The first hours after an online scam are often wasted on arguments with the person who took the money.
Victims continue messaging the broker, answer calls from the “security department,” wait for a promised withdrawal or send one more payment described as a tax, insurance fee or account-verification charge. By the time they contact their bank, exchange or police, important opportunities may already have disappeared.
My approach is different: once the facts begin to look suspicious, stop trying to persuade the other side and start protecting the evidence, accounts and payment trail.
There is no universal procedure that guarantees the return of money. Bank transfers, card payments and cryptocurrency transactions all follow different rules. The correct response also depends on whether the fraudster obtained only money, or also received passwords, identity documents, remote access or control of an online account.
The following sequence is designed to reduce further damage and give banks, exchanges, regulators and law-enforcement agencies something concrete to examine.
The First Rule: Do Not Send Any More Money
Stop all payments immediately.
Do not pay a newly invented:
- withdrawal tax;
- account activation fee;
- insurance charge;
- anti-money-laundering deposit;
- blockchain verification payment;
- liquidity fee;
- security deposit;
- commission for a financial partner;
- payment to unlock an account.
A platform may claim that the next transfer is the final requirement. In practice, fraud schemes often continue creating new obstacles for as long as the victim remains willing to pay.
Do not move money to a supposed “safe account” provided during an unsolicited call. Consumer authorities repeatedly warn that requests to transfer funds for protection are a common impersonation technique.
Step 1: Contact the Bank or Payment Provider Immediately
The bank, card issuer, payment application or cryptocurrency exchange should be contacted before you spend hours preparing a long complaint.
Ask for the fraud department, not ordinary customer support.
Explain:
- that the payment may be connected to online fraud;
- the date and amount;
- the recipient or merchant;
- the payment method;
- whether further transactions are pending;
- whether the fraudster obtained your banking credentials.
Official guidance from consumer and cybersecurity authorities consistently recommends contacting the financial institution immediately. Depending on timing and payment type, the provider may be able to stop a pending transaction, freeze an account, block a card or begin an investigation.
If you paid by bank transfer
Ask the bank to:
- attempt a recall;
- contact the receiving bank;
- flag the beneficiary account;
- preserve the transfer information;
- open a fraud case;
- provide a case or reference number.
Do not assume that an authorised transfer cannot be reported. Even when the customer approved the payment, the bank still needs to know that deception may have been involved.
If you paid by card
Contact the card issuer and ask whether the payment can be disputed.
Provide:
- the transaction date;
- merchant descriptor;
- amount;
- evidence of what was promised;
- correspondence showing that the service was not provided;
- withdrawal refusals or additional payment demands.
The outcome depends on the card scheme, transaction type, evidence and applicable deadlines. Avoid promising yourself that a chargeback is automatic.
If you used a payment application
Report the recipient inside the application and contact the provider’s fraud team. Save the account name, user ID, receipt and transaction reference before the account disappears.
If you transferred cryptocurrency
Contact the exchange or service from which the crypto was sent.
Provide:
- transaction hash;
- destination wallet address;
- cryptocurrency type;
- network;
- amount;
- exact date and time;
- recipient platform;
- any related exchange account or deposit address.
The FBI identifies wallet addresses, transaction hashes, cryptocurrency amounts, types, dates and times as important evidence in crypto-fraud reports.
A blockchain transaction normally cannot simply be reversed, but the sending exchange may still preserve records, identify an internal account, flag a destination or respond to a lawful request.
Step 2: Stop Communication With the Suspected Offender
Do not continue arguing, threatening or announcing that you are preparing a police complaint.
Stop:
- answering calls;
- opening links;
- installing applications;
- sharing screens;
- sending documents;
- providing verification codes;
- clicking password-reset messages;
- negotiating additional payments.
Cybersecurity guidance recommends ending communication with the offender after a scam and reporting the account used to make contact.
Blocking the contact is useful, but first preserve the conversation and profile information.
