ⓘ​  This page has been translated using artificial intelligence.

14 minutes

Cybersecurity: First aid for cyber incidents

Despite all your precautions, it has happened: you have been the victim of a cyber attack. Now take a deep breath and keep calm. This page is your emergency guide: here you can find out how to respond correctly in the first critical moments, what immediate measures are necessary for different types of attacks, and where to turn for help in Switzerland. Cyber attacks are unpleasant, but with the right response you can often limit the damage.

Go directly to topic

Help, I've been hacked!

Your points of contact in Switzerland

Specific incidents: What to do in the event of...

Can my data still be recovered?

What can I do to prevent this from happening again?

Further content

Other interesting topics

Share this page

You will find these topics on this page:

Topic

Help, I've been hacked!

Have unauthorised emails been sent from your account, are there unknown purchases on your credit card statement, or is your laptop displaying strange error messages? It appears that you have been hacked or scammed. What should you do now?

First, take a deep breath: anyone can be hacked – even IT experts and security companies. So don't blame yourself, just keep a clear head. You'll need it now, because quick and systematic action is required to limit the damage caused.

This is what you should do immediately if you realise that you have been hacked or scammed:

1. Change the affected passwords and access data

If you realise that you have been hacked, immediately change all affected passwords from a clean device.*

To do this, create a list of all your online accounts (or use your password manager) to keep track of them. Check these accounts in particular:

  • Email accounts: Cybercriminals can use these to attack your contacts or reset the passwords for online accounts that you have registered with your email address.
  • Bank and credit card logins: Replace your login details to protect yourself from (further) fraudulent charges.
  • Social media: Set new passwords to prevent cybercriminals from sending their phishing links to your contacts and putting them at risk too.
  • Online shopping: Change your login details for online shops too, so that hackers cannot place unwanted orders.
  • Cloud storage: And, of course, you should also change your login details for your cloud accounts to protect your data.


Follow the recommendations for strong passwords. Use a unique, strong password for each account and enable two-factor authentication wherever possible. Remember to update the new passwords in your password manager as well.

*You can use a virus scanner such as Hitman Pro(opens in new tab) (for Windows) to check whether your device is clean. Antivirus programmes are also virus scanners that can detect and remove suspicious programmes. But be careful, there are also fraudulent antivirus programmes (these are usually free). You can check whether your desired antivirus programme is clean at the independent testing institute AV-Test(opens in new tab).

2. Block affected credit and bank cards

Lasse deine Kredit- oder Bankkarten sofort sperren, wenn du eine betrügerische Abbuchung auf deinem Konto entdeckst.

Kreditkartenanbietern kannst du falsche Abbuchungen reklamieren und die Zahlung zurückfordern. Informiere dich bei deiner Bank oder deinem Anbieter. 

3. Isolate your system and device

Wenn du denkst, dass du Malware auf deinem Gerät hast, trenne das Gerät sofort vom Internet:

Schalte den Flugmodus ein, vergewissere dich, dass das WLAN nicht manuell mit dem Gerät verbunden ist und stecke im Notfall sogar deinen WLAN-Router aus. So verhinderst du im besten Fall, dass die Malware weitere Daten stiehlt oder sich übers Netzwerk auf andere Geräte ausbreitet. 

Und wenn das Smartphone befallen ist? Dann gilt grundsätzlich dasselbe. Stoppe zusätzlich alle automatischen Cloud-Backups und entferne bei Verdacht auf SIM-Swapping die SIM-Karte aus dem Gerät.  

Achtung: Gerät nicht neu starten! Bei einem Neustart deines Geräts kann sich eine Malware tiefer im System verankern. Lass deinen Laptop, Computer oder dein Smartphone also erstmal so, wie er ist. 

4. What else is affected?

Cyberkriminelle wollen immer noch mehr.

Im besten Fall konntest du den grössten Schaden soweit abwenden. Vielleicht ist aber doch mehr angerichtet, als es auf den ersten Blick erscheint. Darum prüfe insbesondere: 

  • E-Mail-Posteingänge: Findest du verdächtige Bestätigungsmails? 
  • E-Mail-Postausgänge: Wurden von deinem Konto aus verdächtige E-Mails z.B. auch an unbekannte Empfänger*innen versendet?  
  • Kreditkartenabrechnung: Gibt es noch andere falsche Abbuchung als die, die du bereits entdeckt hast? 
  • Social Media: Wurden von deinem Profil aus Nachrichten verschickt, die nicht du geschrieben hast? Schau auch gerne mal nach, ob es neue Kontakte gibt, die auffällig sind und prüfe, ob in deinen Privatsphäre Einstellungen noch alles so ist, wie du es wünschst?  
  • Cloud: Gibt es verdächtige Zugriffe auf dem Aktivitätenprotokoll? Sind neue und verdächtige Dateien abgelegt? 

