For Families & Households

Scammed? Here’s Exactly What to Do — A 2026 Family Recovery Guide

Published May 15, 2026 · 10 min read · By the ScamDrill Team
Editorial cover with the headline ‘Scammed. What to do next.’ over a recovery-shaped ECG pulse trace and three stat blocks: $20.9B in 2025 US cybercrime losses, 7% reporting rate, and a 72-hour wire recall window

You realize it about ninety seconds after the call ends. The number was spoofed. The “bank fraud officer” was not from your bank. The wire you just approved is gone, and the polite voice that walked you through it is already calling the next person on a list.

Almost no one is ready for that moment. There’s no muscle memory for it. The FBI’s 2025 Internet Crime Complaint Center report logged $20.9 billion in reported losses across more than a million complaints last year — a 26% jump in a single year — and the FTC testified to Congress in March that consumer fraud losses hit a record $15.9 billion in 2025. An AARP survey released earlier this year found that 4 in 10 Americans have lost money to fraud at least once.

If you, your parent, or your kid just got hit, this is the guide you want pinned to the fridge. The first hour matters more than the next month, and a small number of moves — some boring, some unintuitive — pull most of the recoverable money back.

$679M frozen by the FBI’s IC3 Recovery Asset Team in 2025 across 3,900 incidents — a 58% success rate. The recoveries cluster in the first 72 hours after a wire is sent. After that, the money is almost always gone.
Source: FBI IC3 2025 Annual Report.

The first 60 minutes

Speed is the whole game. If a scammer just moved money from your account, every minute matters in a way that very few other emergencies behave like. Don’t shower, don’t Google “what should I do,” don’t call your kid. Do this:

  1. Call the bank or card issuer printed on the back of the card. Not the number the scammer gave you, not a number from a Google search. The bank can sometimes recall a wire, freeze an ACH, or open a Zelle dispute — but the window measures in hours.
  2. Write down what just happened in three sentences while it’s fresh. Names used, phone numbers, amounts, time. You’ll be asked for this five times in the next week and you will not remember it.
  3. Change the password on the affected account from a different device if you can. Use a real password manager if you have one; if you don’t, write the new one down on paper for now.
  4. Take screenshots of everything — the texts, the emails, the website URL, the caller ID. Don’t delete the messages. The bank, the FTC, and the FBI will ask.

If money moved by wire, ACH, or Zelle, the second call — ideally happening in parallel with someone else dialing the bank — is to the FBI’s Internet Crime Complaint Center at ic3.gov. Their Recovery Asset Team coordinates with receiving banks to freeze accounts before the money is laundered out. It is not a guarantee, but in 2025 they recovered roughly six of every ten dollars they got to in time.

Figure 01 — The recovery clock

FIG. 01 / THE RECOVERY CLOCK ScamDrill scamdrill.com What to do, in the order it matters. Every band of color is a recovery window. They get harder to use the longer you wait. MINUTE 0 — STOP THE BLEEDING Call the bank on the back of the card. Halt wires, freeze the account, dispute the charge. Best chance of getting cash back lives here. HOUR 1 — LOCK YOUR ACCOUNTS Reset email password first, then bank, then anything sharing that password. Turn on 2FA everywhere it’s offered. DAY 1 — REPORT IT, FORMALLY File at reportfraud.ftc.gov and ic3.gov. If ID was exposed, identitytheft.gov gives you a personalized recovery plan. WEEK 1 — FREEZE YOUR CREDIT Free at Equifax, Experian, TransUnion. Stops new accounts in your name. No effect on your credit score. WEEK 2+ — HEAL AND HARDEN Tell the family. Run a phishing drill. Expect the “recovery” scam call — it’s the second wave, every time. Sources: FBI IC3 2025 · FTC ReportFraud · identitytheft.gov · scamdrill.com

The first 24 hours

By the time you’ve called the bank and dialed IC3, you have one more job before you sleep: shrink the scammer’s footprint inside your life. Most scams compromise more than one thing. A fake-IRS call gets your card; a phishing email gets your password; a romance scam gets your trust and sometimes your ID photos. Treat the breach the way a doctor treats a wound: clean wider than where it bled.

