Credit file security essentials to protect against fraud
Place a security freeze at Equifax, Experian, and TransUnion to stop nearly all new-account fraud against you. Too many business owners and guarantors discover bogus accounts because they treated credit file security as optional.
A freeze blocks most hard inquiries from prospective creditors and makes it hard for identity thieves to open credit without your knowledge. Use the same discipline you apply to cash controls: standardize freezes, plan temporary lifts, and watch for changes that signal trouble.
Know the difference between credit files, freezes, and alerts
Terminology confusion wastes time and creates compliance risk. A credit file is the consumer report a bureau such as Equifax, Experian, or TransUnion, keeps on you, including history, inquiries, and personal data. A credit score is a number a model calculates from that file, such as a FICO or VantageScore.
A security freeze restricts access to your file so new credit applications usually fail unless you temporarily lift the freeze. It does not affect your score and it stays in place until you lift it.
A fraud alert is a free notice that tells lenders to verify identity. An initial alert lasts one year and propagates to all three bureaus when you place it with a single bureau, while an extended alert for identity theft lasts seven years. A credit lock is a paid, bureau-specific app feature, and regulators treat it as no stronger than a security freeze.
Make credit freezes your default defence
A credit freeze is free to place or lift, does not affect your score, and stays in place until you remove it. By law, nationwide bureaus must place a freeze within one business day for secure electronic or phone requests, send written confirmation within five business days, and temporarily lift a freeze within one hour for online or phone requests. For a bureau-specific walkthrough, see TransUnion’s instructions to freeze credit, which is useful when you only need to lift at the bureau a lender will pull.
Under a freeze, existing creditors can still access your file for account maintenance and collections, and some government or court orders can still pull it. You will also keep receiving pre-screened offers unless you opt out.
What generally stops is most new-account hard pulls by prospective creditors without your lift. Employment, tenant-screening, and insurance inquiries are outside typical new-credit checks, so expect to lift the freeze briefly to allow those.
Set up and manage freezes at all three bureaus
Build a simple process so you control access to your file. Verify identity, create secure online accounts at each bureau, and store credentials and PINs in a password manager shared with authorized finance leaders.
Document an SOP for temporary lifts that records which bureau a lender will pull, start and end dates, and a re-freeze confirmation. Use statutory timing to your advantage, because online and phone lifts must be processed within one hour and initial placements within one business day.
Prepare identity documents, bureau accounts, and secure storage
- Have government ID, Social Security number, and proof of address ready, because mismatches can trigger manual review.
- Create online accounts at Equifax, Experian, and TransUnion using unique, long passwords or passkeys, and turn on multi-factor authentication.
- Store portal credentials and any PINs in a company-approved password manager with shared access for the risk lead and backup.
Place freezes at Equifax, Experian, and TransUnion
- Initiate each freeze online through the bureau portals, and answer knowledge-based authentication questions carefully to avoid delays.
- Expect the freeze to be in effect within one business day for electronic or phone requests and to receive written confirmation within five business days.
- Record the date and time you placed the freeze and save confirmation numbers, then verify status in each portal before assuming protection is active.
Manage temporary lifts without derailing deals
- Ask the lender which bureau they will pull before you apply, and request a lender-specific or date-bound lift only at that bureau to minimize exposure.
- For rate shopping, set a short window of forty-eight to seventy-two hours across relevant bureaus and calendar the re-freeze. Online and phone lifts must be processed within one hour by law.
- Confirm the re-freeze after the window closes and note the confirmation in your SOP log for auditability.
Use fraud alerts to add verification
An initial fraud alert lasts one year and, when you place it with any one bureau, propagates to all three, prompting lenders to verify identity before opening new accounts. An extended fraud alert lasts seven years for verified identity-theft victims. Both alert types are free, and active-duty alerts protect deployed service members during their deployment.
Use alerts alongside freezes when you expect regular soft inquiries or want additional verification signals. Use alerts alone temporarily if you cannot access bureau portals to place a freeze immediately.
Monitor credit files weekly for early warning
Pull free weekly credit reports from each bureau through AnnualCreditReport.com, which now offers weekly access. Baseline your file by confirming personal information, addresses, and open accounts, and set alerts for new accounts, inquiries, and public records where your monitoring tools allow.
Create a simple SOP you run every time something looks wrong. Capture screenshots, dispute inaccuracies in writing with each bureau, and calendar thirty-day investigation deadlines.
Use a playbook for breaches and identity theft
When in doubt, freeze now and investigate next. Place freezes at all three bureaus, then add an initial fraud alert to force lender callbacks. Use IdentityTheft.gov to generate a recovery plan, close or reissue compromised cards and accounts, and consider filing a police report to support an extended fraud alert.
Preserve logs, screenshots, and correspondence, and notify lenders, insurers, and your bank’s fraud team. Once documentation is in hand, consider an extended fraud alert for seven years.
Standardize freezes, monitoring, and fast thaws
Make a three-bureau freeze your default, monitor your files, and keep a documented thaw and re-freeze SOP so underwriting can proceed on your terms. Layer in fraud alerts when appropriate and treat weekly monitoring and your breach playbook as standard controls, not emergency measures. Disciplined credit file security remains a low-cost, high-impact control that protects owners, guarantors, and lenders without sacrificing speed.