Scammer has your information? Start with what they got.
Not all exposed information creates the same risk. A phone number, email address, password, card number, bank login, Social Security number, or ID image can lead to different problems. Start with what the scammer has, then take the steps that match the risk.
By ScamClarity Editorial Team
Reviewed by ScamClarity Safety Review
Published May 21, 2026 ยท Updated May 21, 2026
A scammer having your information is scary, but the risk is not the same for every detail. A name and phone number are different from a reused password, one-time code, bank login, Social Security number, or photo of an ID.
Start with what the scammer actually got. Then focus on the account, card, bank, credit, or identity step that matches that exposure. You do not need to solve every possible risk at once.
Start with what they got
Use the closest match. If more than one applies, start with the item that gives direct access to money, accounts, identity documents, or government records.
They have my name, email, phone, or address
Lower risk
This can lead to more targeted calls, texts, emails, fake invoices, or impersonation attempts, but it usually does not let someone take over an account by itself.
Block the scam contact, watch for follow-up messages, and be careful with any caller or message that uses those details to sound official.
Expect more convincing messages that mention your name, location, employer, or recent scam.
Treat any new request for a code, password, payment, or ID as a separate risk.
Do not: Do not send a new document, code, or payment just because the person already knows basic details.
They have a password or login
Act quickly
A password can be used on the account you shared it for and anywhere else you reused it.
Change that password from the official site or app, change the same password anywhere else it was used, review signed-in devices, and turn on multifactor authentication.
Look for changed recovery emails, phone numbers, forwarding rules, connected apps, or unfamiliar devices.
Start with email, banking, payment apps, phone carrier, Apple, Google, Microsoft, and social accounts.
Do not: Do not change the password through a link the scammer sent.
They have a one-time code or reset link
Urgent
A one-time code may approve a login, password reset, money transfer, phone-number change, or security-setting change.
Stop sharing codes. Go directly to the affected provider, change the password if possible, sign out of unfamiliar sessions, and contact support if you see account changes.
A code you did not request can mean someone is already trying to sign in or reset the account.
If your phone service suddenly loses signal, contact your carrier from another trusted device.
Do not: Do not read another code out loud or send a screenshot of it.
They have card, bank, or payment details
Act quickly
Card numbers, bank account details, payment app access, wallet details, and account screenshots can be used for attempted charges, transfers, account recovery, or more targeted impersonation.
Contact the bank, card issuer, payment app, exchange, or provider using the official app, site, or number. Ask about blocking, replacing, freezing, disputing, or monitoring the affected account.
Look for small test charges, unfamiliar withdrawals, changed contact details, new payees, or transfer attempts.
If you shared a payment app login or code, treat it like account access, not just exposed information.
Do not: Do not approve a transfer, refund, or verification request from the scammer.
They have online banking or payment app access
Urgent
Direct access to a financial account can create immediate money movement, new recipient, card, loan, or identity risk.
Contact the provider now, secure the account from a trusted device, change passwords, revoke unfamiliar devices or sessions, and ask what transactions or profile changes need review.
If the scammer remote-controlled a device, secure the device before using it for banking again.
Do not: Do not keep using a device for banking if you think remote access or malware is still active.
They have my Social Security number, ITIN, or ID image
Urgent
SSNs, ITINs, driver's license photos, passport images, benefit numbers, and full date of birth can be used in identity theft attempts, account opening, tax fraud, or impersonation.
Use IdentityTheft.gov if identity misuse is possible or has started, consider fraud alerts or credit freezes, and monitor financial, tax, benefit, and account records for unfamiliar activity.
A credit freeze can help reduce new credit account risk, but it does not protect every existing account.
Tax-related identity theft has its own IRS steps if your return is rejected or you receive an IRS identity letter.
Do not: Do not assume a paid monitoring service fixes the problem by itself.
They have private photos or are threatening me
Urgent
Threats, blackmail, or pressure to send more photos, documents, money, or codes changes the situation from exposure to coercion.
Do not send more material or money. Save the messages, usernames, phone numbers, images they sent, payment requests, and threat language, then report through the platform and appropriate authorities.
Preserve evidence before blocking if you can do so safely.
If there is immediate danger, contact local emergency services.
Do not: Do not keep negotiating with someone who is using threats to control you.
I typed information but did not submit it
Check closely
Risk depends on the site or app. Some malicious pages can capture keystrokes or partially entered form data, while many ordinary forms do not submit anything until you press the final button.
If the page was suspicious and the information was sensitive, act as if it may have been exposed. Change passwords, contact affected providers, or use IdentityTheft.gov based on what you typed.
A password, card, bank login, SSN, or ID detail deserves faster action than a name or phone number.
Check browser downloads and extensions if the page also pushed a file, permission request, or support tool.
