What “Incident Response” Means for Beginners
An incident is any event that threatens your accounts, devices, data, or ability to use them normally. “Responding to incidents” means taking immediate, practical actions to stop the damage, preserve what you need to investigate, and restore normal operation safely. For beginners, incident response is less about complex forensics and more about calm, repeatable habits: isolate, document, secure, recover, and learn.
Incidents can be obvious (ransom note on your screen, bank alerts, account locked) or subtle (unknown logins, new browser extensions, missing files, strange pop-ups). The goal is to avoid panic actions that make things worse (like deleting evidence, paying scammers quickly, or reusing compromised passwords) and instead follow a simple playbook.
Two priorities that guide every response
- Stop ongoing harm: prevent further access, spread, or financial loss.
- Restore safely: return to normal in a way that doesn’t reintroduce the same problem.
Immediate Steps: A Simple Triage Flow
When you suspect an incident, start with triage. Triage is a quick assessment that helps you choose the right next action. Use this order: safety, containment, evidence, notification, recovery.
Step 1: Check for immediate safety and financial risk
Ask: is there a risk of money leaving your accounts right now, or is someone actively controlling a device?
- If you see unauthorized transfers, card charges, or login alerts: treat it as urgent financial fraud.
- If a device is showing remote-control behavior (cursor moving, windows opening): treat it as active compromise.
In urgent cases, your first action is to stop the bleeding: contact your bank/card issuer, freeze cards, and lock accounts where possible. If you are on a work device, follow your organization’s reporting process immediately.
Step 2: Contain the incident (isolate affected systems)
Containment means limiting spread and cutting off an attacker’s access. For most beginners, containment is mainly about disconnecting and separating.
- Disconnect the affected device from the internet: turn off Wi‑Fi, unplug Ethernet, or enable airplane mode. This can stop data exfiltration and remote control.
- Do not power off immediately unless necessary: if the device is overheating, behaving dangerously, or you must stop encryption (ransomware), powering off may be reasonable. Otherwise, staying powered on can preserve useful information for later steps.
- Separate removable media: unplug external drives and USB sticks to prevent them from being altered or encrypted.
- Use a different, trusted device for account actions: if your laptop may be compromised, do password resets and account recovery from a phone or another computer you trust.
Step 3: Capture basic evidence (without “deep forensics”)
You do not need advanced tools to preserve helpful evidence. The goal is to record what happened before it changes.
- Take photos/screenshots: error messages, ransom notes, suspicious pop-ups, unusual login alerts, unknown apps, or new browser extensions.
- Write down timestamps: when you noticed the issue, when alerts arrived, and any actions you took.
- Record key details: affected accounts, device name, approximate location, and any suspicious emails/messages you interacted with.
- Save suspicious messages: keep the email or message in place; do not forward it to friends. If you must share with IT/support, use their official reporting method.
Avoid “cleaning” too early. Deleting files, uninstalling apps, or running random tools can destroy clues and sometimes worsen the situation.
Step 4: Notify the right people early
Incidents often require help. Notify based on context:
- Work/school: report to IT/security immediately, especially if a work account or device is involved.
- Financial: contact your bank/card issuer for fraud steps and charge disputes.
- Key services: contact the service provider (email, social media, cloud storage) through official support channels if you cannot regain access.
- Contacts: if your account sent suspicious messages, warn close contacts not to click links and to ignore unusual requests.
When notifying, share facts (what you saw, when, what you clicked, what changed). Avoid assumptions like “I was hacked by…” unless you have evidence.
Scenario Playbooks (Step-by-Step)
Different incidents require different first moves. Use the playbook that matches what you see.
Playbook A: You suspect an account takeover
Signs include password reset emails you didn’t request, login alerts from unfamiliar locations, new devices in your account, messages sent without you, or changes to profile details.
- 1) Use a trusted device and network: avoid using the possibly compromised device for recovery steps.
- 2) Try to sign in and change the password: if you can still access the account, change the password immediately.
- 3) Force sign-out everywhere: many services offer “log out of all devices/sessions.” Use it.
- 4) Check account recovery settings: verify recovery email/phone are yours; remove unknown ones.
- 5) Review recent activity: look for logins, devices, forwarding rules, connected apps, and security settings changes.
- 6) Enable stronger sign-in protection: turn on multi-factor authentication if available and ensure it uses a method you control.
- 7) Secure your email first if it’s involved: email often controls password resets for other accounts. If your email is compromised, fix it before resetting other services.