Change passwords in the right order. Email first, always. If a scammer has your email, they can reset everything else, and they will. Then your bank, then anything sharing the same password (yes, all of them — use a password manager so you only have to do this once). Turn on two-factor authentication on email, bank, and any account holding money. Authenticator apps beat SMS codes; the FBI has been warning since 2024 that SIM-swap attacks are routinely defeating text-based 2FA.

Report the scam in the two places that matter. File at reportfraud.ftc.gov — that feeds the FTC’s Consumer Sentinel database, which is what state attorneys general and the FBI use to spot patterns. Then file at ic3.gov for the Recovery Asset Team. If any government-issued ID, Social Security number, or driver’s license image was shared, also file at identitytheft.gov, which generates a personalized recovery plan and pre-fills the dispute letters you’ll need.

Freeze your credit at all three bureaus. This is the single highest-leverage move you can make and almost no one does it. It’s free, takes ten minutes online, and the FTC reminded consumers in a September 2025 alert that it’s the only thing that reliably stops a fraudster from opening new accounts in your name. Lift it later in about a minute when you actually need credit. The bureaus: Equifax, Experian, TransUnion.

If gift cards were involved

Call the gift card issuer immediately — Apple, Google Play, Amazon, Target — even if the cards have been redeemed. Some issuers can claw back funds if the cards haven’t been spent yet. Save the cards and the receipts; the FTC has a gift-card scam guide with the specific issuer phone numbers. Recovery odds drop fast, but it’s worth the twenty minutes.

The first week

The urgent work is done. The longer work is making sure the same scam can’t re-enter through a different door.

Pull your credit reports. Free weekly at annualcreditreport.com. Look for accounts you didn’t open. If you find any, dispute them through the same FTC identity theft portal — the dispute letter generator is the part most people don’t know about.

Check the rest of the household. Scammers reuse phone numbers and SSNs the same way they reuse photos. If your phone number got harvested, your spouse’s may have been too. If a parent was hit, also check their statements for the kind of slow drain we wrote about in our piece on auditing an 80-year-old’s bank statements — the $19 monthly “tech support subscription” that’s been quietly running for two years is almost always the same incident.

Tell your family. The AARP and FTC both reported in late 2025 that fewer than half of fraud victims warn anyone, mostly because of shame. The data is unambiguous: families that talk about it openly have fewer second incidents, because the next scam call — and there is always a next call — gets answered with the family already on alert.

What you must NOT do

If your loved one was the one scammed

Most people reading this guide aren’t the victim themselves. They’re the adult child, the spouse, the friend. The data backs that up: adults 60+ reported $7.7 billion in losses last year, according to AARP’s analysis of the 2025 FBI numbers, and most of those cases get found and reported by family members.

Lead with empathy, not interrogation. The AARP Fraud Watch Network runs a free peer support group for victims and families and a helpline at 877-908-3360 staffed by people who’ve been through this. If the victim is an elderly parent, our 2026 family playbook covers the harder conversations — about Power of Attorney, about who picks up the phone — that almost always follow the first incident. If it was a romance scam, our romance scam guide has the exact language other families used when the “he’s real” conversation went badly.

Talk first. Audit second. The shame of being scammed is more dangerous than the scam itself, because it’s why the second one lands.

The drill that prevents the next one

The most uncomfortable thing about scams in 2026 is that nobody’s knowledge gap is the problem. Two-thirds of victims surveyed by AARP in April said they knew the warning signs — they just didn’t see them in time, because the call sounded plausible, or the text matched a real charge, or the “granddaughter” sounded exactly like the granddaughter. The fix is not more information. It’s reps.