Do not: Do not go back to the suspicious page to test it again.
The information matters more than the scam story
The scam may have started as a fake job, apartment listing, bank alert, delivery text, dating conversation, marketplace sale, tech support call, or government impersonation. Once information was shared, the first question is not what label the scam has. The first question is what that information can let someone do.
Basic contact details can make future scams more convincing. A password can lead to account takeover. A one-time code can approve an action right now. Bank access can move money. A Social Security number or ID image can support identity misuse. Treat the exposed information as the risk.
A simple risk ladder
This is not a legal or banking decision. It is a practical way to decide what deserves attention first.
Lower risk: public or contact information
Name, address, email, phone number, username, public photos, or employer details mostly raise spam, impersonation, and targeted follow-up risk.
Medium risk: account clues and partial financial details
Account screenshots, last four digits, partial date of birth, or service-provider details can help a scammer impersonate you to a company or target you again.
High risk: credentials, full card or bank details, and recovery information
Passwords, one-time codes, full card numbers, payment app access, bank account details, recovery emails, and recovery phone numbers can affect money or account access.
Urgent risk: direct account access, SSN or ITIN, ID images, and threats
Online banking access, phone carrier access, Social Security numbers, driver's license or passport images, tax details, benefit information, or blackmail threats call for fast action and evidence preservation.
If the scammer has multiple types of information, handle the most sensitive item first.
If they have your email, phone number, or address
A scammer can use basic contact information to make future messages sound personal. They may call from spoofed numbers, send fake bank alerts, mention your address, pretend to be a delivery company, or claim they are following up on the same incident.
Block the scammer and report the account, number, or profile where the contact happened.
Do not answer identity questions from unexpected callers just because they know your name or address.
Watch for new messages that ask for a code, password, payment, document, or remote access.
Consider tightening privacy settings on social and messaging accounts if the scammer is using public details about you.
If they have your password, login, or one-time code
Passwords and codes need faster action because they can open a door. Do the security work from the official app or website, not from a link the scammer sent.
Change the exposed password and any reused copies of that password.
Sign out of unfamiliar sessions and remove devices you do not recognize.
Turn on multifactor authentication where available, especially for email, banking, payment, phone carrier, Apple, Google, Microsoft, and social accounts.
If you shared a code, contact the provider if you see a new login, password reset, transfer, phone-number change, or security-setting change.
If they have card, bank, or payment information
Money risk depends on the account and what was exposed. A card number is different from online banking access. A bank account number is different from a password and one-time code. Still, the provider is usually the fastest place to act.
Financial information: first moves
Information exposed
Main risk
First move
Card number or card photo
Unauthorized charges or card-not-present attempts
Contact the card issuer, ask about locking or replacing the card, and review pending charges
Bank account and routing number
Unauthorized withdrawals, fake deposit schemes, or targeted bank impersonation
Contact the bank, ask what can be monitored or changed, and watch for small test transactions
Online banking login
Account takeover, transfers, new payees, or changed contact details
Contact the bank immediately and secure the account from a trusted device
Payment app login or code
Transfers, linked bank or card access, or account changes
Use the official app or support site to secure the account and dispute unfamiliar activity
Crypto exchange login or wallet details
Account takeover, withdrawal attempts, or fake recovery offers
Contact the exchange, change credentials, and save wallet addresses and transaction IDs
Do not approve a new transaction to reverse, unlock, verify, or protect money because the scammer tells you to.
If they have your Social Security number or ID
A Social Security number, ITIN, driver's license image, passport image, benefit number, or full identity packet raises the risk of identity theft. That does not mean every exposed number has already been used. It means you should put controls in place and watch for signs of misuse.
Use IdentityTheft.gov if identity theft has happened or sensitive identity information may be misused.
Consider a fraud alert or credit freeze if new account risk is realistic. A freeze must be placed with each of the three major credit bureaus.
Check credit reports, bank statements, card statements, benefit notices, tax notices, and mail for activity you do not recognize.
If an IRS notice arrives or your tax return is rejected because a return was already filed with your SSN or ITIN, follow the IRS identity theft instructions.
If you think someone is using your Social Security number for work, taxes, credit, or benefits, review SSA and IRS guidance and keep records of what you find.
Signs someone may already be using your identity
Identity misuse can show up before you see a credit-report change. Review the places where the exposed information could matter.
Charges, transfers, or withdrawals you did not make.
Security alerts, password resets, new devices, new forwarding rules, or account changes you did not start.
Bills, collection calls, or account notices for accounts you did not open.
Credit inquiries, loans, cards, utilities, phone accounts, or addresses you do not recognize.
Missing bills or statements that normally arrive on time.
IRS letters, rejected tax filings, unexpected tax transcripts, or income records you do not recognize.