- 8) Notify contacts if messages were sent: tell them your account was compromised and to ignore prior messages.
Practical example: if your social media account posted scam links, the attacker may still have an active session. Changing the password alone may not remove them unless you also sign out all sessions and remove unknown connected apps.
Playbook B: You clicked a suspicious link or opened a suspicious attachment
Not every click causes an incident, but treat it seriously.
- 1) Disconnect the device from the internet: contain potential downloads or remote control.
- 2) Do not enter credentials: if you already entered them, treat it as credential compromise and follow Playbook A for that account.
- 3) Capture evidence: screenshot the message, the link (if visible), and any page you saw.
- 4) Run a reputable security scan: use your installed security tools or your organization’s approved tools. Avoid downloading “cleaners” from pop-ups.
- 5) Monitor accounts for unusual activity: especially email, banking, and any account you attempted to log into.
- 6) If it was a work context: report to IT/security with the email and details.
Practical example: you opened an invoice attachment and it asked you to “Enable Content” or “Enable Macros.” If you enabled it, treat it as higher risk: disconnect immediately and escalate to IT/support rather than trying to fix it alone.
Playbook C: Your device may be infected (pop-ups, unknown apps, performance issues)
When a device behaves strangely, you want to prevent spread and avoid trusting the device for sensitive actions.
- 1) Disconnect from the internet: contain potential communication with malicious servers.
- 2) Identify what changed: new apps, browser extensions, unknown admin accounts, new startup items, or security settings disabled.
- 3) Back up critical personal files carefully: if you must back up, copy only documents/photos you need. Avoid copying unknown executables or installers. Use an external drive that you can disconnect afterward.
- 4) Scan with trusted tools: run a full scan using reputable security software already installed or obtained from official sources.
- 5) Remove suspicious extensions/apps: if you can identify them confidently. If unsure, document first and seek help.
- 6) Consider a clean reinstall if compromise is likely: for serious infections, the most reliable recovery is wiping and reinstalling the operating system, then restoring files from known-good backups.
Practical example: if your browser homepage and search engine keep changing back after you fix them, that suggests a persistent unwanted program or extension. Document the extension list, remove unknown items, and scan. If it returns, a clean reinstall may be faster and safer than repeated guessing.
Playbook D: Ransomware or mass file encryption suspected
Signs include many files suddenly changing extensions, failing to open, or a ransom note demanding payment.
- 1) Disconnect immediately: unplug network cable or disable Wi‑Fi to stop encryption spreading to shared drives.
- 2) Do not attach backup drives: keep backups disconnected so they cannot be encrypted too.
- 3) Photograph the ransom note and messages: record any “case ID” or contact method shown.
- 4) Identify scope: which folders/drives are affected, and whether other devices on the same network are impacted.
- 5) Escalate: for work/school, contact IT/security immediately. For personal, consider professional help if valuable data is at stake.
- 6) Recovery planning: prioritize restoring from known-good backups rather than attempting random decryption tools. Only use decryption resources from trusted, official sources if applicable.
Important habit: avoid paying quickly out of panic. Payment does not guarantee recovery and can invite further targeting. Focus on containment and safe restoration.
Playbook E: Lost or stolen device
This is both a privacy and account security incident.
- 1) Use another device to locate/lock: use the official “Find My”/device management feature to mark it lost, lock it, or erase it if necessary.
- 2) Change passwords for key accounts: start with email, then banking, then other important services.
- 3) Revoke sessions/tokens: sign out of all sessions for accounts that were logged in on the device.
- 4) Contact your carrier (for phones): suspend service and block the SIM if needed.
- 5) Report theft if appropriate: a police report can help with insurance and some recovery processes.
Recovery Habits: Restoring Safely Without Reintroducing Risk
Recovery is not just “getting back online.” It is restoring your normal workflow while preventing the same incident from recurring. Beginners often recover partially (e.g., they regain an account) but leave behind the original weakness (e.g., compromised recovery email, unknown connected app, or infected device). The habits below help you recover fully.
Habit 1: Use a “known-good” base for recovery actions
Do sensitive recovery steps from a device you trust. If your main computer may be infected, use a different device to reset passwords, review account activity, and contact support. This reduces the chance that a hidden attacker sees your new credentials immediately.
Habit 2: Reset credentials in the right order
When multiple accounts are involved, order matters because some accounts control others.
- 1) Email accounts: because they receive password resets and security alerts.
