Part 1: When You Get Hacked

What Friends, Family, and Neighbors Need to Do in the First 24 Hours

This question comes up all the time. Not from security professionals, but from friends, neighbors, parents, coworkers. Regular people who wake up to a strange email alert, a locked account, or a bank notification that immediately feels wrong.

Throughout my career I’ve had the privilege of working closely with security professionals who know how to protect Fortune 500 companies and government entities. They get asked this constantly by civilians. Their honest answer is usually some version of “it depends”.

That answer makes sense in a corporate setting. There are trained teams, documented playbooks, legal guidance, and clear roles. There are incident response plans. There are tools. There are people whose job it is to know exactly what happens next.

For everyday people, none of that exists.

There’s no help desk for your personal life. No command center. No clean checklist taped to the wall. Just stress, uncertainty, and a very real fear of making things worse.


Here’s the thing. What matters most isn’t doing everything perfectly. It’s doing the right things first, in the right order, so the damage doesn’t spread.


This article isn’t about how to avoid a bad day. We all believe it won’t happen to us. For the sake of this article, it didn’t happen to you. It happened to your friend. Or your parents.


Why this matters more than most people realize


Here’s the straight answer, without hype.


Consumer cyber loss is already measured in tens of billions of dollars per year, and it keeps climbing.


In the United States alone, reported consumer cybercrime losses exceeded $12.5 billion in 2023, according to the FBI’s Internet Crime Complaint Center. That number only reflects incidents people actually reported. Most don’t.


Globally, when you include unreported cases, indirect costs, and recovery fallout, consumer losses are estimated at $40 to $60 billion or more every year.


That surprises people because consumer attacks don’t usually look dramatic. There’s no headline breach. No press release. Just a locked account, drained funds, or a device that suddenly can’t be trusted. That’s exactly why damage spreads.


Direct financial loss


These are the dollars people actually see disappear.

  • Ransom payments from personal ransomware, sextortion, or device lockouts.
  • Bank and credit fraud.
  • Crypto theft.
  • Account takeover that drains funds.

 

Typical impact per victim looks like this:

  • $500 to $5,000 for common account fraud.
  • $10,000 or more for identity theft involving tax or loan fraud.
  • $500 to $2,000 for personal ransomware or extortion.


Many people never recover all of it.


Indirect loss is where the real damage hides


This is the part almost no one expects.

  • Time spent restoring accounts and devices.
  • Credit monitoring and legal fees.
  • Lost wages and productivity.
  • Emotional stress and long-term credit damage.
  • Replacing compromised hardware.

 

Multiple studies show indirect costs run two to four times higher than the initial loss.


What that really means is simple.


A $2,000 fraud incident often becomes a $6,000 to $8,000 life disruption.


Ransomware is no longer just a business problem


Over the last five years, the attack surface shifted.

  • Personal devices are targeted because backups are weak or nonexistent.
  • Cloud accounts like email, Apple ID, and Google are used as control planes.
  • Extortion often doesn’t involve encryption anymore.


Today’s consumer ransomware is usually psychological leverage plus account lockout.

  • Threats of exposure.
  • Impersonation.
  • Permanent account destruction.

It works because most people don’t have a recovery plan.


The reporting gap

  • Only 10% to 20% of consumer cybercrime is ever reported.
  • Many people don’t realize what happened.
  • Others are embarrassed or assume nothing can be done.


So when you see a $12.5 billion headline number, you’re looking at the floor, not the ceiling.


That’s the backdrop for everything that follows.


Is there such a thing as a personal incident response plan for consumers?


Short answer: not really. Not in the formal way it exists for companies.


Incident response plans were designed for organizations with teams, lawyers, IT staff, and authority. They assume structure.


Individuals don’t have that.


There’s no Security Operations Center (SOC) for your family. No escalation tree. No legal counsel on standby. No incident response binder sitting on a shelf.


What consumers have instead is a gap.


When an individual gets hacked, the experience is chaos. Accounts lock. Money moves. Devices feel unsafe. Everyone asks what to do first, and most people guess. That’s the opposite of incident response.


So while there’s no standard, widely adopted incident response plan for consumers, the need absolutely exists.


What this really means is that a personal incident response plan looks different.

  • It isn’t a PDF.
  • It isn’t technical.
  • It isn’t written for experts.


It’s a short, practical checklist that answers three questions under stress:

  • What do I secure first?
  • Who do I contact right now?
  • What do I not touch until I understand what happened?


A workable personal incident response plan usually covers five things.

  1. Account containment.
  2. Device trust.
  3. Financial and identity protection.
  4. Evidence preservation.
  5. Recovery and hardening.


Some nonprofits and security advocates are starting to package this idea into consumer-friendly guides. It’s early and fragmented, but it’s moving in the right direction. One example is Cyber Helpline, which helps individuals navigate incidents without selling products or pushing panic.


What’s missing is the digital equivalent of a fire escape plan. Something you can glance at on your phone at two in the morning when adrenaline is high and judgment is low.


That’s the gap.


First, slow down and take control

Slow Down, Calm Down, Do the Next Right Thing.

Under stress, people skim and act too fast. Pause before you click anything—this reduces panic and protects sequencing.


The biggest mistake people make is reacting randomly. Reinstalling apps. Calling the wrong company. Changing one password while leaving everything else wide open.


The first 24 hours are about containment, not perfection.