Step 3: Save the Evidence Before It Disappears
A useful complaint is not based on a sentence such as:
“The platform stole my money.”
Authorities and payment providers need a timeline supported by records.
Create a folder and preserve:
Platform information
- company name;
- trading name;
- website address;
- login page;
- mobile application;
- every known domain and subdomain;
- claimed licence number;
- office address;
- telephone numbers;
- email addresses.
Payment information
- bank receipts;
- card statements;
- payment-application receipts;
- beneficiary name;
- account number or IBAN;
- SWIFT or routing details;
- cryptocurrency wallet addresses;
- transaction hashes;
- exchange confirmations.
Communication
- emails;
- messaging-app chats;
- SMS messages;
- call logs;
- account-manager names;
- voice messages;
- video-call invitations;
- support tickets.
Account evidence
- account balance;
- transaction history;
- withdrawal status;
- rejected requests;
- blocked-account messages;
- demands for additional payments;
- altered terms.
Save full screenshots that show dates, website addresses and account details. Cropped images may remove the context needed to verify what happened.
Step 4: Write a Short Chronology
Do not begin with a 20-page emotional narrative.
Create a timeline:
- 12 May: account opened after contact through social media;
- 14 May: first payment of €2,000;
- 20 May: additional payment of €3,500;
- 27 May: withdrawal requested;
- 29 May: platform demanded a 10% verification fee;
- 30 May: access to the account was restricted;
- 1 June: support stopped responding.
This format allows a bank, investigator or regulator to understand the case quickly.
At the top, add:
- total amount transferred;
- payment methods;
- total amount recovered, if any;
- company and domain;
- country claimed by the company;
- suspected licence;
- current account status.
Step 5: Secure Your Email First
The email account is often the key to everything else.
A fraudster with access to email may be able to reset:
- online banking;
- exchange accounts;
- social-media profiles;
- cloud storage;
- shopping accounts;
- payment applications.
Change the email password from a trusted device. Use a password that has never been used elsewhere.
Then:
- enable two-factor authentication;
- review recovery email addresses;
- review recovery telephone numbers;
- check forwarding rules;
- check logged-in devices;
- remove unfamiliar sessions;
- inspect sent and deleted folders.
Official guidance recommends changing passwords for accounts the fraudster may have accessed, particularly where the same password was reused.
Step 6: Change Passwords and Protect Accounts
After securing email, change passwords for:
- banking;
- cryptocurrency exchanges;
- payment applications;
- cloud storage;
- social media;
- government or tax accounts;
- shopping platforms storing card details.
Use separate passwords for every important service.
Do not change passwords through links received in messages. Open the official application or type the website address yourself. Cybersecurity authorities warn that fraudulent password-reset links are frequently used to steal credentials.
Also review whether the fraudster added:
- a new device;
- an API key;
- a withdrawal address;
- a trusted beneficiary;
- a recovery method;
- a passkey;
- a new telephone number.
Step 7: Remove Remote-Access Software
Many investment and technical-support schemes persuade victims to install remote-control programs.
Examples include software used for screen sharing, device management or unattended access.
If remote access was granted:
- disconnect the device from the internet;
- uninstall the remote-access program;
- review installed applications;
- run a trusted security scan;
- change passwords from another clean device;
- contact the bank;
- inspect browser extensions;
- review downloads.
The FTC advises users whose computers may have been compromised to update trusted security software, run a scan and remove suspicious software.
A simple uninstall may not be sufficient if the offender installed additional software or created persistent access.
Step 8: Protect Your Identity Documents
Victims are often asked to upload:
- passports;
- identity cards;
- driving licences;
- bank statements;
- selfies holding documents;
- utility bills;
- signatures;
- tax documents.
These documents may later be used for:
- opening accounts;
- creating exchange profiles;
- impersonation;
- fraudulent credit applications;
- verification of accounts controlled by another person.
Record exactly which documents were shared.