- 2) Financial accounts: banking, payment apps, shopping sites with saved cards.
- 3) Primary identity accounts: phone number account, major cloud accounts, app stores.
- 4) Everything else: social media, forums, subscriptions.
As you reset, also check recovery settings and connected apps. Attackers often add a recovery email, set forwarding rules, or connect a third-party app to regain access later.
Habit 3: Rebuild trust in your device before trusting it with secrets
After a suspected infection, decide how you will regain confidence in the device:
- Low suspicion: reputable scans, remove suspicious extensions, update the system, and monitor.
- High suspicion: back up essential files, wipe and reinstall the operating system, reinstall apps from official sources, and restore files carefully.
Practical example: if you saw remote-control behavior or security tools were disabled unexpectedly, treat it as high suspicion and plan for a clean reinstall rather than “quick fixes.”
Habit 4: Restore from backups carefully
Backups are powerful, but restoring blindly can reintroduce the problem.
- Prefer restoring personal documents over system images if you suspect malware was present.
- Scan restored files before opening them, especially if they came from a period when the device was acting suspiciously.
- Keep at least one backup offline (disconnected) so it cannot be affected by future incidents.
Habit 5: Verify security settings after recovery
After you regain access, do a short verification checklist for each important account:
- Review recent logins/devices and remove unknown ones.
- Check recovery email/phone and remove anything unfamiliar.
- Review connected apps and revoke anything you don’t recognize.
- Check for forwarding rules or filters in email that could hide alerts.
- Confirm multi-factor authentication is enabled and uses a method you control.
This step is often what prevents “I got hacked again the next day.” The attacker may have left a backdoor in the form of a connected app or recovery method.
Habit 6: Keep an incident log (simple and useful)
An incident log is a small document you maintain during and after the event. It helps you communicate clearly with support and reduces mistakes.
Incident log template (personal use)
- Date/time noticed:
- What I observed:
- Affected device(s):
- Affected account(s):
- Actions taken (with times):
- Evidence saved (screenshots, emails):
- Support contacted (who/when/ticket):
- Outcome and next steps:
Even a few bullet points can save hours later, especially if you need to dispute charges, prove account ownership, or explain the timeline to IT.
Habit 7: Monitor for recurrence for a defined period
After recovery, set a monitoring window (for example, 2–4 weeks) where you pay extra attention to alerts and account activity. This is not paranoia; it is a controlled follow-up.
- Watch for new login alerts.
- Review bank and card activity more frequently.
- Be cautious with unexpected password reset emails.
- Check that removed devices/apps do not reappear.
Communication During an Incident: What to Say and What Not to Do
How to report clearly (to IT, support, or a bank)
Use a factual, structured message:
- What happened (symptoms, alerts, unauthorized actions).
- When it started (approximate time).
- What you did (disconnect, password change, scans).
- What you need (account lock, fraud investigation, device check).
Example report:
At 10:20 AM I received a login alert for my email from an unknown location. At 10:25 AM my contacts received messages I did not send. I disconnected my laptop from Wi‑Fi and used my phone to change the email password and sign out of all sessions. I can provide screenshots of the alerts and the sent messages. Please help verify account recovery settings and check for forwarding rules.
Avoid common “panic moves”
- Do not pay or negotiate immediately with extortion messages without getting professional guidance.
- Do not keep using the compromised device for sensitive logins until you regain trust in it.
- Do not install random tools recommended by pop-ups or unknown websites.
- Do not delete everything right away if you may need evidence for support, disputes, or workplace reporting.
Building Your Personal Incident Response Kit
You can prepare a small “kit” so you are not improvising during stress. This is not about advanced gear; it is about readiness.
What to prepare
- Recovery codes and backup access methods: store them securely so you can regain access if you lose a phone or get locked out.
- Important contact list: bank fraud numbers, carrier support, key account support links (official), workplace IT contact.
- Offline backup drive: disconnected when not in use.
- A second trusted device: even an old phone kept updated can be a recovery lifeline.
- A simple incident log template: ready to copy and fill in.
Practice: a 10-minute “tabletop” drill
A tabletop drill is a short practice run where you imagine an incident and walk through your steps. Do this occasionally so the actions feel familiar.
- Pick a scenario: “My email is taken over.”
- Write down: which device you would use, which accounts you would secure first, and who you would contact.
- Locate the settings: where to sign out of all sessions, where to review connected apps, where to check recovery info.
The goal is not perfection; it is reducing decision-making under pressure.