Response

Recovery and incident first actions: plan the bad half hour

Prevention matters. So does getting back in, preserving evidence and stopping a bad moment from becoming a month-long admin disaster.

Short version

Protect email, phone number, backup codes, password-manager recovery and backups. Test one restore before it matters.

Source imagery

Illustrations (Wikimedia Commons): FIDO2 USB token, network firewall appliance, YubiKey 5C NFC security key.

First-30-minutes builder

The bad half hour needs a script

Most recovery mistakes happen while people are stressed: approve the prompt, wipe the phone, reset from the infected laptop, forget the telco. Pick the incident, then build the first moves.

  1. 0-5 min, Stop the reflex (ready): Deny the prompt. Do not tap approve just to make the phone shut up.
  2. 5-15 min, Move to clean ground (ready): Use a trusted phone or laptop for resets and session revocation.
  3. 15-30 min, Lock the master keys (ready): Email, phone, password manager and backup codes give you ways back in.
  4. First day, Record and review (needs prep: phone number is still soft): Panic-wiping can erase the facts you need later.

Account-priority checklist

Fix the reset chain in this order

Email and the vault come first because they control most resets. Banking comes before nice-to-have accounts.


  1. Email: reset links, alerts and forwarding rules (start here)
  2. Password manager: vault access, recovery key and emergency kit (ready)
  3. Phone / telco: SIM, port-out lock and account PIN (soft spot)
  4. Banking: sessions, cards, payees and dispute trail (capture first)
  5. Apple / Google / Microsoft: device trust, cloud files and recovery methods (recoverable)
  6. Cloud / social / utilities: photos, messages, shopping and household bills (after master keys)

Fridge-door recovery card

Print it before anyone needs it

This is the calm-room version. Put it somewhere boring and reachable before a phone is lost.

Best use: print one copy, then add the clean device, telco number and recovery-code location by hand.

  1. Do not approve weird prompts. Deny it. If you did approve, say so. That fact changes the next move.
  2. Use a clean device. Reset from a device you trust, not the laptop or phone that may be part of the problem.
  3. Secure email and the vault first. They control the reset chain. Revoke sessions and check forwarding, recovery methods and new devices.
  4. Protect phone, bank and cloud. Call telco and bank through known numbers. Then review Apple, Google, Microsoft, cloud and social accounts.
  5. Keep evidence before cleanup. Save screenshots, times, sender details, device names, case numbers and transaction IDs before wiping.
  6. Write down the boring fixes. Recovery codes, backup key, telco PIN, trusted contact and one tested file restore.

Plan for: Strange MFA prompt

  • Do not approve the prompt.
  • Change the account password from a clean device.
  • Revoke sessions, then check recovery email, phone and forwarding rules.


Explain the jargon

Small terms, big consequences

Each term gets the plain-English version and the practical move. No fake mystique, just the bit that changes what you do at home.

Clean device

A device you do not suspect is compromised. It might be another phone, a patched family laptop or a freshly reset machine.

Do this: Use it for password resets and session revocation when the main device may be infected or stolen.

Recovery codes

One-time backup codes that get you back into an account when the usual MFA device is gone.

Do this: Store them somewhere safe before the bad day. Do not leave recovery dependent on one phone.

Evidence first

Screenshots, timestamps, sender details and device names can matter for banks, telcos, work and police reports.

Do this: Capture facts before panic-wiping, unless safety or policy requires immediate isolation.

Three short household checklists follow.

Do this

  • Protect telco accounts with strong passwords, MFA and port-out controls where available.
  • Store backup codes and password-manager recovery safely.
  • Test restoring one normal file.
  • Know how to revoke sessions and reset from a clean device.
  • Capture screenshots, timestamps and device details before panic-wiping.

Check

  • Can email recover without the main phone?
  • Are telco controls enabled?
  • Can you restore a file?
  • Are codes reachable?
  • Does family know what a strange MFA prompt means?

Avoid

  • Recovery depending on one phone.
  • Approving strange MFA prompts to quiet them.
  • Destroying evidence before fraud/work impact is assessed.

Self-check questions

Questions that expose the real habit

Use these quick checks to find the next practical fix. The useful answer is not perfect security; it is whether the safer path is obvious when someone is tired, embarrassed or in a hurry.

Use the first uncomfortable answer as the next household fix, not as a lecture.


Bad-half-hour rehearsal

If a weird MFA prompt, lost phone or bank challenge happened tonight, who gets the card and which clean device is used first?

Good sign: The household knows not to approve prompts, where the recovery card lives and which device starts the reset chain.

Watch for: A plan that only one person remembers is not a household plan.


Evidence before cleanup

What screenshots, timestamps, sender details, case numbers or device names should be captured before resetting or wiping?

Good sign: Facts are saved safely before cleanup, unless immediate isolation is needed for safety or policy.

Watch for: Panic wiping can remove exactly what banks, telcos, work or police need to understand the incident.


Reset-chain drill

Can you secure email, vault, phone/telco, banking and cloud in that order without relying on the missing or suspect device?

Good sign: Backup codes, recovery routes and session-revocation steps exist outside the main phone.

Watch for: If every recovery path points back to one phone, losing that phone becomes losing the map.

Full guidance

More than a slide title

A timeline for the first 30 minutes and the first day, plus the short recovery card worth saving before panic starts.

These notes are the deeper explanation behind the cards above, not a wall to skim in one go.

  1. First 30 minutes: Use a clean device, change the most important password first, revoke sessions, contact bank/telco/work if relevant, and preserve evidence.
  2. First day: Review account recovery settings, connected devices, mail forwarding rules, payment changes and cloud sharing.
  3. Backups: Cloud sync is not the same as backup. Deletion and ransomware can sync too. Keep a second copy for files that matter.
  4. Email first, then the accounts it can reset: Most household recovery paths route through email. If email is exposed, changing a bank, social or cloud password may not hold because the attacker can still receive reset links. Secure email from a clean device, revoke sessions, check forwarding rules, then move down the account list.
  5. Telco and identity recovery are admin jobs, not panic jobs: A phone number can sit behind MFA prompts, bank checks and password resets. If the SIM, number or identity documents are involved, slow down enough to record times, contact the provider, report where appropriate, and protect the document trail. Panic-wiping the only evidence helps the wrong person.
  6. Account-priority checklist: Recover in an order that breaks reset chains: email, password manager, phone/telco, banking, Apple/Google/Microsoft, cloud storage, social media, shopping and utilities. For each one, revoke sessions, check forwarding or delegated access, replace weak recovery methods and capture any suspicious changes before cleaning up.
  7. The fridge-door version: A household under stress does not need a lecture. It needs six plain moves: deny strange prompts, use a clean device, secure email and the vault, protect phone/bank/cloud, keep evidence, then write down the boring fixes for next time. Save that card before anyone needs it.
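The dependency reasoning behind the reset-chain drill and notes 4 and 6 (secure the account that can reset the others first; do not let every route point back at one phone) can be made mechanical. This added Python example is not part of the original page: it models a constructed household's recovery routes, derives a reset order in which each account is secured before any account it can reset, and lists the single points of failure. The account names, the routes in RECOVERY, the ITEMS set and the PREFERENCE tie-break are all assumptions for illustration.

```python
import heapq

# Constructed household (not real data): account -> what can reset or unlock it.
RECOVERY = {
    "email": ["phone", "backup-codes"],
    "password-manager": ["email", "emergency-kit"],
    "telco": ["phone"],                 # no account PIN set yet: the soft spot
    "bank": ["email", "telco"],         # bank checks route through the phone number
    "google": ["email", "phone"],
    "social": ["google"],
}
ITEMS = {"phone", "backup-codes", "emergency-kit"}   # physical things, not accounts
PREFERENCE = ["email", "password-manager", "telco", "bank", "google", "social"]  # tie-break

def recoverable(name, lost, recovery=RECOVERY, items=ITEMS, _seen=frozenset()):
    """True if `name` still has a way back in that avoids every item in `lost`."""
    if name in items:
        return name not in lost
    if name in _seen:           # cycle guard: a route back through itself proves nothing
        return False
    seen = _seen | {name}
    return any(recoverable(m, lost, recovery, items, seen) for m in recovery.get(name, ()))

def single_points_of_failure(recovery=RECOVERY, items=ITEMS):
    """For each account, the items whose loss alone would leave it unrecoverable."""
    return {a: sorted(i for i in items if not recoverable(a, {i}, recovery, items))
            for a in recovery}

def reset_order(recovery=RECOVERY, preference=PREFERENCE):
    """Secure each account before any account it can reset (Kahn's topological sort)."""
    rank = {a: i for i, a in enumerate(preference)}
    resets = {a: [] for a in recovery}      # resetter -> accounts it can reset
    indeg = {a: 0 for a in recovery}        # accounts that can still reset this one
    for acct, methods in recovery.items():
        for m in methods:
            if m in recovery:               # account-to-account edges only
                resets[m].append(acct)
                indeg[acct] += 1
    ready = sorted((rank.get(a, len(rank)), a) for a in recovery if indeg[a] == 0)
    order = []
    while ready:                            # a sorted list is already a valid heap
        acct = heapq.heappop(ready)[1]
        order.append(acct)
        for nxt in resets[acct]:
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                heapq.heappush(ready, (rank.get(nxt, len(rank)), nxt))
    if len(order) != len(recovery):         # two accounts that only reset each other
        raise ValueError("recovery loop: add a route that leaves the loop")
    return order
```

For this sample, reset_order() returns email, password-manager, telco, bank, google, social, and single_points_of_failure() flags only telco, whose single route is the phone; drop "backup-codes" from the email entry and losing the phone takes email, telco, bank, google and social with it.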

Scenario

Three real-world messes, one at a time


Strange MFA prompt

A login prompt appears while nobody is logging in.

Better response

  • Do not approve
  • Change password from clean device
  • Revoke sessions

Worse habit

Approving it because the notification is annoying.


Email account feels wrong

A password reset email appears, mail is missing, or friends receive odd messages from the account.

Better response

  • Secure email first from a clean device
  • Check forwarding rules and recovery settings
  • Revoke active sessions
  • Then reset high-value linked accounts

Worse habit

Changing a few visible passwords while the email account still controls resets.


SIM or identity trouble

The phone loses service, bank checks fail, or a provider says account details changed.

Better response

  • Contact the telco through a known-good channel
  • Record times, screenshots and case numbers
  • Contact banks and key accounts
  • Report identity theft where needed

Worse habit

Assuming it is a reception problem while reset codes and bank checks keep routing through the number.