What to do when something goes wrong.
Recognizing a Security Incident

Before you can respond, you need to identify that something has happened:

| Incident Type | Signs |
|---|---|
| Account compromise | Unexpected password changes, login alerts |
| Malware infection | Slow device, strange behavior, ransom message |
| Identity theft | Unfamiliar accounts, unexpected bills |
| Data breach notification | Email from company about breach |
| Phishing success | Entered credentials on fake site |
| Device theft | Missing phone, laptop, tablet |
| Financial fraud | Unauthorized transactions |
General Response Framework

For any security incident, follow these steps:

| Step | Action | Purpose |
|---|---|---|
| 1. Stay calm | Don't panic | Clear thinking required |
| 2. Contain | Limit further damage | Stop the bleeding |
| 3. Document | Screenshot, note times | Evidence for later |
| 4. Assess | Determine scope | Know what's affected |
| 5. Remediate | Fix the problem | Remove threat |
| 6. Recover | Restore normal operations | Get back to normal |
| 7. Learn | Prevent recurrence | Improve security |
Account Compromise

Signs of Account Compromise

| Sign | What It Means |
|---|---|
| Password changed (not by you) | Attacker has access |
| Login from unknown location | Someone else logged in |
| Messages sent you didn't write | Attacker using account |
| Account recovery changed | Attacker locking you out |
| New devices logged in | Attacker's device added |
| Missing emails | Attacker deleting evidence |

| Step | Action |
|---|---|
| 1 | Change password immediately (from clean device) |
| 2 | Enable or strengthen 2FA |
| 3 | Check and remove unknown devices |
| 4 | Review account recovery options |
| 5 | Check for forwarding rules (email) |
| 6 | Review recent activity |
| 7 | Change passwords for related accounts |
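Step 6, "review recent activity", is easier when the export is filtered for you instead of read line by line. The script below is an added example, not part of this guide: it reads a constructed `timestamp,country,device,result` export (a simplified version of what most "recent activity" pages let you download), builds a baseline from successful logins older than the review window, and flags successful logins from a country or device never seen before, plus any success that follows a burst of failures. All sample data, column names and thresholds are assumptions chosen for the example.

```python
"""Flag sign-in events worth a second look when reviewing account activity.

Added example, not from the guide. The input format is a constructed,
simplified version of the "recent activity" export many services offer:
timestamp,country,device,result. Everything below is sample data.
"""
from datetime import datetime, timedelta

# Constructed sample export (not real data): a normal US/Mac/iPhone pattern,
# then a burst of failures followed by successes from a new country and device.
SAMPLE_EVENTS = [
    "2024-05-01T08:02:00Z,US,MacBook Safari,success",
    "2024-05-02T09:15:00Z,US,iPhone Mail,success",
    "2024-05-03T07:58:00Z,US,MacBook Safari,success",
    "2024-05-10T03:41:00Z,RO,Windows Chrome,failure",
    "2024-05-10T03:42:00Z,RO,Windows Chrome,failure",
    "2024-05-10T03:44:00Z,RO,Windows Chrome,success",
    "2024-05-10T03:50:00Z,RO,Windows Chrome,success",
    "2024-05-11T08:00:00Z,US,MacBook Safari,success",
]


def parse_events(lines):
    """Parse CSV-style lines into dicts, sorted oldest first."""
    events = []
    for line in lines:
        stamp, country, device, result = line.strip().split(",")
        events.append({
            "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
            "country": country,
            "device": device,
            "success": result == "success",
        })
    return sorted(events, key=lambda e: e["time"])


def baseline(events, before):
    """Countries and devices seen in successful logins before the cutoff."""
    past = [e for e in events if e["success"] and e["time"] < before]
    return {e["country"] for e in past}, {e["device"] for e in past}


def flag_suspicious(events, review_days=7, failure_threshold=2,
                    failure_window=timedelta(minutes=15)):
    """Return (reason, event) pairs for events inside the review window.

    Reasons:
      new-country            successful login from a country never seen before
      new-device             successful login from a device never seen before
      failures-then-success  success preceded by repeated failures inside the
                             failure window (guessing that eventually worked)
    """
    if not events:
        return []
    cutoff = events[-1]["time"] - timedelta(days=review_days)
    known_countries, known_devices = baseline(events, cutoff)
    recent = [e for e in events if e["time"] >= cutoff]
    flags = []
    for i, event in enumerate(recent):
        if not event["success"]:
            continue
        if event["country"] not in known_countries:
            flags.append(("new-country", event))
        if event["device"] not in known_devices:
            flags.append(("new-device", event))
        prior_failures = [
            f for f in recent[:i]
            if not f["success"] and event["time"] - f["time"] <= failure_window
        ]
        if len(prior_failures) >= failure_threshold:
            flags.append(("failures-then-success", event))
    return flags


def review(lines):
    """Convenience wrapper: parse the export and return the flags in time order."""
    return flag_suspicious(parse_events(lines))


if __name__ == "__main__":
    for reason, event in review(SAMPLE_EVENTS):
        print(f"{event['time']:%Y-%m-%d %H:%M} {event['country']:>2} "
              f"{event['device']:<15} {reason}")
```

The baseline is taken only from logins older than the review window, so a device the attacker added yesterday does not make itself "known". Flagged entries are exactly the ones to cross-check against the "new devices logged in" and "login from unknown location" rows above; anything you do not recognize is the device to remove in step 3.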
If Locked Out

| Step | Action |
|---|---|
| 1 | Use account recovery option |
| 2 | Use backup codes if available |
| 3 | Contact platform support |
| 4 | Prepare identity verification |
| 5 | Document timeline for support |
After Regaining Access

| Task | Purpose |
|---|---|
| Enable 2FA | Prevent future compromise |
| Review all settings | Check for malicious changes |
| Check connected apps | Remove unknown connections |
| Update recovery options | Ensure you can recover |
| Change password on reused sites | Contain damage |
Malware Infection

Signs of Malware

| Sign | Type Indicated |
|---|---|
| Ransom message | Ransomware |
| Pop-up ads everywhere | Adware |
| Very slow performance | Cryptominer, general malware |
| Programs launching on their own | Trojan, RAT |
| Antivirus disabled | Sophisticated malware |
| Unknown programs installed | Various malware |
| High network usage | Data theft, botnet |

| Step | Action |
|---|---|
| 1 | Disconnect from network (unplug ethernet, disable WiFi) |
| 2 | Don't turn off device (preserve evidence) |
| 3 | Note any messages or ransom demands |
| 4 | Document what happened |
Malware Removal

| Step | Action |
|---|---|
| 1 | Boot into Safe Mode |
| 2 | Run antimalware scan |
| 3 | Use second-opinion scanner |
| 4 | Remove identified threats |
| 5 | Check startup programs |
| 6 | Run additional scans |
| 7 | Update all software |
When to Reinstall

| Situation | Recommendation |
|---|---|
| Ransomware | Wipe and reinstall |
| Rootkit detected | Wipe and reinstall |
| Unknown infection severity | Consider reinstall |
| Sensitive data on device | Reinstall for certainty |
| Repeated reinfection | Reinstall, investigate source |
Ransomware-Specific Response

| Step | Action |
|---|---|
| 1 | Disconnect immediately |
| 2 | Document ransom message |
| 3 | Check NoMoreRansom.org for decryptor |
| 4 | Report to authorities (ic3.gov) |
| 5 | Restore from backup (if available) |
| 6 | Do not pay (usually) |
| 7 | Wipe and reinstall |
Identity Theft

Signs of Identity Theft

| Sign | Meaning |
|---|---|
| Unfamiliar accounts on credit report | Someone opened accounts in your name |
| Collection calls for unknown debts | Fraudulent accounts went unpaid |
| Medical bills for services not received | Medical identity theft |
| IRS notification about multiple returns | Tax identity theft |
| Mail for accounts you didn't open | New fraudulent accounts |
| Denied credit unexpectedly | Credit damaged by fraud |

| Step | Action |
|---|---|
| 1 | Place fraud alert with one credit bureau |
| 2 | Review credit reports from all three bureaus |
| 3 | Freeze credit at all bureaus |
| 4 | Report to identitytheft.gov |
| 5 | File police report |
| 6 | Contact fraud departments of affected companies |
| 7 | Document everything |

| Bureau | Fraud Alert | Freeze |
|---|---|---|
| Equifax | 1-800-525-6285 | equifax.com/personal/credit-report-services/credit-freeze/ |
| Experian | 1-888-397-3742 | experian.com/freeze/ |
| TransUnion | 1-800-680-7289 | transunion.com/credit-freeze |

Note: Placing a fraud alert with one bureau notifies all three. Freezes must be done separately at each bureau.
Long-Term Recovery

| Task | Timeline |
|---|---|
| Dispute fraudulent accounts | Ongoing as discovered |
| Follow up on disputes | 30-45 days for response |
| Monitor credit reports | Weekly initially, then monthly |
| Consider identity theft protection | If not using freeze |
| Keep records | 7+ years |
| File taxes early | Prevent tax ID theft |
Financial Fraud

Signs of Financial Fraud

| Sign | Type |
|---|---|
| Unauthorized transactions | Credit card or bank fraud |
| Missing money | Account compromise |
| Unauthorized transfers | Wire fraud |
| New accounts you didn't open | Identity theft |
| Changed account information | Account takeover |

| Step | Action |
|---|---|
| 1 | Call bank/card issuer immediately |
| 2 | Report unauthorized charges |
| 3 | Cancel card, get new number |
| 4 | Review recent statements |
| 5 | Document all fraud |
| 6 | File dispute for charges |
| 7 | Monitor account activity |

| Step | Action |
|---|---|
| 1 | Contact bank immediately |
| 2 | Freeze account if possible |
| 3 | Change online banking password |
| 4 | Review all recent transactions |
| 5 | File fraud report with bank |
| 6 | Request new account number |
| 7 | Update automatic payments |
Fraud Recovery Rights

| Type | Protection |
|---|---|
| Credit card fraud | $50 max liability (often $0) |
| Debit card fraud | $50 if reported within 2 days, more after |
| Unauthorized ACH | 60 days to report |
| Check fraud | Varies by bank |
Data Breach Response

When You Receive a Breach Notification

| Step | Action |
|---|---|
| 1 | Read notification carefully (what was exposed?) |
| 2 | Change password for that service |
| 3 | Change password anywhere it was reused |
| 4 | Enable 2FA if not already enabled |
| 5 | Monitor for unusual activity |
| 6 | Consider credit freeze if SSN exposed |
| 7 | Watch for phishing using breach info |
What to Do Based on Data Exposed

| Data Exposed | Actions Needed |
|---|---|
| Email only | Watch for phishing, change password |
| Email + password | Change everywhere, enable 2FA |
| Financial data | Monitor accounts, consider new card |
| SSN | Freeze credit, monitor credit reports |
| Medical records | Review EOBs, watch for medical ID theft |
Credit Monitoring After Breach

| Option | When to Use |
|---|---|
| Free monitoring from breached company | Accept if offered |
| Credit freeze | Best protection for SSN exposure |
| Free annual credit reports | annualcreditreport.com |
| Paid credit monitoring | If not using freeze |
Lost or Stolen Device

| Step | Action |
|---|---|
| 1 | Try to locate (Find My iPhone/Android) |
| 2 | Mark as lost if feature available |
| 3 | Remote wipe if definitely stolen |
| 4 | Change passwords for accounts on device |
| 5 | Contact carrier to suspend SIM |
| 6 | Report theft to police |
| 7 | Remove device from account trusted devices |
Accounts to Secure

| Priority | Account |
|---|---|
| Highest | Email (gateway to others) |
| Highest | Banking apps |
| High | Password manager (if it unlocks on the device without a master password) |
| High | Social media |
| Medium | Shopping sites with saved cards |
| Medium | Cloud storage |
Insurance and Replacement

| Task | Details |
|---|---|
| File police report | Required for some insurance |
| Contact insurance | Homeowners or device insurance |
| Document everything | Serial numbers, IMEI |
| Consider remote wipe | Protect data |
Reporting Incidents

Where to Report

| Incident Type | Report To |
|---|---|
| Internet crime | ic3.gov (FBI) |
| Identity theft | identitytheft.gov (FTC) |
| Fraud | reportfraud.ftc.gov |
| Data breach affecting you | State attorney general |
| Child exploitation | CyberTipline.org (NCMEC) |
| IRS impersonation | phishing@irs.gov |
| Local crime | Local police |

| Information | Why Needed |
|---|---|
| Timeline of events | Understand what happened |
| Screenshots | Evidence |
| Email headers | Trace source |
| Financial impact | Damage assessment |
| Accounts affected | Scope of incident |
| Steps already taken | Know current status |
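Email headers are listed above as the way to trace where a phishing message came from, and most report forms ask for the originating IP and the delivery timeline rather than the raw headers. The script below is an added example, not part of this guide: using only Python's standard `email` package, it reads the `Received:` chain bottom-up (each relay prepends its own header, so the last one is where the mail entered), extracts the sending host, IP and timestamp of each hop, pulls the SPF/DKIM verdicts out of `Authentication-Results:`, and packages everything a report needs. The message is constructed for the example; the domains are example domains and the IPs come from the documentation ranges, not real infrastructure.

```python
"""Build a delivery-path timeline from a suspicious email's headers.

Added example, not from the guide. It uses only Python's standard email
package. The message below is constructed: hostnames are example domains and
the IPs are from the documentation ranges, not real infrastructure.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

# Constructed raw message. Received headers are prepended by each relay, so
# the top one is the final hop and the bottom one is where the mail entered.
RAW_MESSAGE = b"""Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.net with ESMTPS id abc123
\tfor <victim@example.net>; Fri, 10 May 2024 03:40:12 +0000
Received: from relay.example.org ([198.51.100.7])
\tby mx.example.org with ESMTP; Fri, 10 May 2024 03:40:05 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.example.org with SMTP; Fri, 10 May 2024 03:39:58 +0000
Authentication-Results: mail.example.net; spf=fail smtp.mailfrom=example.com; dkim=none
From: "Bank Support" <support@example.com>
To: victim@example.net
Subject: Urgent: verify your account
Date: Fri, 10 May 2024 03:39:50 +0000
Message-ID: <1234@example.com>

Please verify your account at the link below.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def _unfold(value):
    """Collapse folded header whitespace into single spaces."""
    return " ".join(str(value).split())


def parse_message(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


def delivery_path(msg):
    """Return hops oldest first: the origin at index 0, your mail server last."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = _unfold(header)
        ip = IP_RE.search(text)
        frm = FROM_RE.search(text)
        by = BY_RE.search(text)
        # The timestamp is whatever follows the last semicolon.
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
        hops.append({
            "from": frm.group(1) if frm else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def authentication_results(msg):
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results, if present."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        results.update(AUTH_RE.findall(_unfold(header)))
    return results


def summarize(raw):
    """Everything a report form asks for, in one dict."""
    msg = parse_message(raw)
    hops = delivery_path(msg)
    auth = authentication_results(msg)
    times = [h["time"] for h in hops if h["time"]]
    return {
        "from_address": msg["From"].addresses[0].addr_spec if msg["From"] else None,
        "subject": _unfold(msg["Subject"]) if msg["Subject"] else None,
        "origin_ip": hops[0]["ip"] if hops else None,
        "hops": hops,
        "auth": auth,
        "spf_failed": auth.get("spf") == "fail",
        "transit_seconds": (max(times) - min(times)).total_seconds() if times else None,
    }


if __name__ == "__main__":
    report = summarize(RAW_MESSAGE)
    print("From:", report["from_address"], "| Subject:", report["subject"])
    print("Origin IP:", report["origin_ip"], "| auth:", report["auth"])
    for hop in report["hops"]:
        print(f"  {hop['time']:%H:%M:%S}  {hop['from']} -> {hop['by']} ({hop['ip']})")
```

Only the hop added by your own mail provider (the top `Received:` header, the last entry in the list) is trustworthy; everything below it was written by relays the sender controlled and can be forged, which is why the script keeps all hops rather than picking one. A visible `From:` domain whose SPF check failed, as in the sample, is the mismatch to mention in the report.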
Post-Incident Actions

| Task | Purpose |
|---|---|
| Change all potentially affected passwords | Prevent further access |
| Enable 2FA everywhere | Prevent future incidents |
| Run malware scans | Ensure devices are clean |
| Review account activity | Find any missed compromise |
| Update security software | Close vulnerabilities |
Learning from the Incident

| Question | What to Improve |
|---|---|
| How did this happen? | Address root cause |
| What warning signs were missed? | Improve detection |
| What slowed response? | Prepare for next time |
| What data/access was at risk? | Reduce exposure |
| Were backups helpful? | Improve backup strategy |
Preventing Recurrence

| Improvement | Benefit |
|---|---|
| Enable 2FA on all accounts | Block credential theft |
| Use password manager | Unique passwords everywhere |
| Regular backups | Ransomware recovery |
| Keep software updated | Close vulnerabilities |
| Security awareness | Recognize threats |
Building Your Response Plan

| Information | Where to Store |
|---|---|
| Account list with recovery info | Password manager |
| Bank/card contact numbers | Phone contacts |
| Insurance policy numbers | Secure document |
| Device serial numbers | Secure document |
| Backup codes | Password manager |
| Trusted contacts | Memorized or secure storage |

| Type | Number/Contact |
|---|---|
| Primary bank | Card hotline number |
| Credit bureaus | Listed above |
| Identity theft | identitytheft.gov |
| FBI IC3 | ic3.gov |
| Local police | Non-emergency line |
Key Takeaways

- Stay calm - Panic leads to mistakes
- Contain first - Stop the bleeding before investigating
- Document everything - Screenshots, times, actions taken
- Know your contacts - Bank numbers, police, reporting sites
- Act quickly - Speed limits damage for many incidents
- Change passwords from clean devices - Don't use compromised systems
- Enable 2FA after incidents - Prevent recurrence
- Freeze credit proactively - Best identity theft protection
- Report incidents - Helps you and helps others
- Learn and improve - Every incident is a lesson