Then contact the relevant issuing authority, identity-support service or credit-reporting organisation in your country. Monitor for unfamiliar financial accounts and applications. Authorities recommend checking financial records and acting quickly where identity information may have been exposed.
Step 9: Report the Incident to the Correct Authorities
There is no single international reporting office for every online scam.
A report may need to go to:
- local or national police;
- national cybercrime portal;
- financial regulator;
- consumer-protection authority;
- securities regulator;
- bank;
- payment provider;
- cryptocurrency exchange;
- social-media platform;
- website host or registrar.
Europol advises victims to contact local or national police; Europol itself does not accept crime reports directly from members of the public.
For online offences, use the national cybercrime-reporting channel where one exists.
A regulatory complaint and a police report are not interchangeable. The regulator examines financial-law and licensing issues. Police investigate suspected crimes.
Step 10: Report the Website and Contact Accounts
Report the offending profile or advertisement to the platform where contact began:
- Facebook;
- Instagram;
- Telegram;
- WhatsApp;
- LinkedIn;
- YouTube;
- TikTok;
- Google Ads;
- an app store;
- a dating platform.
Include:
- profile URL;
- username;
- telephone number;
- advertisement ID;
- screenshots;
- linked website;
- payment demand.
Also report phishing emails to the email provider.
This may not recover the payment, but it can help remove accounts and preserve platform records.
Step 11: Do Not Delete the Account Too Early
Victims sometimes delete the trading account, email thread or messaging profile out of fear.
That can destroy useful evidence.
Before deleting anything:
- export chats;
- download statements;
- save account history;
- record wallet addresses;
- screenshot the withdrawal page;
- preserve company documents;
- note support ticket numbers.
After the evidence is secure, reduce contact and revoke access.
Step 12: Beware of “Recovery” Scams
A person who has already lost money is a valuable target.
The victim may soon receive messages from someone claiming to be:
- a lawyer;
- regulator;
- police officer;
- blockchain investigator;
- recovery specialist;
- bank employee;
- government agent;
- former employee of the platform.
Common promises include:
- “We located your funds.”
- “Your money is frozen in a wallet.”
- “Pay a release tax.”
- “Buy a recovery certificate.”
- “Pay gas fees to unlock the blockchain.”
- “We have a court order.”
- “The regulator appointed us.”
The FBI has warned that cryptocurrency-scam victims are frequently approached by fraudulent recovery services and fictitious law firms. Victims should be cautious of anyone requesting advance payment to recover funds.
A legitimate regulator does not normally contact a victim through a private messaging account and demand cryptocurrency.
What Not to Do After an Online Scam
Avoid these mistakes:
Do not pay one final fee
There is rarely a real “last payment” in an ongoing fraud scheme.
Do not threaten the operator before preserving evidence
The website, chats and account may disappear.
Do not use the fraudster’s contact information to verify the company
Use the official register, bank statement or regulator website.
Do not install another application
A supposed recovery adviser may be trying to gain remote access.
Do not share verification codes
Verification codes are used to access or approve activity on your account. Consumer authorities advise never sharing them with another person.
Do not send original identity documents to unknown helpers
Redact unnecessary information when sharing evidence with anyone who has not been verified.
Do not assume a displayed account balance is real
A number shown inside a privately controlled platform may not represent funds held in a real trading or bank account.
Which Payment Methods Require the Fastest Action?
Bank transfer
Speed matters because the receiving account may still contain funds. Contact the sending bank immediately.
Card payment
Ask the issuer about dispute rights and applicable deadlines.
Cryptocurrency
Preserve the transaction hash and contact the sending exchange immediately. Do not pay anyone claiming that a second transaction is needed to reverse the first.
Cash deposit or crypto ATM
Save the receipt, terminal location, date, time and wallet address. IC3 reporting forms specifically request details about cryptocurrency kiosks where relevant.
