How do I secure all my accounts after falling victim to a scam?
Work systematically through your most critical accounts first: change passwords, enable two-factor authentication, revoke unexpected access, and monitor for any changes made during the period of compromise.
Last reviewed: 10 June 2026
Explanation
After a scam involving account access — whether through phishing, a remote-access session, or a compromised device — your goal is to re-establish control across your digital accounts before the attacker can do lasting damage. Doing this methodically rather than in a panic produces better results.
Start with the highest-impact accounts: your primary email account, then your bank and credit accounts, then any accounts where your email is used for password recovery. Your email is the master key — anyone who controls it can reset almost everything else via 'forgot password'. On each of these accounts, change to a strong, unique password and immediately enable two-factor authentication using an authenticator app.
For each account, also review: active sessions (sign out all others), connected third-party apps (revoke anything unfamiliar), recovery email and phone number (ensure they point to accounts you control), and recent account activity for any changes made. Attackers often make small changes — adding a forwarding rule, changing the recovery contact — designed to maintain persistence.
As you work through accounts, use a password manager to generate and store unique passwords. This process also gives you an opportunity to delete accounts you no longer use, reducing your attack surface. After the immediate response, set a calendar reminder to check account activity across your key accounts monthly.
Common red flags
- You gave a scammer access to your device via a remote-access app
- You entered credentials on a phishing page
- A device or account was compromised and you are unsure what was accessed
- You notice small unexplained changes to account settings (recovery contacts, forwarding rules)
What to do now
- Change your email account password first, using a device you are confident is clean
- Enable authenticator-app 2FA on your email, then your bank, then all key accounts
- Sign out all other sessions on each account and revoke unknown connected apps
- Check recovery email and phone numbers in every account and correct any that were changed
- Check your email for forwarding rules and delete any you didn't create
- Review your bank and card statements for any transactions during the compromise window
- Use a password manager from this point forward to maintain unique passwords across accounts
Frequently asked questions
How many accounts do I need to change passwords on?
Any account where you used the same password as, or a similar password to, one that was compromised, and any account the scammer could have accessed on your device or in your email. A password manager's breach monitoring feature can identify affected accounts.
Should I close accounts I haven't used in years?
Yes — dormant accounts you no longer monitor can be compromised without you noticing, and old accounts sometimes contain payment details. Closing them reduces your attack surface.