If someone realises they’ve been hacked after a phishing scam, the goal is simple: stop further access, regain control, and reduce follow-on fraud. The steps below are written the way an incident responder would handle a real case in the UK.


Immediate actions: the first 15–60 minutes

1) Stop the bleeding: isolate the affected device and session
  • If you clicked a link, entered credentials, or downloaded a file, disconnect the affected device from Wi-Fi/mobile data.
  • Don’t keep “testing” passwords on that device. If malware is present, it can capture new logins.

2) Use a clean device and start with your email first

Email is the “master key” because password resets for other accounts go there.

  • Use a trusted device (or a different user account/profile) to sign in and secure accounts.
  • If you can’t log in, begin account recovery immediately.
3) Reset passwords in the correct order (and make them unique)

Do email first, then anything that can move money or reset other accounts:

  1. Email (Gmail/Outlook/iCloud)
  2. Password manager (if you use one)
  3. Banking & payments (bank app, PayPal, cards, Apple/Google Pay)
  4. Social media (to prevent further phishing from your account)
  5. Shopping (Amazon/eBay) and any account with stored cards

NCSC’s phishing guidance focuses on changing passwords and taking action if you’ve shared sensitive info. 

4) Turn on 2-step verification (2SV/MFA) everywhere it matters

Prioritise email and banking first.
This blocks many attacks even if the password is already known/stolen. NCSC provides UK guidance on phishing and enabling 2SV. 

5) Kick the attacker out: sign out of other sessions + revoke access

In each important account’s security settings:

  • Sign out of all devices/sessions
  • Remove unknown devices
  • Remove unknown connected apps / third-party access

Containment and clean-up: the next 2–24 hours

6) Check for “persistence” (this catches a lot of real-world cases)

Attackers often set things up so they keep access after you change passwords:

  • Email forwarding
  • Inbox rules/filters (e.g., “archive anything from the bank”, “forward to attacker”, “mark as read”)
  • New recovery email/phone number
  • Newly created “app passwords” (where supported)
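As an added illustration (not code from the article, NCSC or any mail provider), the following Python script runs over a constructed JSON export of one mailbox’s rules and flags the persistence tricks listed above: external auto-forwarding, rules that forward mail to an outside address, rules that hide messages about banking or security (delete, mark as read, archive), and rules with blank or single-character names that are easy to overlook. The export format and its field names are assumptions for this example; real providers expose rules in their own formats, so only the loader would need adapting.

```python
"""Audit an exported set of mailbox rules for attacker persistence.

Added illustrative script, not part of the original article. The JSON
shape and field names below are assumptions for this example; the sample
export itself is constructed.
"""
import json
from dataclasses import dataclass

# Constructed sample export for one mailbox: a benign rule plus the kinds of
# rules attackers leave behind after a phishing compromise.
SAMPLE_EXPORT = json.dumps({
    "owner": "alice@example.co.uk",
    "auto_forward": "alice.backup@mail-example.net",   # whole-mailbox forward to an outside address
    "rules": [
        {"name": "Newsletters",
         "conditions": {"from": "news@example.com"},
         "actions": {"move_to": "Newsletters"}},
        {"name": ".",                                   # one-character name, easy to miss in the UI
         "conditions": {"subject_contains": ["bank", "statement", "payment"]},
         "actions": {"mark_read": True, "move_to": "Archive"}},
        {"name": "Sync",
         "conditions": {"any": True},
         "actions": {"forward_to": "collector@example-dropbox.org", "delete": True}},
    ],
})

# Keywords that, when a rule hides matching mail, usually indicate an attempt
# to suppress bank alerts and security notifications from the victim.
SENSITIVE_WORDS = {"bank", "statement", "payment", "password", "security", "verify", "invoice"}
HIDING_FOLDERS = {"Archive", "Deleted Items", "RSS Feeds"}


@dataclass
class Finding:
    rule: str      # rule name, or "<mailbox forwarding>" for the account-level setting
    reason: str


def is_external(address: str, owner_domain: str) -> bool:
    """An address is external when its domain differs from the mailbox owner's."""
    return address.split("@")[-1].lower() != owner_domain


def audit_mailbox(export_json: str) -> list[Finding]:
    """Return one Finding per suspicious setting found in the export."""
    data = json.loads(export_json)
    owner_domain = data["owner"].split("@")[-1].lower()
    findings: list[Finding] = []

    fwd = data.get("auto_forward")
    if fwd and is_external(fwd, owner_domain):
        findings.append(Finding("<mailbox forwarding>", f"auto-forward to external address {fwd}"))

    for rule in data.get("rules", []):
        name = rule.get("name", "")
        cond = rule.get("conditions", {})
        act = rule.get("actions", {})

        if len(name.strip()) <= 1:
            findings.append(Finding(name, "rule has an empty or single-character name"))

        target = act.get("forward_to")
        if target and is_external(target, owner_domain):
            findings.append(Finding(name, f"forwards mail to external address {target}"))

        subjects = [s.lower() for s in cond.get("subject_contains", [])]
        hides = bool(act.get("delete") or act.get("mark_read") or act.get("move_to") in HIDING_FOLDERS)
        if hides and (cond.get("any") or any(w in SENSITIVE_WORDS for w in subjects)):
            findings.append(Finding(name, "hides messages that match sensitive keywords or all mail"))

    return findings


if __name__ == "__main__":
    for f in audit_mailbox(SAMPLE_EXPORT):
        print(f"[{f.rule!r}] {f.reason}")
```

On the constructed export the script reports five findings: the account-level forward, two for the “.” rule (odd name, hides bank-related mail) and two for the “Sync” rule (external forward, deletes all mail). Anything it flags should be removed and then re-checked after the password change, because attackers frequently recreate rules from a session that survived the reset.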


7) Scan the affected device and remove suspicious changes
  • Run a full malware scan
  • Update OS + browser
  • Remove unknown browser extensions
  • If you installed anything suspicious, consider a factory reset/rebuild (especially if the account compromise keeps recurring)

8) If money or bank details are involved: contact the bank immediately

If card/bank details were entered, or transactions look wrong:

  • Call the number on the back of your card / the official banking app
  • Ask about freezing cards, chargebacks, fraud monitoring, and new card/account details where needed

NCSC explicitly advises telling your bank and reporting it via UK reporting routes if you’ve shared sensitive information/been scammed. 

9) Warn your contacts

If your email/social account was used to send messages:

  • Post/notify: “My account was compromised—don’t click recent links or accept requests.”

Report it properly: UK routes that actually help

10) Report the phishing message (this supports blocking/takedowns)

Expert quote (GOV.UK): “Forward suspicious emails to report@phishing.gov.uk.” 

  • Email: forward to report@phishing.gov.uk (Suspicious Email Reporting Service) 
  • Text messages: forward to 7726 (free) to report to your mobile provider

11) Report the crime if you’ve been hacked and/or lost money

  • Use the UK’s national reporting routes (via Report Fraud / Action Fraud pathways) as referenced by NCSC guidance.

12) Watch for “recovery scams” (being targeted again is common)

Expert quote (FCA): “Fraudsters could try and target you again, or they may sell your details to other criminals.” 

Be wary of anyone claiming they can “recover” funds for a fee, or asking you to install remote access tools.


If this affects a business or customer data

13) Start an incident log straight away

Write down:

  • Timeline, affected accounts/devices, actions taken, and potential data exposed.

14) Know the ICO’s 72-hour expectation (where reporting is required)

Expert quote (ICO): report a notifiable breach “without undue delay… and within 72 hours.” 
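As an added example for steps 13 and 14 (not code from the article or the ICO), here is a minimal Python incident log that keeps a timestamped timeline, collects the set of affected accounts and devices, and computes the 72-hour ICO notification deadline from the moment the breach became known. The case id, timestamps, account and device names are all constructed for the example; whether a given breach is notifiable is a judgement the log does not make for you.

```python
"""Minimal incident log for a phishing-compromise case.

Added illustrative code, not from the original article. The sample case in
build_sample_log() is constructed; names and times are invented.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# The ICO expects a notifiable personal-data breach to be reported within
# 72 hours of the organisation becoming aware of it.
ICO_NOTIFY_WINDOW = timedelta(hours=72)


@dataclass
class LogEntry:
    when: datetime                # timezone-aware, so the timeline is unambiguous
    what: str                     # observation or action taken
    assets: tuple[str, ...] = ()  # accounts/devices this entry touches


@dataclass
class IncidentLog:
    case_id: str
    aware_at: datetime            # when you became aware of the breach
    entries: list[LogEntry] = field(default_factory=list)

    def add(self, when: datetime, what: str, *assets: str) -> None:
        if when.tzinfo is None:
            raise ValueError("use timezone-aware timestamps")
        self.entries.append(LogEntry(when, what, tuple(assets)))

    def affected_assets(self) -> set[str]:
        return {a for e in self.entries for a in e.assets}

    def timeline(self) -> list[LogEntry]:
        return sorted(self.entries, key=lambda e: e.when)

    def ico_deadline(self) -> datetime:
        return self.aware_at + ICO_NOTIFY_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Hours left before the ICO deadline; negative once it has passed."""
        return (self.ico_deadline() - now).total_seconds() / 3600

    def render(self) -> str:
        """Plain-text view suitable for pasting into a ticket or email."""
        lines = [f"Incident {self.case_id}: aware {self.aware_at.isoformat()}, "
                 f"ICO deadline {self.ico_deadline().isoformat()}"]
        for e in self.timeline():
            lines.append(f"{e.when.isoformat()}  {e.what}  [{', '.join(e.assets) or '-'}]")
        return "\n".join(lines)


def build_sample_log() -> IncidentLog:
    """Constructed sample case following the article's own response steps."""
    t0 = datetime(2024, 5, 1, 9, 15, tzinfo=timezone.utc)
    log = IncidentLog("PHISH-0001", aware_at=t0)
    log.add(t0, "Staff member reports clicking a link and entering email credentials",
            "alice@example.co.uk", "LAPTOP-07")
    log.add(t0 + timedelta(minutes=5), "Laptop disconnected from network", "LAPTOP-07")
    log.add(t0 + timedelta(minutes=20), "Mailbox password reset and all sessions signed out",
            "alice@example.co.uk")
    log.add(t0 + timedelta(minutes=35), "Forwarding rule to external address found and removed",
            "alice@example.co.uk")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(sample.render())
    print("Affected:", sorted(sample.affected_assets()))
```

Recording `aware_at` separately from the first entry matters: the 72-hour clock runs from awareness, not from when the phishing email arrived or when the log was started.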


Hardening: the next 7 days (reduce repeat compromise)

15) Move to stronger sign-in methods
  • Use a password manager
  • Unique passwords everywhere
  • 2SV/MFA on all key accounts (email, banking, socials, shopping)

16) Add monitoring and tripwires
  • Enable account alerts (new login/device, payment changes)
  • Review bank statements and credit activity closely for a few weeks



References and official UK guidance

  • NCSC: Phishing (respond & recover) 
  • NCSC: “If you’ve shared sensitive information” 
  • GOV.UK: Report suspicious emails/websites (report@phishing.gov.uk, 7726) 
  • Report Fraud: how to report suspicious activity (incl. 7726 steps) 
  • FCA: Protect yourself from scams (repeat targeting/recovery scams) 
  • ICO: First 72 hours breach response (72-hour reporting) 

Quick “double-check” checklist (copy/paste)

  • ✅ Email secured first (password changed + 2SV on)
  • ✅ Signed out of all devices/sessions
  • ✅ Email forwarding/rules checked and removed
  • ✅ Banking/payment accounts secured + bank contacted if money/details involved
  • ✅ Phishing reported (report@phishing.gov.uk / 7726)
  • ✅ Crime reported via UK reporting routes if hacked/loss occurred
  • ✅ Device scanned/cleaned and updated
