ScamWatch

If you feel you're being scammed in United States: Contact the Federal Trade Commission (FTC) at 1-877-382-4357 or report online at reportfraud.ftc.gov

What to Do When You’ve Given Remote Access: A Recovery Checklist for Victims

Mother using telemedicine to care for a sick child at home, combining health and comfort.

Immediate concern: why this matters

Granting remote access to an unknown or unverified person gives them control over files, passwords, email, banking sessions and other connected devices — and often happens during tech-support or refund scams. If this has happened to you, quick containment and the right sequence of actions can limit financial loss and identity theft. Follow the checklist below to isolate the incident, secure accounts, and report the crime for possible recovery.

Step 1 — Contain the incident (first 30–60 minutes)

Act fast. The goal in the first hour is to stop further access and preserve evidence:

  • Disconnect the device from the internet: Unplug Ethernet, turn off Wi‑Fi and, if possible, power the device down. This prevents the attacker from continuing remote control or exfiltrating data.
  • Uninstall remote-access tools if you can safely do so: If the scam used software such as TeamViewer, AnyDesk, or similar, uninstall it and change any related settings (for example, remove allowlisted partners and disable unattended access). If you are unsure how, take a photo or note of any IDs or messages the scammer showed you before removing software.
  • Do not immediately log back into sensitive accounts on the affected device: Use a different, trusted device (phone or another computer) to access email and banking, or use your bank’s official app on a mobile device.

Why these steps matter: Attackers may have installed monitoring or keylogger software that continues to run; isolating and avoiding the compromised device reduces further damage and prevents the attacker from seeing new passwords or multi-factor prompts.

Step 2 — Clean up, secure accounts, and protect finances

After containment, take these prioritized actions:

  1. Change passwords from a safe device: For email, banking, social media, cloud storage, and any accounts that use the same or similar passwords — change them immediately and make each password unique. Use a password manager to generate and store strong passwords.
  2. Enable multi-factor authentication (MFA): Turn on MFA for email, bank, and cloud accounts (authenticator app or hardware key preferred over SMS). This blocks many post-compromise login attempts.
  3. Contact your bank and card issuers immediately: Tell them you were the victim of a scam and that an attacker may have had access to accounts or card numbers. Ask to freeze or monitor accounts, reverse unauthorized charges, and place fraud alerts where appropriate. Scammers often instruct victims to move money (including into crypto); notify institutions about any attempted transfers.
  4. Scan and/or rebuild the affected device: Run updated antivirus and anti-malware scans. If malicious software is found or you remain unsure of the device’s integrity, back up personal files (carefully), then reinstall the operating system or restore from a clean image — or have a trusted technician perform a forensic cleanup. Reinstall remote-access software only if you trust the account and settings.
  5. Check for SIM updates or SIM swap fraud: If the scammer knew or requested phone-based codes, contact your mobile carrier to confirm account security and add a PIN or port freeze if available. Consider moving MFA from SMS to an authenticator app or hardware key.

Note on cryptocurrency and transfers: Scammers often ask victims to move funds into crypto or “safe” wallets. Crypto transfers are typically irreversible — notify your financial institution and law enforcement immediately if you were directed to transfer funds.

Step 3 — Report, document, and monitor

Reporting helps investigators and could increase your chance of recovery. Keep records of every interaction (emails, phone numbers, payment receipts, screenshots):

  • File a complaint with IC3 and the FTC: Submit details to the FBI’s Internet Crime Complaint Center (IC3) and the Federal Trade Commission so agencies can track trends and potentially act on large scams. Include any identifying information such as phone numbers, email addresses, websites, and payment destinations.
  • Contact local police: File a local police report and provide copies of documentation — this can help with bank disputes and insurance claims.
  • Monitor credit and accounts: Place a fraud alert or credit freeze if identity information was exposed and check your credit reports regularly. Sign up for transaction alerts from your bank and review statements for repeated or small-amount test charges.
  • Preserve evidence: Keep copies of the scammer’s communications, pop-up text, remote-access session IDs, and timestamps. These make reporting and law-enforcement follow-up more useful.

After recovery — hardening and prevention

Once systems are clean and accounts secured, adopt these longer-term protections: enable MFA across critical accounts, use a password manager, keep software up to date, limit administrative privileges on everyday accounts, and never accept unsolicited tech-support calls or pop-ups. If you rely on third-party IT support, verify contact details independently and use vendor-specific secure portals rather than ad-hoc remote sessions.

Related Articles

Close-up of a contactless payment using a smartphone and QR code scanner in a modern retail setting.

Fake QR Codes and Payment Phishing: How Scammers Use QR Stickers to Redirect You to Tech Support and Checkout Pages

Scattered keyboard keys spelling 'SCAM' on a red-lit wooden surface, symbolizing online fraud.

Why “Allow This App” Is the New Phishing: Consent‑Phishing, OAuth Scams & an Admin Playbook

A woman wearing headphones focused on her laptop in a dimly lit room with neon lights.

LLM‑Assisted Spear‑Phishing: How Attackers Use Personal Data + Prompts to Bypass Filters — Detection Templates for Security Teams