first CRA is legally obligated to notify the other two under 15 U.S.C. § 1681c-1(b)(3).
- Identity verification. The CRA collects sufficient identifying information to confirm the requester's identity. For an extended alert, an identity theft report — typically the FTC's IdentityTheft.gov affidavit or a police report — must be submitted.
- Alert is posted. The CRA posts the fraud alert notation to the file within a reasonable processing window. For initial alerts, this is typically processed within 24 hours of verified submission.
- Free credit report trigger. Upon placing an initial fraud alert, the consumer is entitled to 1 free credit report from each of the 3 major CRAs. An extended alert entitles the consumer to 2 free reports per CRA within a 12-month period, pursuant to 15 U.S.C. § 1681j(d).
- Creditor obligation activates. Once the alert is in place, any entity that pulls the file for a credit decision must take reasonable steps to verify that the applicant is the legitimate file owner. What constitutes "reasonable steps" is not defined with precision in the statute, which is a noted ambiguity in FCRA enforcement practice.
- Renewal or removal. Initial alerts expire at 1 year unless renewed. Extended alerts expire at 7 years. Consumers may also request early removal by contacting the CRA directly.
Active duty alerts function identically to initial fraud alerts in terms of placement mechanics but are exclusive to service members and include an opt-out from prescreened credit offer lists for 2 years (15 U.S.C. § 1681c-1(e)).
Common scenarios
Fraud alerts are deployed across a range of circumstances within the identity theft and financial fraud spectrum:
- Suspected data breach exposure. A consumer learns their personal data appeared in a known breach and places a 1-year initial alert as a precautionary measure before confirmed misuse occurs.
- Lost or stolen wallet. Physical loss of documents containing a Social Security number, driver's license, or credit cards triggers an initial alert to reduce fraudulent account openings during the window of exposure.
- Post-identity theft response. A consumer who has received an FTC identity theft report number through IdentityTheft.gov transitions from an initial alert to a 7-year extended alert to maintain long-term file protection.
- Military deployment. A service member preparing for active duty places an active duty alert to prevent account fraud during a period when monitoring personal credit is operationally impractical.
- Tax identity theft follow-up. After IRS notification of a fraudulent return filed under a consumer's Social Security number, a fraud alert is placed alongside an IRS Identity Protection PIN request, as recommended by the IRS Taxpayer Guide to Identity Theft.
The page describes how recovery scenarios like these are categorized within this network's organizational structure.
Decision boundaries
Fraud alerts and credit freezes are frequently conflated, but they operate through distinct mechanisms and impose different burdens. A credit freeze — also called a security freeze — entirely restricts access to a credit file by new creditors; a fraud alert allows file access but imposes a verification obligation. The practical difference is significant:
| Feature | Fraud Alert | Credit Freeze |
|---|---|---|
| File access by creditors | Permitted, with verification step | Blocked entirely |
| Placement cost | Free (FCRA-mandated) | Free (since 2018 Economic Growth Act) |
| Duration (initial) | 1 year | Indefinite until lifted |
| Requires contact with all 3 CRAs | No — one contact triggers all three | Yes — each CRA must be contacted separately |
| Requires identity theft documentation | Only for extended alert (7 years) | No |
The appropriate instrument depends on the threat level assessed. An initial fraud alert is appropriate where exposure is suspected but unconfirmed. A credit freeze is the more restrictive tool for consumers who have confirmed misuse or who want categorical file lockdown. Under 15 U.S.C. § 1681c-1 and the CFPB's FCRA guidance, both tools can be used simultaneously — they are not mutually exclusive.
Fraud alerts do not protect against all forms of identity misuse. Account takeover on existing accounts, medical identity theft, and tax fraud occur without triggering the new-credit verification mechanism that a fraud alert activates. The how to use this identity protection resource page outlines how different identity threat types map to different protective mechanisms within this reference network.
Consumers in states with additional state-level protections — California's Consumer Credit Reporting Agencies Act (Cal. Civ. Code § 1785.11.1) is a notable example — may have access to extended or modified alert rights beyond the federal FCRA floor. State-level variation is not resolved by federal placement procedures; consumers must consult state-specific statutes or applicable state attorney general guidance.