Fraud alerts are legally non-binding: creditors can ignore them and issue credit to thieves anyway

When identity theft victims place a fraud alert on their credit file, the alert merely instructs creditors to take "reasonable steps" to verify the applicant's identity before issuing credit. But there is no enforcement mechanism or penalty for creditors who skip this step, and many do because extra verification slows down their approval pipeline. A fraud alert does not block access to the credit report the way a freeze does, so a thief can still apply, get approved, and max out accounts in the victim's name while the alert is active. Victims who chose fraud alerts over freezes -- often because they were actively applying for credit themselves and could not freeze -- discover too late that the alert provided no actual protection. This persists because the FCRA defines fraud alerts as advisory rather than mandatory, and creditors face minimal liability for ignoring them since proving they failed to take "reasonable steps" requires expensive litigation.