Account Takeover: Signs, Recovery, Digital Evidence and Protection

Quick answer: Account takeover is when an attacker seizes control of your email, bank or social media account through a stolen password, phishing, SIM swap or malware. First steps: regain access, reset the password, sign out of all sessions and revoke unauthorized third-party apps, check email forwarding rules, and turn on multi-factor authentication, ideally with a passkey. If you are considering legal action, preserve screenshots, headers and records with chain of custody. According to Javelin, account takeover caused 15.6 billion dollars in losses in the US in 2024 alone and was the fastest-growing fraud type.

Once your account is taken over, the attacker does not just log in; they change the password, swap the recovery email to their own address, set up hidden forwarding rules and lock you out of your own account. So speed and the right order are everything.

Signs of a takeover

  1. Your password does not work or you cannot log in.
  2. You receive login notifications from unfamiliar devices and locations.
  3. There are messages, posts or money transfers you did not make.
  4. The recovery email or phone number has been changed.
  5. There is a forwarding rule in your inbox you did not create; attackers secretly copy your correspondence to their address.

First response, step by step

  1. Regain access. Use the platform's official recovery flow: instagram.com/hacked for Instagram, facebook.com/hacked for Facebook, g.co/recover for Google. As Google notes, wrong guesses will not kick you out of the recovery process, so do not hesitate to try.
  2. Clean the device. Before changing the password, scan your device with security software; if there is malware it will steal the new password too.
  3. Reset the password and make it unique. Also change the passwords of other accounts where you reused it.
  4. Delete forwarding rules. As the FTC stresses, delete forwarding rules in your email settings that you did not set up, so your messages are not copied to someone else.
  5. Sign out of all sessions and remove third-party access. Review the list of connected apps and devices.
  6. Turn on multi-factor authentication, ideally a passkey or app-based; see our password, 2FA and passkey guide.
  7. Fix recovery details. Verify that the recovery email and phone are yours again.

For platform-specific recovery, see our guides "My Instagram account was stolen" and "My WhatsApp account was taken over".

Digital evidence: preservation for legal action

If you will file a complaint or a lawsuit, preserving evidence correctly is essential. The NIST digital evidence preservation guide treats an online account as digital evidence and recommends preserving the chain of custody with standard check-in and check-out records and, where possible, making a copy of the evidence. In practice: take screenshots with the address and timestamp, save email headers, delete nothing, and where possible get an opinion from an independent digital forensics expert. For the legal framework see our guide on the digital forensics process, KVKK and chain of custody.
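The practice described above (work from a copy, hash it, and log every check-in and check-out) can be scripted. The following is an added example, not code from NIST or from this page's author; the log file name custody.jsonl, the event names and all function names are assumptions chosen for illustration.

```python
import hashlib, json, shutil
from datetime import datetime, timezone
from pathlib import Path

LOG_NAME = "custody.jsonl"  # assumed name for the custody record file

def sha256_file(path):
    # Reads the whole file; fine for screenshots and saved headers.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def _lines(evidence_dir):
    log = Path(evidence_dir) / LOG_NAME
    return log.read_text(encoding="utf-8").splitlines() if log.exists() else []

def record(evidence_dir, event, item, actor, note=""):
    """Append one custody entry, chained to the previous entry by its hash."""
    lines = _lines(evidence_dir)
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "event": event,  # "acquired", "check_out" or "check_in"
        "item": item,
        "actor": actor,
        "note": note,
        "sha256": sha256_file(Path(evidence_dir) / item),
        "prev": hashlib.sha256(lines[-1].encode()).hexdigest() if lines else None,
    }
    with open(Path(evidence_dir) / LOG_NAME, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def acquire(source, evidence_dir, actor, note=""):
    """Copy an original (screenshot, saved headers) into the evidence folder."""
    dest = Path(evidence_dir) / Path(source).name
    dest.parent.mkdir(parents=True, exist_ok=True)
    if dest.exists():
        raise FileExistsError(f"{dest.name} is already held; never overwrite evidence")
    shutil.copy2(source, dest)  # copy2 preserves the file's timestamps
    return record(evidence_dir, "acquired", dest.name, actor, note)

def verify(evidence_dir):
    """Return a list of problems: altered files or a broken log chain."""
    problems, prev = [], None
    for n, line in enumerate(_lines(evidence_dir), 1):
        entry = json.loads(line)
        if entry["prev"] != prev:
            problems.append(f"entry {n}: log chain broken")
        if sha256_file(Path(evidence_dir) / entry["item"]) != entry["sha256"]:
            problems.append(f"entry {n}: {entry['item']} differs from logged hash")
        prev = hashlib.sha256(line.encode()).hexdigest()
    return problems
```

Call acquire() once per saved file, record() each time the copy is handed over or returned, and verify() before the material is submitted; an empty list means the files and the log still match.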

The corporate dimension

A takeover of one employee's account puts the whole company at risk. In a public notice published by KVKK, a single employee account compromised by a voice phishing attack affected about 12,000 people. Organizations reduce this risk with phishing-resistant multi-factor authentication, identity and access management, session monitoring and staff awareness. For the basics see our guide "What is identity and access management". If a personal data breach occurred, KVKK requires notification within 72 hours.

Protection, point by point

  1. Use a unique, strong password per account and a password manager.
  2. Turn on multi-factor authentication, ideally a passkey.
  3. Stay alert to phishing and SIM swap; do not make SMS codes your only defense.
  4. Turn on login notifications and account alerts.
  5. Keep the recovery email and phone current and secure.
  6. Do not click suspicious links and attachments; keep your device updated.

Frequently Asked Questions

I cannot recover my account, what do I do? Complete the platform's official recovery flow and identity steps; if that fails, report to USOM and file with the prosecutor if there is financial loss.

Is a screenshot evidence in court? Weak on its own; it gains value with the address, timestamp, headers and chain of custody, and where possible an expert opinion.

Is changing the password enough? No. You must also clear forwarding rules, third-party access and recovery details, and turn on multi-factor authentication.

For corporate account security and post-incident forensics, contact DSET.