Workplace security teams have known this for fifteen years: people get better at spotting phishing only after they’ve safely fallen for one. The same logic finally arrived at the kitchen table. Sending the family a few realistic, gentle simulations a month — toll-text smishing, a fake bank verification, a fabricated “package failed to deliver” alert — teaches the reflex in a way reading articles cannot. We wrote up the research in our family simulation guide if you want the full case.

Run a phishing drill on your family this weekend.

ScamDrill sends safe, realistic scam simulations to the people you love — texts, emails, even AI-voice scenarios — with an instant teachable moment when someone clicks. It’s the difference between reading about scams and actually noticing them.

Start free →

The pattern, in one line

You can’t out-research a scammer at 8:47 on a Tuesday night when they’re using your grandchild’s voice. What you can do is decide, today, that the first call is the bank, the second is IC3, the third is the credit bureaus, and that you’ll be telling your sister about it by Friday. That sequence is most of the difference between “we lost everything” and “we lost a Tuesday.”

Print this page. Stick it on the fridge. Hope you never need it.

Frequently asked questions

What is the very first thing to do if you or a family member just got scammed?

Call the bank or card issuer printed on the back of the card. If money already moved by wire, ACH, or Zelle, ask them to recall the transfer immediately. Reporting within 72 hours gives the FBI’s IC3 Recovery Asset Team and your bank the best chance of clawing the money back; in 2025 the IC3 froze $679 million across 3,900 incidents with a 58% success rate, but that drops sharply after the first three days. Do this before you do anything else — even before you tell anyone what happened.

Where do you actually report a scam in 2026?

Three places, in this order: your bank or card issuer (for the money), reportfraud.ftc.gov (so it feeds the FTC’s Consumer Sentinel database that powers law enforcement), and ic3.gov (the FBI’s Internet Crime Complaint Center, which handles wire fraud and cybercrime). If identity documents or Social Security numbers were exposed, also file at identitytheft.gov, which generates a personalized recovery plan and prefills the dispute letters.

Should you freeze your credit after a scam?

Yes, every time a scammer got financial details, a Social Security number, or any ID document. A credit freeze is free at all three bureaus (Equifax, Experian, TransUnion), takes about ten minutes, and stops new accounts from being opened in your name. It does not affect your credit score. Lifting it later is also free and takes about a minute online. The FTC has been pushing the credit freeze as the single highest-leverage move a fraud victim can make in 2025–2026.

Can you actually get scammed money back?

Sometimes yes, but only inside a short window. Credit card chargebacks have the strongest protections — you can usually dispute up to 60 days. Wire transfers and Zelle are the hardest to reverse: the FBI’s IC3 Recovery Asset Team and your bank can sometimes recall a wire if you call within 72 hours, but recovery becomes far less likely after that. Gift cards and crypto sent to a scammer are almost never recoverable, though reporting still helps law enforcement disrupt the operation.

What is a recovery scam and why is it so dangerous?

After someone gets scammed, a second scammer often follows up posing as an FBI agent, attorney, or “fraud recovery specialist” offering to get the money back for a fee. The FTC has warned that no legitimate paid private recovery service exists for consumer fraud losses; victims who paid one almost always lose that money too. If a stranger contacts you offering recovery help, especially after you posted about the scam on social media or Reddit, treat it as the second scam every time.

Keep reading

How to Protect Elderly Parents from Scams

The 2026 family playbook for adult children who want to help without taking over — including the harder conversations.

The AI Voice Cloning Scam

The 10-second rule and the safe-word habit that defuse the “stranded in Cancun” call before it works.

Internet Safety for Tweens and Teens: A 2026 Parent’s Guide

Pew found 95% of US teens use YouTube and nearly half are online “almost constantly.” An age-by-age guide to privacy, DMs, AI companions, and the household digital agreement that works.

Join our free newsletter to stay ahead of the scammers

Receive updates on monthly scam trends, along with best practices to protect yourself and those you care about.