Incident response

Contain first, investigate second

Use this timeline when something is actively going wrong. The goal is to stop further damage before deep analysis.

Containment objective: <15 min
Evidence package objective: <60 min
Agency report objective: <24 hours

0-15 minutes

  1. Stop further transfers or credential changes initiated by the attacker.
  2. Call the bank/payment provider fraud line from a trusted number.
  3. Reset compromised credentials and revoke unknown active sessions.

15-60 minutes

  1. Capture screenshots, message headers, wallet/payment IDs, and timestamps.
  2. Notify trusted contacts of impersonation risk to prevent follow-on scams.
  3. Isolate the compromised device if malware activity is suspected.

1-24 hours

  1. File agency reports (FTC/IC3/CISA as applicable) with complete evidence.
  2. Enable credit freeze or fraud alert when identity data is exposed.
  3. Review mailbox forwarding, recovery methods, and admin role changes.
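
For the message headers and timestamps captured in the 15-60 minute window, this added example (not part of the original page) turns one saved .eml file into an evidence record with a file hash, the relay hops, and header mismatches worth noting in a report. The function names and the sample message are constructed for illustration.

```python
import email
import hashlib
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message for illustration; addresses and IPs are placeholders.
SAMPLE_EML = b"""\
Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby mx.example.org with ESMTP id abc123; Tue, 04 Mar 2025 14:02:11 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.net; dkim=none
Return-Path: <bounce@example.net>
From: "Bank Support" <support@example.com>
Reply-To: helpdesk@example.net
Date: Tue, 04 Mar 2025 14:02:05 +0000
Message-ID: <constructed-0001@example.net>

Constructed body.
"""


def addr_domain(value):
    """Lowercased domain of an address header, or None if the header is absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower() or None


def evidence_record(raw: bytes) -> dict:
    """Summarise one saved message (.eml bytes) for an evidence package."""
    msg = email.message_from_bytes(raw)
    # Only trust Authentication-Results lines added by your own mail provider.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           " ".join(msg.get_all("Authentication-Results", []))))
    from_dom = addr_domain(msg["From"])
    flags = [f"{k}={v}" for k, v in auth.items() if v == "fail"]
    for name in ("Reply-To", "Return-Path"):
        if addr_domain(msg[name]) not in (None, from_dom):
            flags.append(f"{name} domain differs from From")
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # lets a recipient confirm the file is unaltered
        "message_id": msg["Message-ID"],
        "sent": parsedate_to_datetime(msg["Date"]).isoformat(),
        "from_domain": from_dom,
        "received_hops": [" ".join(h.split()) for h in msg.get_all("Received", [])],
        "auth_results": auth,
        "flags": flags,
    }


if __name__ == "__main__":
    print(evidence_record(SAMPLE_EML))
```

Hash the original .eml export rather than a forwarded copy, since forwarding rewrites the headers the record depends on.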

Official reporting channels
