What to Do in the First 48 Hours After a Scam

Feb 10, 2026 / By Erin Ryan

When a client realizes they’ve been scammed, the next two days determine how much damage can be contained. This guide gives advisors a step-by-step protocol to share with clients facing fraud and covers reporting, financial lockdown, and emotional recovery.

The call comes in, and you hear it immediately in your client’s voice: panic, shame, confusion. “I think I just got scammed.”

What happens in the next 48 hours matters more than almost anything else. Quick action can freeze accounts, stop ongoing theft, and create a legal trail that might lead to recovery. Delayed action turns a contained incident into a cascading loss.

As their advisor, you are often the first professional they call. What you tell them in that moment can determine whether this fraud costs them thousands or tens of thousands.

Here’s the protocol every advisor should have ready.

Immediate steps to take

First instruction: Stop all contact with the scammer immediately. Block the phone number. Delete the email thread. Do not respond to “just one more message.” Scammers often return with follow-up schemes, sometimes posing as law enforcement or recovery services offering to get the money back for a fee.

Second: Secure the compromised accounts. If the scam involved financial accounts, call the institution immediately using a number from a previous statement, not from any recent communication. Request account freezes, password changes, and fraud alerts. This is the callback protocol in action: Never use contact information provided in a suspicious communication; always go to independently verified sources. As we covered in , the three-step verification—Stop, Search, Speak—applies even in crisis mode.

If gift cards or cryptocurrency were involved, contact the issuing platform (Google Play, Apple, the crypto exchange) and report the transaction, though recovery odds are low.

Third: Document everything. Screenshot emails, save voicemails, write down exact wording of phone conversations while memory is fresh. Note dates, times, amounts, and the names or titles the scammer used. This documentation becomes critical for law enforcement and potential recovery efforts.

Hours 2–24: Report and protect

File an official report with the FBI’s Internet Crime Complaint Center (IC3.gov). This creates a federal record and feeds into national fraud databases that help identify patterns and networks. It takes about 15 minutes and doesn’t require a lawyer.

Report to the Federal Trade Commission at ReportFraud.ftc.gov. The FTC doesn’t investigate individual cases, but mass reporting triggers enforcement actions against large-scale operations. Again, simple online form, minimal time investment.

Contact local police if the amount is substantial or if the scam involved in-person contact. Many departments now have cybercrime units. Even if they can’t recover funds, a police report number is often required for credit disputes and insurance claims.

Notify credit bureaus. Place a fraud alert with Equifax, Experian, or TransUnion (notifying one triggers alerts at all three). If personal information was compromised, you should freeze your credit immediately. Fraud alerts provide some protection, but a credit freeze locks down your credit completely: no one can open new accounts in your name until you lift it. Both are free, but freezes offer stronger protection.

Alert your financial institutions. Even if the scam didn’t directly involve their accounts with you, notify them. It protects both you and the client if follow-up attempts occur, and it documents your proactive response for compliance purposes.

Hours 24–48: Assess and rebuild

With the immediate crisis contained and official reports filed, the focus shifts from damage control to long-term protection.

Evaluate ongoing risk. Did the scammer obtain Social Security numbers, account passwords, or access to email? If yes, assume they’ll try to use that information elsewhere. Change passwords across all accounts, enable two-factor authentication, and monitor credit reports weekly for the next several months.

Check for secondary scams. Scammers often sell victim lists. Your client may soon receive calls from fake “fraud recovery” services, government impersonators, or new investment schemes. Warn them explicitly: “You’re now on a list. Expect more attempts. Apply the callback protocol to everything.”

If your client hasn’t established a family safe word with immediate family members, now is the time. As we described in The Five-Minute Holiday Conversation That Could Save Your Clients Thousands, a shared secret phrase prevents follow-up scams that use AI voice cloning to impersonate family members in manufactured emergencies. After being scammed once, clients become higher-value targets. The family password creates a verification checkpoint that works regardless of how convincing the impersonation sounds.

Document financial impact for tax purposes. Theft losses have limited deductibility under current tax law, but documentation matters for potential future recovery or legal action. Work with the client’s tax preparer to determine if any reporting is beneficial.

Address the emotional aftermath. Fraud victims experience shame, self-blame, and loss of confidence. As their advisor, a simple acknowledgment helps: “This happens to smart, careful people. It’s not a reflection on you.” Reassure them that taking these steps demonstrates good judgment, not gullibility.

Some clients will want to talk through what happened; others will want to move on quickly. Follow their lead, but make it clear you’re available for questions and that this doesn’t change your professional relationship.

The advisor’s role: Prepared, not paralyzed

You can’t undo the scam. But you can give clients a clear path forward when they’re overwhelmed and unsure who to trust.

Keep this protocol accessible: printed on a card in your desk, saved as a PDF you can email, or built into your client portal. When the call comes, you won’t need to research in real time. You’ll have immediate, credible guidance ready.

Frame it this way: “Here’s what we’re going to do in the next 48 hours. I’ll walk you through it.” Clients in crisis need clear steps, not choices. Deciding what to do next when you’re already overwhelmed just makes it worse.

This protocol works alongside the preventive measures we’ve outlined in previous guidance. The Q1 fraud prevention checklist helps clients avoid scams before they happen. The callback protocol and family safe word create verification barriers that stop fraud in progress. And this 48-hour response plan minimizes damage when prevention fails. Together, they form a complete defense system your clients can actually use.

Checklist: 48-hour fraud response protocol

Immediate (0–2 hours):

  • Block all contact with the scammer
  • Freeze compromised accounts using independently verified contact information
  • Document everything: screenshots, notes, amounts, dates

Within 24 hours:

  • File FBI IC3 report (IC3.gov)
  • File FTC report (ReportFraud.ftc.gov)
  • Contact local police if substantial loss
  • Notify credit bureaus (fraud alert or freeze)
  • Alert financial institutions

Within 48 hours:

  • Change all passwords, enable two-factor authentication
  • Warn client about secondary/recovery scams
  • Establish family safe word if not already in place
  • Document losses for potential tax/legal use
  • Provide emotional reassurance and ongoing support

IMPORTANT NOTICE
This material is provided exclusively for use by Horsesmouth members and is subject to Horsesmouth Terms & Conditions and applicable copyright laws. Unauthorized use, reproduction or distribution of this material is a violation of federal law and punishable by civil and criminal penalty. This material is furnished “as is” without warranty of any kind. Its accuracy and completeness is not guaranteed and all warranties express or implied are hereby excluded.

© 2026 Horsesmouth, LLC. All Rights Reserved.