How to Recover From a Phishing Attack: 6 Essential Steps

Acting quickly and covering all bases is key to recovering from falling for a phishing scam and can save you from having your identity stolen.
Updated 22 November 2021

Phishing Statistics 2021

90% of data breaches are caused by phishing
3.4 billion phishing emails are sent every day

1.4 million phishing websites are created every month

Source: Digital InTheRound, 2021

Sections on this page
  1. How Do I Know if I’ve Been Phished?
  2. Remove Malware from Your Devices
  3. Change Your Passwords
  4. Ensure 2FA is Set Up
  5. Ignore 2FA Codes That You Receive
  6. Contact the Company
  7. Continually Monitor Your Account
  8. Collect Evidence and Report the Scam
  9. Frequently Asked Questions

A phishing attack can happen in many ways, including via email, over the phone, after visiting a website, and even via text message. Whenever you discover that you’ve fallen victim to a phishing scam, it’s essential to act quickly and remain vigilant to protect your information, accounts, and money. 

How Do I Know if I’ve Been Phished?

Sometimes it’s difficult to know if you’ve been phished—it could take months before you notice your accounts have been compromised. However, there are some key signs that you’ve been phished, including:

  • After entering your information on a website, you’re not given confirmation from the company as expected. 
  • You downloaded a file from an email, but there was nothing in it, or your computer started acting up shortly afterward. 
  • A government representative called you unsolicited, and you gave them your information to clear your name or pay off a debt. 
  • You receive a two-factor authentication (2FA) code on your phone for one of your online accounts even though you weren’t trying to log in. 
  • You receive a password reset email from one of your accounts or an alert that your password has been changed. 
  • You receive an email alert saying someone has logged into your account from an unrecognized device. 

Any time you’re sent a suspicious email or text, land on a sketchy website, or receive a phone call that doesn’t seem right, you’re likely being phished or scammed in some way, so it’s important to be cautious. 

If you do fall for a phishing scam, don’t panic, but do act quickly. The scammer’s next move is usually to log in, lock you out, or use what they learned to commit identity fraud (which can take years to untangle), so the faster you close off each account, the less they can do with what they have.

Remove Malware from Your Devices

If the phishing attack involved opening an attachment or installing something on one of your devices (computer, phone, or tablet), assume the device may be infected and clean it before you do anything else: run a full scan with reputable, up-to-date security software, remove anything it flags, and if you are still not confident the device is clean, back up your files and reset it to factory settings. Change your passwords from a device you trust rather than from the suspect one, since a keylogger would simply capture the new passwords as you type them.

Change Your Passwords

Depending on the scam, you may have given someone your login information for your account, including your password. Even if you didn’t give someone your password, you might have given them information that helped them answer your security questions that are there to stop people from changing your password. 

Whether you entered your password on a phishing website or told someone you thought was legitimate your information, it’s essential to change your passwords immediately, before the scammer has time to use them. Where the service offers it, also sign out of all other sessions (usually under the account’s security settings), because changing the password does not always end a login the scammer has already established.

If you try to log into your account but find the password has been changed, the scammer has beaten you to it. Start the service’s account recovery process straight away, and be aware that the scammer may also have altered your contact information (i.e., email and phone number) to lock you out. If you can still get in, check that your recovery email, phone number and, for an email account, any forwarding rules or filters have not been changed; these are common ways of keeping access after a password reset.

Change Your Password for All Accounts

If you use the same password for more than one account, change it on all of them: a scammer who gets one password will try it on other services (credential stuffing), so if they can access one of your accounts, you can be sure they’re going to try to access more.

Use a unique, strong password for every account, ideally generated and stored by a password manager, so one leaked password cannot open the rest.

Ensure 2FA is Set Up

If you can log into your account, make sure two-factor authentication is set up to give it an extra layer of security. With 2FA enabled, the scammer can’t log in with just your username and password; they also need a one-time code that is sent to your phone or email or generated by an authenticator app. Bear in mind that a convincing phishing page can ask you for that code and relay it to the real site in real time, so where a service supports a hardware security key or passkey, that is the more phishing-resistant option.

Keep Your 2FA To Yourself

If you receive a two-factor authentication (2FA) code, but you didn’t try to log into your account, this is a sign someone has your username and password and is trying to log in. Don’t ever give anyone your 2FA code, even if they claim they’re from a legitimate company.

It’s usually safer to have 2FA codes sent to your phone than to your email, since your email is more likely to be compromised. Phone numbers have their own weakness, though: in SIM swapping (also called SIM hijacking), scammers take over your number by impersonating you to your mobile carrier, and then receive your codes. An authenticator app or hardware security key avoids both problems.

Ignore 2FA Codes That You Receive

If you receive 2FA codes (or login-approval prompts) when you haven’t been trying to log into any of your accounts, you can be sure someone has your login information and is trying to access them. Don’t enter or approve anything, don’t give the code to anyone, and change the password on that account immediately.

Sometimes, scammers impersonating actual companies will say they need your 2FA code to fix your account. They may seem like they’re being helpful, but they’re just trying to gain access to your account. Legitimate companies will never ask for your password or your 2FA codes. 

Contact the Company

Once you know someone has potentially hacked your account, you should inform the company as soon as possible. They can help you secure your account and prevent unauthorized use. 

For example, if someone has managed to get your username and password for your credit card account, call your bank immediately and let them know. They can lock your account, cancel your credit card (and issue you a new one), and change your login credentials so the scammer no longer has access. 

It’s crucial that you report the breach immediately: how much of any fraudulent charge or activity you end up liable for often depends on how quickly you reported it, so delay can cost you money.

Call the Right Number

Whenever you contact a company, make sure you’ve got the correct contact information. Scammers are known to impersonate companies, leaving fake numbers for you to call them back on. There have also been fake sites set up to trick people into calling the wrong number. 

Always get contact information from the actual website or app. When in doubt, don’t ever call the number:

  • Given to you by an unsolicited caller (or left on your voicemail)
  • Found in an email that you can’t confirm is legitimate
  • Texted to you
  • Found on a website that you can’t confirm is legitimate

Note that you’ll need to provide the company with identifying information, such as the last four digits of your Social Security number (SSN), so they can verify that it’s really you. That is fine on a call you placed yourself to a number you verified; it is exactly what a scammer who calls you would ask for.

Continually Monitor Your Account

Even after you’ve secured your accounts by changing your passwords and enabling 2FA, you need to continue monitoring them, looking for any suspicious activity. This could be things like:

  • Emails in your inbox marked as read even though you never opened them. 
  • Sent emails that you didn’t authorize. 
  • Unauthorized purchases on your credit card. 
  • Money transfers from your Venmo account that you didn’t make. 
  • Messages sent from your social media accounts that you didn’t send. 
  • New “Friends” on Facebook that you didn’t add. 

If you notice any strange activity, report it to the website, company, etc., immediately. In some cases, your account may need to be deactivated since it’s compromised. 

If you notice unauthorized purchases on your bank account or credit card, dispute the charge with your bank. You should be able to get most (if not all) of the money back. 

Collect Evidence and Report the Scam

Keep notes and records of anything suspicious following a phishing attack, including information about the attack itself. 

Be sure to:

  • Note down the time and date of any occurrences.
  • Take screenshots of any emails, text messages, websites, etc., that you think may have been the culprit of the phishing attack. Where you can, keep the original message as well (save the email itself rather than only a screenshot), since its headers show where it really came from.
  • Note as much information about the attack as possible, for example:
      • Who you spoke to on the phone
      • The phone number they called you from
      • The phone number you were given to call them back on
      • What information they asked for
      • What information you provided them

Report the scam to the authorities, such as the Federal Trade Commission (FTC), the FBI’s Internet Crime Complaint Center (IC3), and your local police. Provide them with as much information as possible. 
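As an added example (not part of the original article), the Python script below pulls the facts a report should contain out of a saved phishing email: the visible sender, the Reply-To and Return-Path addresses, the Received chain, the message date normalised to UTC, every URL and phone number in the body, and a SHA-256 of the raw file so the copy you hand over can be shown to be unaltered. It also flags a Reply-To or Return-Path whose domain differs from the From address, a common sign of a spoofed sender. The message embedded in it is constructed for this example; the `.invalid` domains and the 555 phone number are placeholders. Most mail clients can export a message as a `.eml` file, which is what the script reads.

```python
"""Pull reportable evidence out of a saved phishing email (.eml).

Added example, standard library only. Run as
    python phish_evidence.py message.eml
or with no argument to process the constructed sample below.
"""
import email
import hashlib
import re
import sys
from datetime import timezone
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message for this example. The .invalid domains and the
# 555 phone number are placeholders, not a real sender or site.
SAMPLE_EML = b"""\
Return-Path: <bounce@mail-example.invalid>
Received: from mail-example.invalid (mail-example.invalid [192.0.2.10])
\tby mx.example.net with ESMTP id abc123
\tfor <victim@example.net>; Mon, 22 Nov 2021 09:14:02 +0000
From: "Example Bank Support" <support@examplebank-secure.invalid>
Reply-To: helpdesk@mail-example.invalid
To: victim@example.net
Subject: Urgent: verify your account
Date: Mon, 22 Nov 2021 09:13:55 +0000
Message-ID: <20211122091355.1234@mail-example.invalid>
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your account is locked. Verify at http://examplebank-secure.invalid/login
or call +1-555-0100.
--b1
Content-Type: text/html; charset="utf-8"

<p>Your account is locked. <a href="http://examplebank-secure.invalid/login">Verify now</a></p>
--b1--
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PHONE_RE = re.compile(r"\+?\d[\d\-\s()]{6,}\d")


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _unique(items):
    return list(dict.fromkeys(items))  # de-duplicate, keep first-seen order


def extract_evidence(raw: bytes) -> dict:
    """Return a dict of the facts a complaint to the FTC or IC3 should contain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))

    date_utc = ""
    if msg.get("Date"):
        dt = parsedate_to_datetime(str(msg["Date"]))
        date_utc = dt.astimezone(timezone.utc).isoformat()

    # Every URL and phone number in the text and HTML bodies: the lures the
    # victim was pushed toward and the numbers they were told to call.
    urls, phones = [], []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            text = part.get_content()
            urls.extend(URL_RE.findall(text))
            phones.extend(p.strip() for p in PHONE_RE.findall(text))

    # A Reply-To or Return-Path on a different domain from the visible From
    # address is a common sign that the sender is spoofed.
    mismatches = []
    for label, addr in (("Reply-To", reply_to), ("Return-Path", return_path)):
        if addr and _domain(addr) != _domain(from_addr):
            mismatches.append(
                f"{label} domain {_domain(addr)} differs from From domain {_domain(from_addr)}"
            )

    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # fingerprint of the saved file
        "from_name": from_name,
        "from_addr": from_addr,
        "reply_to": reply_to,
        "return_path": return_path,
        "subject": str(msg.get("Subject", "")),
        "date_utc": date_utc,
        "message_id": str(msg.get("Message-ID", "")),
        "received": [" ".join(str(h).split()) for h in msg.get_all("Received", [])],
        "urls": _unique(urls),
        "phone_numbers": _unique(phones),
        "mismatches": mismatches,
    }


def format_report(ev: dict) -> str:
    """Render the evidence as plain text that can be pasted into a complaint."""
    lines = [f"{k}: {v}" for k, v in ev.items() if not isinstance(v, list)]
    for key in ("received", "urls", "phone_numbers", "mismatches"):
        lines.append(f"{key}:")
        lines.extend(f"  - {item}" for item in ev[key])
    return "\n".join(lines)


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EML
    print(format_report(extract_evidence(raw)))
```

Keep the original `.eml` alongside the report: the SHA-256 lets whoever receives it confirm they are looking at the same file, and the Received chain and Message-ID are what an abuse desk or investigator will ask for, neither of which survives a screenshot.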

Frequently Asked Questions

What is phishing?

Phishing is when a scammer attempts to steal your sensitive information, usually by impersonating a legitimate company and tricking you into volunteering it. Phishing usually starts with an email, but attacks can also come in the form of text messages (smishing), fake websites, and phone calls (vishing). 

What should I do after being phished?

After being phished, you need to act quickly. You'll need to:

  • Change your passwords
  • Report the scam
  • Enable 2FA
  • Continue to monitor your accounts for suspicious activity