Government benefit, medical, insurance, or phone carrier changes you did not request.
What not to do now
Do not send another code, password, ID image, card photo, bank screenshot, or private document.
Do not call a phone number the scammer gave you to fix the problem.
Do not pay someone who claims they can erase the exposure, remove your data from every site, or guarantee recovery.
Do not keep talking to the scammer to see what else they know if it increases pressure or risk.
Do not delete messages, receipts, phone numbers, email addresses, usernames, links, or screenshots before saving evidence.
Do not assume a credit freeze protects existing bank, card, payment, email, phone, or tax accounts.
What to save
Evidence and exposure checklist
Save a private copy before profiles, messages, pages, or transaction records disappear.
What they got
List the exact information shared: email, phone, address, password, code, card, bank detail, SSN, ITIN, ID image, account screenshot, tax detail, benefit number, or private image.
Where it happened
Save the app, website, profile, username, phone number, email address, link, domain, and any page or form screenshots.
Messages and timeline
Save chats, texts, emails, voicemails, call logs, dates, times, requests, threats, and any instructions they gave you.
Account and money records
Save bank, card, payment app, crypto exchange, phone carrier, or account alerts, including transaction IDs, wallet addresses, case numbers, and support tickets.
Reports and provider actions
Keep confirmation numbers from the bank, card issuer, payment app, FTC, IC3, IdentityTheft.gov, platform, phone carrier, IRS, SSA, credit bureau, or local authority.
Do not post unredacted IDs, account numbers, full card numbers, addresses, tax documents, or private images in public groups when asking for help.
Where to report or act
ScamPath is not an official reporting destination. Use the provider or agency that can act on the part they control.
Use the affected bank, card issuer, payment app, crypto exchange, phone carrier, email provider, platform, or account provider to secure accounts and review activity.
Use IdentityTheft.gov when identity theft has happened or sensitive identity information may be misused.
Use FTC ReportFraud for consumer fraud reports.
Use FBI IC3 for internet-enabled fraud, account takeover, crypto losses, or online financial crime.
Use IRS identity theft guidance if tax records, IRS notices, rejected returns, SSNs, or ITINs are involved.
Use SSA guidance if you think someone is using your Social Security number for work, benefits, or other Social Security record issues.
Contact local law enforcement or emergency services if there are threats, blackmail, stalking, violence, or immediate safety concerns.
Official sources
These sources support the practical guidance in this article. They are listed by purpose rather than as a general bibliography.
Official sources used for this guide
Use the official source that fits the exposed information.
Password, security code, account compromise, and official-channel guidance for Apple account scams.
FAQ
Can a scammer steal my identity with just my name and phone number?
Usually not by itself, but it can help them target you with more convincing calls and messages. The risk rises if they also have a password, code, Social Security number, ID image, bank detail, or account access.
What if I gave a scammer my Social Security number?
Treat it as sensitive identity exposure. Use IdentityTheft.gov if misuse is possible or has started, consider credit freezes or fraud alerts, watch credit and account activity, and follow IRS or SSA guidance if tax, work, benefits, or Social Security records are affected.
What if I gave them my driver's license or passport photo?
Save what happened and monitor for account opening, impersonation, platform misuse, or identity theft. If the image was paired with an SSN, date of birth, address, bank detail, or account login, treat the risk as higher.
What if I typed information into a fake site but did not hit submit?
It depends on the site. Some malicious pages can capture information before final submission. If the information was sensitive, act as if it may have been exposed and secure the affected account or provider.
What if I gave a one-time code?
Stop sharing codes and secure the affected account immediately. A code may have approved a login, reset, transfer, or setting change. Check recent activity and contact the provider if anything changed.
Should I freeze my credit?
A credit freeze can help reduce new credit account risk when sensitive identity information is exposed. It is free, but you need to place it with each major credit bureau. It does not secure existing bank, card, email, phone, payment, or tax accounts.
Can a credit freeze hurt my credit score?
A credit freeze does not affect your credit score. It can slow down legitimate credit applications until you temporarily lift it.
Can a scammer empty my bank account with only the account number?
An account number alone is not the same as online banking access, but it can still create risk. Contact your bank, explain what was exposed, and ask what monitoring, blocks, account changes, or alerts are appropriate.
Should I keep talking to get more evidence?
Do not keep engaging if it increases pressure, threats, account risk, or emotional manipulation. Save what you already have. If money, identity documents, threats, or account access are involved, ask the provider or appropriate authority what else to preserve.
Can someone remove my information from everywhere online?
Be careful with anyone promising guaranteed removal, guaranteed recovery, or instant protection after a scam. Some services may help with narrow tasks, but no one can erase every copy of exposed information or undo every risk.