Incident Response Guide

What to do if you suspect your accounts, devices, or data have been compromised. Don’t panic—this guide will walk you through each step.

Prevention is the best option! See the Digital Force Protection Guide for preventive measures.


  1. Identify - What happened?
  2. Secure - Stop the bleeding
  3. Restore - Recover from the incident
  4. Report - Notify appropriate parties
  5. Learn - Prevent future incidents

Signs:

  • Locked out of your account
  • Money missing from financial accounts
  • Changes or activities you didn’t make
  • Login notifications from unknown locations
  • Password reset emails you didn’t request

Action: Secure Your Online Accounts

Signs:

  • Computer acting on its own (mouse moving, unexpected restarts)
  • Ransomware message
  • Fake antivirus or update messages
  • New plugins, toolbars, or applications you didn’t install
  • Device running slowly or behaving abnormally
  • Unexpected pop-ups
  • Searches being redirected

Action: Secure Your Local Devices

Signs:

  • Private information shared online without permission
  • Personal images or media shared without consent
  • Notifications from companies about breaches
  • Your information appearing in data breach databases

Action:

  1. Alert family and friends to be cautious
  2. Freeze Your Credit
  3. Secure Your Online Accounts

Phishing:

  • Email or message asking for personal/financial information
  • Do not respond or click links
  • Mark as spam and delete
  • Secure Your Network if you interacted

Financial Scams:

  • Requests for money or banking information
  • Pressure using fear or urgency
  • Read about common scams

Action:

  1. Secure Your Online Accounts immediately
  2. Try to locate the device using a tracking service
  3. Consider remotely wiping the device
  4. Report to police if stolen

Immediate steps:

  1. Change Passwords

    • Update passwords for ALL important accounts
    • Start with email (it’s the recovery for everything else)
    • Use a password manager
  2. Enable Multi-Factor Authentication (MFA)

    • Use authenticator apps, not SMS
    • Hardware keys are best
  3. Check for Breaches

  4. Prioritize These Accounts:

    • Email accounts (especially recovery emails)
    • Financial accounts (banks, credit cards, crypto)
    • Mobile carrier account (prevents SIM swapping)
    • Social media (prevents impersonation)
  5. Review Account Activity

    • Check login history
    • Review connected apps and devices
    • Revoke unknown sessions

  1. Disconnect from Internet

    • Unplug network cable or turn off Wi-Fi
    • Prevents further unauthorized access
  2. Run a Malware Scan

    • Use reputable antivirus software
    • Malwarebytes is recommended
  3. Update Software

    • Operating system
    • All applications
  4. Review Installed Programs

    • Uninstall anything you don’t recognize
    • Check browser extensions
  5. Change Device Passwords

    • Use strong, unique passwords
  6. Consider Professional Help

    • If unsure, seek assistance

  1. Change Router Passwords

    • Admin password
    • Wi-Fi password
  2. Update Router Firmware

  3. Disable Remote Management

  4. Review Connected Devices

    • Remove any unknown devices
  5. Set Up Guest Network

    • Isolate main devices from guests

  1. Freeze Your Credit

  2. Review Financial Statements

    • Look for unauthorized transactions
    • Set up transaction alerts
  3. Remove Personal Information


  1. Reset passwords and security questions
  2. Use masked emails for sensitive accounts
  3. Set up fresh MFA tokens

  1. Restore from backups if available
  2. Use data recovery software if needed
  3. Consult professionals for critical data

In severe cases:

  • Reinstall operating system to ensure all malware is removed
  • Replace the device if hardware compromise is suspected
  • Get new phone number if SIM swapped

Financial Institutions:

  • Inform of unauthorized activity
  • Request new cards if needed
  • Set up fraud alerts

Law Enforcement:

  • File a police report for identity theft or significant fraud
  • Get a copy of the report for your records

Affected Parties:

  • Let friends and family know if they might be impacted
  • Warn them about potential impersonation

Official Reporting:

  • FTC - For scams and fraud
  • IC3 - FBI’s Internet Crime Complaint Center
  • IdentityTheft.gov - Identity theft reporting

  • How did the incident occur?
  • What was the entry point?
  • What could have prevented it?

  • Strong, unique passwords everywhere
  • MFA on all important accounts
  • Regular backups
  • Keep software updated
  • Be cautious with emails and links
  • Regular security checkups

  • Follow security news
  • Learn about new threats
  • Update your practices

  • Monitor bank statements weekly
  • Review account activity monthly
  • Check credit reports quarterly
  • Search for your information in breach databases

  • Credit monitoring services
  • Identity theft protection
  • Have I Been Pwned notifications
  • Network monitoring apps

  • Document everything
  • Reach out to digital security organizations
  • Consider legal consultation
  • Connect with other activists who’ve faced similar situations

If compromised, do this NOW:

  1. ✅ Disconnect from internet (if device issue)
  2. ✅ Change email password from a DIFFERENT device
  3. ✅ Enable MFA on email
  4. ✅ Change passwords on financial accounts
  5. ✅ Freeze credit
  6. ✅ Run malware scan
  7. ✅ Document everything
  8. ✅ Alert close contacts if impersonation risk