A week of writing about voice clones, breaches, and supply-chain attacks helps the people who haven't been hit yet.

This one is for the people who have.

Maybe you wired the money. Maybe you clicked the link and entered the password. Maybe you let someone "from Microsoft" onto your computer six months ago and only now does it feel wrong.

There's a specific order to do things in. And there's a thing most people do first that makes the rest harder.

Don't do this first

Don't delete anything.

Not the emails. Not the text messages. Not the call log. Not the downloaded file. Not the browser history.

The instinct is understandable. Something feels dirty and you want it gone. But that material is the only evidence of what actually happened for your bank, your credit card company, the police if it comes to that, and for me if you bring it to me.

Take screenshots before you do anything else. Of the email, the text, the caller ID, the payment confirmation, the website you ended up on. Photos with your phone are fine.

Then keep going.

The order that actually matters

1. Stop the bleed.

If money is moving right now, that's the first call. Bank or credit card, whichever you used. Use the number on the back of the card, not from the email, not from Google. The back of the card.

Tell them what happened in one sentence: "I sent money to someone I now believe was a scammer. I need to stop the transfer and dispute the charge."

If it was a wire transfer, ask specifically about a recall. Some banks will try; many won't, but the answer is faster when you ask early. The first hour matters more than the next twenty-four.

If it was gift cards, call the card issuer (the number is on the back of the card or on their website). Cards that haven't been redeemed yet can sometimes be frozen.

If it was cryptocurrency, the money is almost certainly gone - but document the transaction anyway. Some platforms cooperate with law enforcement and the record matters.

2. Lock down the door they came through.

If you clicked a link and entered a password, change that password on every site where you used the same one. (This is why password reuse is the silent risk under every other scam.)

If you let someone remote into your computer, turn off the computer and don't turn it back on until someone can look at it. Anything that's still running is potentially still under their control.

If you gave out a code from a text message, call the company that sent the code. "I gave out my verification code to someone I shouldn't have. Please secure my account."

3. Report it.

Three places, in this order:

The company that was impersonated. (If a scammer pretended to be your bank, the bank wants to know. Their fraud department has seen the playbook.)

The FTC at reportfraud.ftc.gov. Three minutes online. This is the closest thing the U.S. has to a central scam database.

The FBI's Internet Crime Complaint Center at ic3.gov. If real money is involved, especially over $1,000, this one matters - it's how cases get linked across victims, which is sometimes the only way the bigger groups get caught.

For Mainers specifically: the Maine Attorney General's Consumer Protection Division maine.gov/ag/consumer-protection will take a complaint as well. They occasionally have leverage that federal agencies don't.

4. Watch what gets touched next.

The scam you noticed is rarely the only thing they tried. For the next 90 days, treat your phone and your inbox as actively targeted:

• Strange login alerts from services you haven't used in months
• Two-factor codes arriving for accounts you didn't try to log into
• New mail-forwarding rules in your email (this is the most common silent move)
• Credit-card alerts from cards you didn't use that day

If you see any of those, that's a real signal. Act on it.

A credit freeze with all three credit bureaus is free and reversible. If anything financial was exposed, do it the same day. It's the single highest-leverage thing you can do, and it's the one most people skip because it feels excessive.

It Can Happen to Anyone

You're not stupid. You didn't fall for something obvious.

The scams that work in 2026 work because they're well-designed. The voice on the phone is your daughter's voice. The email logo is the right logo. The website does look exactly like Canvas. The person on the other end has done this five times today and knows exactly what to say.

The shame is the thing that lets the next round of it happen. People who feel humiliated don't tell their family, don't report it, don't change the password.

Telling someone is how you take that away.

If you want help walking through it

I do this work without judgment. A remote session is the fastest way to find out exactly what was touched, what wasn't, what to clean up, and what to leave alone. Most of these end up being smaller than they feel — and the relief of knowing is worth the call.

Schedule a remote session → | Request a callback →

That wraps the week. Voice clones, the Canvas breach, the Axios supply-chain story, the unifying playbook, and today — what to do when the playbook came a week too late.

The newsletter goes out this afternoon with the one-page printable that pulls it all together. If you haven't subscribed yet, this is the email to start with.