Preserve evidence by capturing what happened (screenshots, messages, headers, transaction details, timestamps) and storing it in a tamper-resistant way before you start changing things. Then lock down access in a controlled order (device first, then passwords and recovery options), so you don’t erase the very signals that support recovery, refunds, or an investigation.
1) Stabilize first: stop the bleed without wiping the trail
If fraud is active right now, the goal is to prevent further damage while keeping records intact.
- Use a “clean” device to take control. If you suspect malware on your main computer/phone, do not start recovery from it. Use another trusted device or a freshly updated system, because attackers sometimes intercept resets and new passwords. Microsoft’s recovery guidance explicitly recommends scanning/cleaning for malware before changing passwords. (Microsoft Support)
- Pause account changes long enough to capture proof. Before you reset passwords or delete sessions, capture the key evidence listed below. After you secure the account, some logs and notifications can disappear or become harder to access.
- Stop new transactions. If financial accounts are involved, immediately contact the institution’s fraud channel to freeze transfers/charge activity. This step is part of “account protection,” but it also creates a record (case number, call logs, emails) that becomes evidence.
2) Create an “evidence package” (one folder, one timeline, clear labels)
Think of your evidence package as something you could hand to a bank, platform support team, or law enforcement without having to explain it twice.
Make a simple structure:
- Folder A — Timeline (one document): a running log of events in chronological order.
- Folder B — Screenshots & photos: labeled with date/time and what they show.
- Folder C — Emails & messages: saved in original format when possible.
- Folder D — Transactions & account data: PDFs or exports from banks/platforms (if available), plus screenshots.
- Folder E — Support interactions: ticket numbers, chat transcripts, call times, names/IDs, and outcomes.
In your timeline, record:
- Date/time you noticed the fraud
- What you saw (exact wording, amounts, account names)
- Actions taken (password changes, freezes, reports filed)
- Reference numbers (bank claim ID, platform case ID, police report number)
This timeline prevents “memory drift” and helps support teams correlate your report with their logs.
3) Capture the right evidence (what matters most in recovery)
Not all “proof” is equally useful. The best evidence is specific, verifiable, and includes machine-readable details.
A. Account access and security changes
- “Your password was changed” emails
- MFA/2FA changes (new device added, authenticator reset, phone number changed)
- Recovery email/phone changes
- “New sign-in” alerts and security log screenshots (location/device/IP if shown)
If you’re dealing with a major account provider, follow their compromised-account flow and document each screen you see during recovery (error messages included). For Google accounts, their official recovery/secure steps focus on reviewing suspicious activity and securing the account—those screens are evidence in themselves. (Google Support)
B. Communication evidence (phishing, impersonation, social engineering)
- The original email (not just a screenshot) and the full headers if possible
- Text messages (screenshots plus export if your phone supports it)
- Chat logs (download or copy full conversation including timestamps)
Why headers matter: they help identify where an email originated and how it traveled. The FBI’s IC3 notes you may paste details like email headers into a complaint, and you should keep originals securely. (IC3)
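As an added illustration (not from the original post or from IC3), the Python script below parses a constructed sample message and pulls out the header facts worth copying into your timeline: the Received chain in travel order, the From/Return-Path/Reply-To addresses, and the authentication results. Every address, host name and IP in the sample is made up.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (.eml text), not a real message: a "password changed" lure.
SAMPLE_EML = """\
Return-Path: <bounce@mailer-example.invalid>
Received: from smtp-out.mailer-example.invalid (smtp-out.mailer-example.invalid [203.0.113.5])
 by mx.recipient.invalid with ESMTPS; Tue, 03 Feb 2026 09:15:02 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
 by smtp-out.mailer-example.invalid with ESMTPA; Tue, 03 Feb 2026 09:14:58 +0000
Authentication-Results: mx.recipient.invalid; spf=fail smtp.mailfrom=mailer-example.invalid; dkim=none
From: "Example Bank Security" <security@example-bank.invalid>
Reply-To: <help@mailer-example.invalid>
To: <victim@recipient.invalid>
Subject: Your password was changed
Date: Tue, 03 Feb 2026 09:14:55 +0000
Message-ID: <constructed-id@mailer-example.invalid>

Please confirm your new password at the link below.
"""

def domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def summarize_headers(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    # Each relay prepends its own Received header, so the last one is the first hop.
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(\S+)", str(value))
        hops.append(m.group(1) if m else "?")
    auth = str(msg.get("Authentication-Results", ""))
    notes = []  # plain-language observations to copy into the timeline
    if return_path and domain(return_path) != domain(sender):
        notes.append("Return-Path domain differs from From domain")
    if reply_to and domain(reply_to) != domain(sender):
        notes.append("Reply-To domain differs from From domain")
    for mech, res in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if res != "pass":
            notes.append(f"{mech} result: {res}")
    return {"from": sender, "return_path": return_path, "reply_to": reply_to,
            "hops": hops, "date": str(msg.get("Date", "")), "notes": notes}

if __name__ == "__main__":
    print(summarize_headers(SAMPLE_EML))
```

Run it against a saved .eml file by passing the file contents instead of SAMPLE_EML; the notes are observations to record, not proof of anything on their own.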
C. Transaction and identity evidence
- Transaction IDs, authorization codes, merchant names, dates/times
- Wallet addresses (for crypto fraud), payment handles, invoice numbers
- Screens showing your profile details at the time (display name, linked email, payout account)
- Any proof of identity misuse (new accounts opened, address changes, new payees)
D. Device and browser evidence (when relevant)
Only capture what you can safely access; do not install random “forensics” tools in panic.
- Browser history entries that show the phishing page URL
- Download history (suspicious files)
- Security software alerts (screenshots)
4) Preserve originals: screenshots are helpful, but not always enough
Screenshots show what you saw, but originals carry metadata and are harder to dispute.
Use this priority order:
- Export/download originals (email files, transaction exports, platform logs)
- Save pages as HTML (if available)
- Screenshots (as a backup and quick visual summary)
Practical tips:
- Keep file names consistent, for example: 2026-02-03_0915_Gmail_password_reset_email.png
- Don’t edit images (cropping can be fine, but keep an unedited copy too).
- If you must forward evidence, forward as an attachment when possible (preserves more metadata).
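As an added example (not part of the original post), this Python script sets up the five folders from section 2, builds file names in the convention above, and writes a SHA-256 manifest so that a later change to any original can be detected; the folder names and the MANIFEST.sha256 file name are my own choices, and the screenshot bytes are a constructed placeholder.

```python
import hashlib
import re
import tempfile
from datetime import datetime
from pathlib import Path

FOLDERS = ["A_timeline", "B_screenshots", "C_emails_messages",
           "D_transactions", "E_support_interactions"]  # the article's A–E folders
MANIFEST = "MANIFEST.sha256"

def evidence_filename(when: datetime, source: str, description: str, ext: str) -> str:
    """YYYY-MM-DD_HHMM_Source_short_description.ext, as the article suggests."""
    desc = re.sub(r"[^A-Za-z0-9]+", "_", description).strip("_")
    return f"{when:%Y-%m-%d_%H%M}_{source}_{desc}.{ext.lstrip('.')}"

def create_package(root: Path) -> None:
    for name in FOLDERS:
        (root / name).mkdir(parents=True, exist_ok=True)

def build_manifest(root: Path) -> dict[str, str]:
    """Hash every evidence file and write MANIFEST.sha256 in sha256sum format."""
    entries = {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
               for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}
    (root / MANIFEST).write_text("".join(f"{d}  {r}\n" for r, d in entries.items()))
    return entries

def verify_manifest(root: Path) -> list[str]:
    """Relative paths whose file is missing or whose hash no longer matches the manifest."""
    problems = []
    for line in (root / MANIFEST).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        target = root / rel
        if not target.is_file() or hashlib.sha256(target.read_bytes()).hexdigest() != digest:
            problems.append(rel)
    return problems

def demo() -> dict:
    """Build a package in a temp dir, then show the manifest catching a later edit."""
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    create_package(root)
    name = evidence_filename(datetime(2026, 2, 3, 9, 15), "Gmail", "password reset email", "png")
    shot = root / "B_screenshots" / name
    shot.write_bytes(b"constructed placeholder image bytes")  # constructed sample evidence
    build_manifest(root)
    before = verify_manifest(root)                # [] : everything matches
    shot.write_bytes(b"edited after the fact")    # simulate an edit to the original
    return {"filename": name, "before": before, "after": verify_manifest(root)}

if __name__ == "__main__":
    print(demo())
```

The manifest only proves integrity relative to itself, so keep a copy of MANIFEST.sha256 (or its own hash) somewhere the working folder cannot be altered from, for example in the first email you send to support with the case number.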
5) Lock down accounts without destroying evidence
Once you’ve captured the key proof, secure access in an order that reduces re-compromise.
Step 1 — Secure the device you’ll use
- Update OS and browser
- Run a reputable malware scan (especially if you suspect credential theft) (Microsoft Support)
- Remove unknown browser extensions
Step 2 — Regain control of the primary email
Your email is the “master key” for password resets. If an attacker controls it, they can undo every other fix.
- Change email password (unique, long)
- Enable MFA with a method you control
- Review forwarding rules, filters, delegated access, recovery email/phone
Step 3 — Reset passwords (strategically)
- Start with email + financial + password manager
- Then high-impact accounts (shopping, social, work tools)
- Use unique passwords; a password manager helps prevent reuse
Step 4 — Kick out active sessions
After password and MFA changes, sign out of other sessions/devices. Many platforms provide “sign out everywhere.”
Step 5 — Check “recovery routes”
Attackers often add their own recovery email/phone or app. Remove anything you don’t recognize.
6) Work with support: evidence that gets traction
Support teams typically respond best to:
- Exact timestamps (including timezone)
- Transaction IDs and amounts
- Screenshots of security logs and change notifications
- A clear statement of what you want: “restore access,” “reverse changes,” “refund charges,” “disable fraudulent payee”
When you open tickets:
- Ask for a case number and record it in your timeline.
- Keep chat transcripts. If chat can’t be exported, screenshot it in segments with timestamps visible.
- If you must summarize in a form field, write a short “fact block” (5–10 bullet points) and offer to provide supporting files if requested.
For internet-enabled fraud, consider filing a report with the FBI’s IC3 and keep the underlying evidence. IC3 emphasizes that they don’t accept attachments and that you should retain originals in case an investigating agency requests them. (IC3)
7) Avoid common evidence mistakes that weaken recovery
- Deleting the phishing email/message immediately. Move it to a folder, label it, and keep the original.
- Resetting everything first, documenting later. You may lose logs, session data, or proof of unauthorized changes.
- Mixing old and new facts. Keep a clean timeline with “observed” vs “assumed.”
- Sharing evidence publicly. Posting screenshots with full names, emails, order numbers, or addresses can invite copycat fraud and complicate support verification.
8) A quick “do this now” checklist (in order)
- Use a trusted device; update and scan if needed (Microsoft Support)
- Create a timeline document and an evidence folder
- Capture: security alerts, logins/activity, recovery changes, transaction details
- Save originals (emails/headers, exports) plus screenshots
- Secure primary email, then financial accounts, then the rest
- Open support tickets; record case numbers and outcomes
- If appropriate, report via official channels (IdentityTheft.gov / IC3) and retain originals (IdentityTheft.gov)
Why this matters
Good evidence shortens resolution time and reduces back-and-forth with banks and platforms, while also improving the odds that fraud can be reversed and future access restored.
Sources
- IdentityTheft.gov — step-by-step recovery guidance
- FBI Internet Crime Complaint Center (IC3) — FAQ on retaining evidence
- Google Account Help — secure a hacked or compromised Google Account
Next Step: https://cyberspark.blog/2026/01/20/baseline-account-protection-settings-for-every-account/