What to Do If You’ve Fallen Victim to Cybercriminals
I’m writing this blog because I regularly get messages from people of all ages, and a lot of those conversations start with: “I’ve got an unusual question—can this stay between us?”
From experience, I can tell you that these “unusual” questions are rarely unique. Many people are dealing with similar issues, even if they feel alone in it.
Unfortunately, I also hear a particular sentence far too often—one that reveals just how flawed our approach to cybersecurity can be:
“Why would anyone want to hack me? I don’t even have anything.”
Let me be crystal clear: this kind of thinking is dangerous.
Cybercriminals aren’t only looking for millionaires. Even if your bank account is emptier than your fridge before payday, you are still valuable.
Your identity can be used for fraud. Your online accounts can be hijacked and used to attack others. Your data can be bundled and sold on the dark web like expired groceries at a sketchy flea market.
That’s why everyone—yes, even you—should know what to do after a cyberattack. Below is a list of specific steps.
(Note for readers: I live in the UK, so I’ll list UK institutions. If you’re elsewhere, look up the equivalents in your country.)
Immediate Steps:
1. Secure your finances.
- Contact your bank immediately and ask to freeze or close any compromised accounts.
- Request new cards and fresh account credentials.
2. Secure your phone number.
- Call your mobile provider and request a new SIM card.
- Set a PIN on the SIM to prevent unauthorized swaps. Yes, SIM swap attacks are a thing and yes, they’re as dumb as they sound.
3. Create a new communication hub.
- Set up a new email address for personal use.
- Use it for the next few months and only share it with trusted contacts and institutions.
- Protect it with a strong, unique password. And no, “password123” doesn’t count.
Within the Next Few Hours/Days:
4. Strengthen your logins.
- Change passwords on all important services. Use a password manager—because your brain cannot be trusted.
- Enable two-factor authentication (2FA)—preferably through an app like Google Authenticator, not via SMS.
- Update your security questions—especially if your dog’s name is guessable by anyone with access to your Instagram.
- Check your email settings—make sure messages aren’t being forwarded to someone else’s shady inbox.
5. Report the incident.
- Report fraud to Action Fraud (the UK’s national reporting centre) at actionfraud.police.uk or by calling 0300 123 2040.
- In urgent situations (like theft in progress), call 999.
- Forward suspicious emails to report@phishing.gov.uk and dodgy texts to 7726.
6. Protect your identity.
- Register with Cifas Protective Registration (https://www.cifas.org.uk/pr). This adds extra checks when anyone tries to apply for credit using your details. It’s like putting a big “NOPE” sign on your name.
Long-Term and Additional Steps:
7. Clean your devices.
- Run deep antivirus and anti-malware scans on your computer and phone.
- Update your operating system and all apps. Yes, that includes the ones you haven’t opened since 2017.
- Log out of all active sessions (Gmail, Facebook, etc.), then log back in.
- If you’re not tech-savvy, consult a professional. In severe cases, restore your system from a trusted backup.
8. Warn your inner circle.
- Let your friends and family know not to click on sketchy links that appear to come from you.
- This will save them from malware, scams, and possibly your embarrassment.
9. Monitor your credit.
- Regularly check your statutory credit report with UK agencies (Experian, Equifax, TransUnion) for unauthorized activity. If someone tries to open a yacht loan in your name, you’ll want to know.
Summary:
These are the steps I personally recommend based on experience. Feel free to follow them—but remember, getting help from a cybersecurity expert can make the process much smoother and more tailored to your situation.
In my next post, I’ll cover how to prevent attacks like these in the first place.