Gift cards
Keep the card, receipt and code information. Contact the card issuer immediately.
Payment application
Report the recipient account, save the transaction ID and contact the provider’s fraud team.
A 24-Hour Action Plan
During the first hour
- stop communication and payments;
- contact the bank, exchange or payment provider;
- block cards or accounts if necessary;
- preserve transaction records;
- secure email.
During the first six hours
- change passwords;
- enable two-factor authentication;
- remove remote access;
- save chats and screenshots;
- write a chronology;
- report suspicious recipient accounts.
During the first day
- submit police or cybercrime reports;
- notify the relevant financial regulator;
- report the website and social-media accounts;
- contact identity-protection services if documents were exposed;
- organise the evidence into one folder.
Evidence Checklist
Before submitting a complaint, collect:
- company name;
- website and login address;
- account number;
- claimed licence;
- contact names;
- phone numbers;
- email addresses;
- chat profiles;
- bank recipient;
- payment references;
- wallet addresses;
- transaction hashes;
- screenshots;
- withdrawal requests;
- additional fee demands;
- terms and conditions;
- formal complaint to the company;
- timeline;
- total loss.
Example of a Clear Fraud Report
Subject
Online investment fraud report concerning [company] and [domain]
Summary
I am reporting suspected online investment fraud involving [company name], operating through [domain]. Between [date] and [date], I transferred a total of [amount] using [payment method]. After requesting a withdrawal, I was asked to pay an additional [tax/insurance/verification] fee. The withdrawal remains unresolved.
Payment information
Payment date:
Amount:
Recipient:
Bank or exchange:
Transaction reference or hash:
Evidence
I have attached account screenshots, payment records, communications, withdrawal requests and the additional payment demand.
Requested action
I request that the recipient account, company identity, website and associated transactions be assessed for possible fraudulent or unauthorised activity.
Frequently Asked Questions
Can the bank return money sent to a scammer?
Sometimes a bank or payment provider may be able to stop, recall or investigate a transaction, particularly when contacted quickly. No result is guaranteed, and the available process depends on the payment method, timing and national rules.
Should I continue speaking to the platform to collect evidence?
Preserve existing communications, but do not continue sending money, documents or security information. Further contact may expose you to additional manipulation.
What should I do if the scammer has my passport?
Record what was shared, secure financial accounts, monitor for identity misuse and contact the relevant identity-document and credit-reporting authorities in your country.
What if I installed remote-access software?
Disconnect the device, remove the software, run a trusted security scan and change important passwords from a clean device. Notify the bank immediately if financial accounts were visible or accessed.
Can cryptocurrency be recovered?
Blockchain transfers generally cannot be reversed in the same way as an ordinary card payment. However, rapid reporting may help an exchange preserve records or identify accounts connected to the transaction.
Should I report the incident even if the amount was small?
Yes. Reports can reveal links between victims, recipient accounts, domains and communication profiles.
Can I report an attempted scam where no money was lost?
Yes. Authorities such as the FBI encourage reports even where a cryptocurrency scam did not result in financial loss, because transaction and contact information may support broader investigations.
Is a fund-recovery company the first place to contact?
No. Start with the bank, payment provider, exchange, police and relevant regulator. Be particularly cautious when a private company guarantees recovery or requests an advance payment.
Final Assessment
The first objective after an online scam is not to win an argument with the fraudster.
It is to prevent a second payment, secure the accounts, preserve the evidence and notify the organisations that can act on the transaction.
The strongest order is:
- stop paying;
- contact the financial provider;
- secure email and accounts;
- preserve payment and communication evidence;
- report the incident;
- avoid recovery schemes.
Online fraud becomes harder to investigate with every deleted message, abandoned receipt and delayed report. A concise chronology with payment references, wallet addresses, domains and screenshots is more useful than a long accusation without supporting records.

Encountered a suspicious broker, scam website or online fraud? Tell us what happened and get a free consultation on possible recovery steps.