Before you do anything else, don’t do these things.

  • Don’t pay anyone who claims they can fix this immediately.
  • Don’t install cleanup tools suggested by popups or emails.
  • Don’t click “secure your account” links sent to you.
  • Don’t assume one password change solves the problem.

 

Speed matters. Direction matters more.


Step 1: Lock down your core accounts


Start with your email. Always email.


If someone controls your email, they can reset passwords for almost everything else you own.

It’s the master key to your digital life.

Do this first:

  • Change your email password
  • Change passwords for your Apple ID or Google account
  • Update banking, financial, and social media passwords
  • Use new, unique passwords for every account
  • Double-check that MFA is actually enabled; don’t assume. This turns an assumption into evidence.
  • Sign out of all other devices and sessions

 

Do this from a device you believe is clean. If you’re unsure which device is safe, borrow one from someone you trust. This protects control-health, avoids contamination, and removes assumptions.

Until this step is done, nothing else really matters.

Step 2: Protect your money and your credit

Once access is secured, assume there may be financial exposure until you confirm otherwise.

Check:

  • Bank accounts
  • Credit cards
  • Payment apps
  • Any transactions you don’t recognize

Report anything suspicious immediately. Banks and card issuers are built for this. Acting fast works in your favor.

Next, call your bank. Don’t wait.

Even if you don’t see fraudulent transactions yet, assume exposure until proven otherwise.

Tell your bank you’ve experienced a suspected account compromise and ask them to:

  • Monitor for malicious or unusual activity
  • Place temporary debit limits on your accounts
  • Enable real-time alerts for any money leaving the account
  • Flag the account for heightened fraud review

This is about slowing things down. Limits and alerts buy you time and prevent a small problem from turning into a drained account.

If money has already left your account, escalate immediately.

Ask your bank to contact the nearest U.S. Secret Service field office to attempt to freeze the funds.

The Secret Service investigates financial fraud and has direct relationships with banks and payment networks. Speed matters here. The faster this happens, the better the odds of stopping or recovering fraudulent transfers.

Most people don’t realize this option exists. It does. And it only works if you act fast.

Then do the step most people skip.

Place a fraud alert or credit freeze with the credit bureaus.

This stops new credit from being opened in your name without your approval.

  • Equifax: equifax.com/personal/credit-report-services, 1-800-685-1111
  • Experian: experian.com/freeze/center.htm, 1-888-397-3742
  • TransUnion: transunion.com/credit-freeze, 1-888-909-8872

 

A credit freeze is free, reversible, and one of the strongest moves you can make in the first day.

That one action can keep a bad situation from turning into a long-term mess.

Step 3: Clean the devices you actually use

If malware or a bad browser extension is still on your phone or laptop, the attacker can walk right back in.

Stick to the basics:

  • Run a full antivirus or anti-malware scan
  • Remove unfamiliar apps and browser extensions
    • Pay special attention to browser extensions. They’re a common source of reinfection and undermine device trust.
  • Update your operating system and apps
  • Back up clean data
    • Make sure your backup predates the incident. Restoring from a compromised backup can reintroduce risk.
  • Reset the device if anything still feels off

 

Resetting isn’t overreacting. It’s often the fastest way to be sure.

Caution: Don’t reset anything until your core accounts are secured from a clean device. This protects the recovery path and prevents re-compromise.

One important rule: change your passwords first from a known-clean device. Resetting too early can put you right back where you started.

If your files are locked or encrypted, don’t assume paying will fix it. Focus on account control and backups first. Decisions come later.

Step 4: Warn the people around you

This part may feel awkward, but it matters more than people realize.

Attackers often use compromised accounts to send phishing messages to friends, family, and coworkers. That’s how one incident quietly turns into many.

Ideally, you should not use the compromised account to warn people. Use a secure backup email account instead. If you don’t have one, create a new free email account just for this purpose.

The goal is simple: stop the spread without giving the attacker another chance to impersonate you.

Send a simple message:

“I was hacked. Please don’t click any recent links or messages from me.”

Also check your sent messages and social posts for anything you didn’t send.

Don’t delete suspicious messages yet. They may be needed for reporting or recovery. Preserving evidence avoids losing context responders may need.

You’re not admitting failure. You’re cutting off the blast radius by notifying your friends and relatives that it happened to you and could very well happen to them.

Step 5: Fix the root cause before day two

Most people stop once things feel quiet again. That’s why repeat incidents happen.

Before the first 24 hours are over:

  • Start using a password manager
  • Stop reusing passwords
  • Be cautious with unexpected emails, texts, and login prompts
  • Leave auto-updates turned on
  • Enable alerts for logins and account changes

 

This isn’t about becoming paranoid or technical. It’s about being harder to hit next time.

The takeaway

Most consumer hacks aren’t personal. They’re opportunistic.

What that really means:

  • Order matters
  • Speed beats perfection
  • You only need to know the next right step

 

That’s why I share this with friends and neighbors when they call in a panic. A clear plan for the first 24 hours can save weeks or months of fallout.

If this helped you, pass it on. Someone you know is going to need it.

I want to thank our SafeHouse Initiative contributors who helped peer review this article, especially Jeff Edwards, Dorian Naveh, Tawana Johnson, David Proestos, Jeff McCue, Matthew Quammen, and Roger Grimes, who has generously shared his knowledge on this topic over the years.
