
What to Do If Your Computer Was Hacked: 8 Immediate Steps

nico@preyhq.com
Nico P.
Oct 4, 2024

Your stomach drops the moment you realize it: someone has been in your computer. Maybe ransomware is demanding payment. Maybe your accounts were accessed from a location you’ve never been. Maybe your cursor just moved on its own.

The next hour matters. Here’s exactly what to do — in order — to contain the damage, secure your accounts, and prevent it from happening again.

Important: Don’t restart your computer yet. If ransomware is involved, a reboot can trigger file encryption and cause permanent data loss. Take screenshots of anything suspicious first, then follow the steps below.

8 Steps to Take Immediately If Your Computer Was Hacked

Step 1: Disconnect and quarantine the device

Cut the connection before anything else. Disconnect from WiFi and disable Bluetooth. If you’re on a wired connection, unplug the Ethernet cable. If this is a work computer, disconnect from the corporate network or VPN immediately.

Why hardware disconnect matters: sophisticated malware can mimic a disconnected state in software while still maintaining network access. Physically severing the connection is the only reliable method.

Also disconnect any USB drives or external hard disks — don’t just unplug them, eject them first through the OS to avoid data corruption. These devices may also carry copies of the malware.

Step 2: Change your passwords — from a different device

Do not change passwords from the compromised computer. If a keylogger is installed, the attacker will capture every character you type — including your new passwords.

Use your phone or another computer you trust. Change in this order:

  1. Your primary email account — it controls password resets for almost everything else
  2. Financial accounts — banking, PayPal, Venmo, investment accounts
  3. Work accounts — email, VPN, cloud services
  4. Everything else — social media, subscriptions, any service that stores payment info

Every account should get a unique password. A password manager (Bitwarden, 1Password, or Dashlane) eliminates password reuse risk going forward.

Step 3: Enable two-factor authentication on all accounts

Once passwords are changed, add 2FA to every account that supports it. Use an authenticator app (Google Authenticator, Authy, or Microsoft Authenticator) rather than SMS whenever possible — SMS codes can be intercepted via SIM-swapping attacks. Prioritize email, banking, and work accounts first.

Step 4: Run a full malware scan

Run a full system scan with a trusted anti-malware tool. Malwarebytes offers a reliable free version. If you already have antivirus software, update its definitions before scanning.

Don’t rely on manual file deletion — malware often hides in multiple locations or regenerates from fragments left on the drive. If the scan flags files, quarantine or delete them and review results carefully before reconnecting to the internet.

Step 5: Protect your financial accounts

Contact your bank and credit card companies to flag potential unauthorized activity. Report any fraudulent transactions, cancel compromised cards, and request replacements.

Consider placing a credit freeze with Equifax, Experian, and TransUnion. A freeze prevents new credit accounts from being opened in your name until you lift it — it’s free under US law and the most effective protection against identity theft following a breach.

Monitor your accounts closely for at least 90 days. Hackers often wait before using financial data to avoid triggering fraud detection.

Step 6: Notify your contacts

Hackers use your compromised accounts to spread attacks to people who trust you. Alert your contacts — by phone if possible — to ignore any messages “from you” that contain links, attachments, or requests for money.

Also check your email for forwarding rules or filters you didn’t create: attackers often set these up to silently receive copies of your incoming mail without alerting you.
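For a work mailbox hosted in Microsoft 365, the forwarding-rule check above can be done from a clean machine with Exchange Online PowerShell. The script below is an added example, not code from the original post or from Prey; it assumes the ExchangeOnlineManagement module is installed and that you can sign in as the mailbox owner or an Exchange administrator, and the address it uses is a placeholder.

```powershell
# Added example (not from the original post): audit an Exchange Online mailbox for
# inbox rules and mailbox-level forwarding that the owner did not create.
# Assumes the ExchangeOnlineManagement module is installed; 'user@example.com' is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'user@example.com' -ShowBanner:$false

$Mailbox = 'user@example.com'   # placeholder: the mailbox being audited

# Inbox rules that forward, redirect, or silently delete mail are the usual post-compromise
# persistence trick. Moving mail into a rarely viewed folder (RSS, Archive, Junk) is a
# heuristic for the same thing; review hits by hand rather than trusting the match.
$Suspicious = Get-InboxRule -Mailbox $Mailbox |
    Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
        $_.DeleteMessage -or ($_.MoveToFolder -match 'RSS|Archive|Junk')
    }

$Suspicious | Format-List Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo,
                          DeleteMessage, MoveToFolder, StopProcessingRules

# Mailbox-level forwarding is configured separately from inbox rules and is easy to miss.
Get-Mailbox -Identity $Mailbox |
    Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# Once the output above is saved as evidence, remove a rogue rule by name, for example:
# Remove-InboxRule -Mailbox $Mailbox -Identity '<rule name>' -Confirm:$false
```

Save the listing before deleting anything; the rule names, targets and creation details are part of the incident record and tell you which external address the attacker was using.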

If this is a work device, notify your IT department immediately. A compromised work computer is a potential entry point into your entire organization’s network.

Step 7: Wipe and reinstall if the infection is deep

If the malware scan finds persistent threats, or if you have reason to believe the compromise was severe (ransomware, rootkit, remote access tools), the safest path is a clean reinstall of the operating system.

Back up your files first — ideally to an external drive or cloud storage that wasn’t connected when the hack occurred. Then wipe the drive and reinstall the OS from scratch using official media. After reinstalling, restore only documents and media files — not application files. Reinstall applications fresh from trusted sources.

Step 8: Secure your system going forward

Once your device is clean, close the gaps that allowed the hack in the first place:

  • Enable automatic OS and software updates. Most successful attacks exploit unpatched vulnerabilities.
  • Install and maintain antivirus software with automatic updates and weekly scheduled scans.
  • Keep your firewall on. Windows Defender Firewall and macOS Firewall are both effective and free.
  • Disable remote access if you don’t need it. RDP (Remote Desktop Protocol) is a common attack vector — turn it off unless required.
  • Be skeptical of every link and attachment. Phishing is the #1 delivery mechanism for malware. Verify before you click.
  • Use a VPN on public WiFi. Never access banking or sensitive accounts on untrusted networks.
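On a Windows machine the first five items above can be checked and corrected from an elevated PowerShell prompt. The script below is an added example, not code from the original post or from Prey; it uses only built-in Windows cmdlets (NetSecurity, Defender, and the registry provider) and assumes Microsoft Defender is the antivirus in use. It reports first and only changes settings when `$Apply` is set to `$true`.

```powershell
# Added example (not from the original post): report on, and optionally close, the gaps
# listed above on a Windows machine. Run from an elevated PowerShell prompt on the cleaned device.
$Apply = $false   # set to $true to apply the fixes instead of only reporting

# 1. Firewall: all three profiles (Domain, Private, Public) should be enabled, inbound blocked by default.
$Profiles = Get-NetFirewallProfile
$Profiles | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize
$Disabled = $Profiles | Where-Object { -not $_.Enabled }
if ($Disabled -and $Apply) {
    $Disabled | Set-NetFirewallProfile -Enabled True -DefaultInboundAction Block
}

# 2. Remote Desktop: fDenyTSConnections = 1 means RDP is off. Also close the firewall rules for it.
$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpEnabled = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
"Remote Desktop enabled: $RdpEnabled"
if ($RdpEnabled -and $Apply) {
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

# 3. Microsoft Defender: real-time protection on, signatures recent, last full scan date.
$Mp = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $Mp.RealTimeProtectionEnabled
    SignatureAgeDays   = $Mp.AntivirusSignatureAge
    LastFullScan       = $Mp.FullScanEndTime
}
if ($Apply -and $Mp.AntivirusSignatureAge -gt 1) { Update-MpSignature }

# 4. Windows Update: the service must not be disabled, or automatic updates never run.
Get-Service -Name wuauserv | Select-Object Name, Status, StartType
if ($Apply -and (Get-Service -Name wuauserv).StartType -eq 'Disabled') {
    Set-Service -Name wuauserv -StartupType Manual
}

# 5. Weekly scheduled full scan, using Defender's own scheduling preferences.
if ($Apply) {
    Set-MpPreference -ScanParameters FullScan -ScanScheduleDay Sunday -ScanScheduleTime 03:00:00
}
```

Run it once in report mode, read the output, then run it again with `$Apply = $true`. If you rely on RDP for legitimate remote work, skip item 2 and instead restrict the "Remote Desktop" firewall rules to the addresses that need access.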

Should you report a computer hack?

Yes — especially if financial fraud or sensitive data was involved.

  • FBI IC3 (ic3.gov) — report cybercrime, ransomware, financial fraud, and identity theft
  • FTC (ReportFraud.ftc.gov) — report identity theft and get a personalized recovery plan
  • Your state attorney general — many US states have specific breach notification requirements
  • Your employer’s IT or legal team — if a work device or corporate data was involved, breach notification obligations may apply

Keep records of everything: screenshots of suspicious activity, malware scan results, unauthorized transactions. These are needed for insurance claims, legal action, and regulatory reporting.

For IT teams: what to do when a managed device is compromised

When a device in a managed fleet is compromised, the response needs to move faster and further than individual remediation.

  • Isolate the device from the corporate network immediately — ideally via remote policy if the device is off-site
  • Remotely lock the device to prevent further access, and trigger a remote wipe if sensitive data is at risk
  • Audit other devices for lateral movement — a single compromised endpoint can be the entry point for a broader network breach
  • Rotate credentials for any shared accounts or services the device had access to
  • Document the incident for compliance reporting

Device management platforms like Prey give IT teams the ability to remotely lock, wipe, and track compromised devices — and monitor the full fleet for anomalous behavior before a single breach spreads.

Frequently Asked Questions

Can I use my computer while it’s being hacked?

Stop using it immediately for anything sensitive. Don’t log into accounts, make purchases, or open emails on the compromised device. Use your phone or another clean device for anything that requires credentials until the machine is fully cleaned.

Someone was remotely controlling my computer — what do I do?

Disconnect from the internet immediately to cut off the attacker’s remote access. Check your installed programs for remote access software you didn’t install yourself: legitimate remote-control tools such as AnyDesk and TeamViewer are commonly abused by attackers, and a Remote Access Trojan (RAT) may be present as well. Run a full malware scan, change all passwords from a clean device, and consider a full OS reinstall.

My computer was hacked and files are encrypted — is it ransomware?

Likely yes. Don’t pay the ransom — payment rarely guarantees file recovery. Disconnect immediately, report to the FBI’s IC3, and check NoMoreRansom.org for free decryption tools. If backups exist, restore from a clean backup after wiping the drive.

How do I know if the hacker is still in my computer?

Signs of active compromise: mouse cursor moving on its own, programs opening without your input, webcam light activating, unusual network traffic, or processes in Task Manager you don’t recognize. Disconnecting from the internet cuts off most active remote access immediately.
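The signs above can be checked more systematically than by eyeballing Task Manager. The script below is an added example, not code from the original post or from Prey; it is a read-only triage for a Windows machine, built from standard cmdlets, that lists live network connections with the process behind each, flags running programs that are unsigned or run from user-writable folders, and dumps the usual auto-start locations. Run it elevated after you have disconnected; the transcript path it writes to is an assumption you can change.

```powershell
# Added example (not from the original post): read-only triage of a Windows machine for
# the signs of active compromise listed above. Changes nothing; saves the output as evidence.
$Report = "$env:USERPROFILE\Desktop\triage-$(Get-Date -Format yyyyMMdd-HHmmss).txt"  # assumed location
Start-Transcript -Path $Report | Out-Null

# 1. Established TCP connections joined to the owning process and its executable path.
Get-NetTCPConnection -State Established |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            PID     = $_.OwningProcess
            Process = $p.ProcessName
            Path    = $p.Path
        }
    } | Sort-Object Process | Format-Table -AutoSize

# 2. Running executables that are not validly signed, or that run from user-writable locations.
#    Unsigned is not proof of malice, but it is where to look first.
Get-Process | Where-Object Path | Select-Object -Unique Path |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        if ($sig.Status -ne 'Valid' -or $_.Path -match '\\Users\\|\\Temp\\|\\AppData\\') {
            [pscustomobject]@{
                Path      = $_.Path
                Signature = $sig.Status
                Publisher = $sig.SignerCertificate.Subject
            }
        }
    } | Format-Table -AutoSize

# 3. Auto-start entries: Run keys and startup folders, plus scheduled tasks that fire at logon or boot.
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User | Format-Table -AutoSize
Get-ScheduledTask | Where-Object {
        $_.State -ne 'Disabled' -and
        ($_.Triggers | Where-Object { $_.CimClass.CimClassName -match 'LogonTrigger|BootTrigger' })
    } |
    Select-Object TaskName, TaskPath,
        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Format-Table -AutoSize

# 4. Processes listening for inbound connections: remote-control software, legitimate or not, shows up here.
Get-NetTCPConnection -State Listen |
    ForEach-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } |
    Sort-Object -Unique

Stop-Transcript | Out-Null
"Triage saved to $Report"
```

Anything in section 1 or 4 you cannot explain, or anything in section 2 or 3 launched from a Temp or AppData folder, is what to hand to IT or to a professional; keep the saved transcript with your screenshots and scan results.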

Will factory resetting my computer remove a hack?

For most hacks, yes. A factory reset wipes the OS and all installed software, removing most malware. However, some advanced rootkits can survive a standard reset by embedding in firmware. A clean OS reinstall from official media is more reliable for severe infections.

Should I call a tech support number that appeared on my screen?

No. Pop-ups claiming your computer is infected and displaying a phone number are a scam. Calling them gives attackers access to your machine. Close the browser tab (force-quit if it’s locked). Run a real malware scan with a tool you downloaded yourself from a trusted source.

How long does it take to fix a hacked computer?

A basic response — disconnect, password change, malware scan — takes 1–3 hours. A full OS reinstall can take a day. The timeline depends on severity: adware is fast to remove; ransomware or deep rootkit infections require more time and potentially professional help.

What if my work computer was hacked?

Notify your IT department immediately — don’t try to fix it yourself first. A work device has access to corporate systems, and the response must include isolating the device, auditing for lateral movement, and potentially triggering incident response protocols.

Takeaways

Speed is everything when a computer gets hacked. The faster you cut the connection, secure your accounts, and scan the machine — the less damage an attacker can do.

The 8 steps above cover the immediate response. But recovery doesn’t end there: monitor your financial accounts for 90 days, enable 2FA everywhere, and close the gaps that allowed the breach.

For organizations managing device fleets, reactive remediation isn’t enough. Real-time device monitoring, remote lock and wipe capability, and credential monitoring give IT teams the ability to respond before a single compromise spreads across the network.