5. Secure all evidence

Mache Screenshots oder Fotos von verdächtigen Nachrichten, Fehlermeldungen oder Pop-Ups.

Diese können später die Aufklärung und Nachverfolgung erleichtern. Dokumentiere mindestens: 

  • Zeitpunkt: Wann hast du die erste verdächtige Aktivität bemerkt? 
  • Hinweise: Wie bist du darauf aufmerksam geworden? 
  • Konten: Welche Konten sind betroffen? 
  • Geräte: Welche Geräte sind betroffen? 
  • Schäden: Welche Schäden hast du oder haben deine Geräte davongetragen? 

6. Report the incident to the NCSC

Den Cybervorfall kannst du beim Nationalen Zentrum für Cybersicherheit (NCSC) melden.

Melde jeden Fall, auch wenn er dir noch so klein erscheint: Jede Meldung hilft dem NCSC, Trends zu erkennen und andere zu warnen. 

Zum NCSC Meldeformular(opens in new tab)

Bei akuten Notfällen wende dich an die Notrufnummern der Polizei 112 oder 117(opens in new tab)
 
Achtung: Ab dem 1. April 2025 gibt es für kritische Infrastrukturen eine Meldepflicht gegenüber dem Bundesamt für Cybersicherheit (BACS) – kritische Infrastrukturen sind diese meldepflichtigen Behörden und Organisationen(opens in new tab)

Your points of contact in Switzerland

In Switzerland, there are several professional contact points that can provide you with expert advice and support in the event of a cyber incident: you are not alone.

Contact point Suitable for Contact
Swiss Crime Prevention (SKP) 
 Prevention and avoidance of cyber incidents Website: skppsc.ch  
E-Mail: info@skppsc.ch
National Centre for Cyber Security (NCSC) 
 First aid and reporting centre for cyber incidents Website: ncsc.admin.ch 
Reporting centre: report.ncsc.admin.ch
Cantonal police
 Criminal charges for fraud, threats, identity theft or financial damage Online criminal complaint: suisse-epolice.ch  
In person: At any local police station
Consumer Protection Switzerland
 Consumer rights and advice on online fraud

Website: konsumentenschutz.ch  
E-Mail: info@konsumentenschutz.ch

Consulting services: konsumentenschutz.ch/beratung
State Secretariat for Economic Affairs (SECO) 
 Information about fraudulent online shops Website: seco.admin.ch 
Helpline: +41 (0)58 462 20 00  
Your legal expenses insurance Seek legal assistance if an emergency situation does arise. For example: sure Legal protection(opens in new tab)

Topic

Specific incidents: What to do in the event of...

Depending on the cyber incident, further steps may be advisable. Since your world may be a bit upside down right now, here are some instructions on what to do in your case.

Phishing & Co.

Have you clicked on a fraudulent link and entered your details on a fake website?
Immediate measures
  1. Follow the first steps in ‘Help, I’ve been hacked’.
  2. If your e-mail address is affected: Check your e-mail accounts for automatic forwarding rules and delete any unknown entries.
In the next few days
  • Inform friends and family that your contact details have been stolen.
  • Monitor your email inbox for suspicious confirmations or password reset emails.

Malware & ransomware

Benimmt dein Gerät sich merkwürdig, läuft langsam und zeigt unbekannte Programme oder Pop-ups? 
Immediate measures
  1. Follow the first steps in ‘Help, I've been hacked’.
  2. Run a full antivirus scan using up-to-date antivirus or virus scanning software*.
  3. If you are unsure, do not delete suspicious programmes yourself, but contact an IT specialist who specialises in malware removal. 
In the next few days
  • Do not make any payments or carry out any important online activities from your device until it has been completely cleaned.
  • Restore your system using your backup. You can seek assistance from an IT specialist to do this.

Identity theft

Nutzen Cyberkriminelle deinen Namen für ihre betrügerischen Absichten und Handlungen? 
Immediate measures
  1. Follow the first steps in ‘Help, I’ve been hacked’.
  2. Report the incident to the police if your personal data has been misused. 
In the next few days
  • Identity theft can have consequences months later. Therefore, remain vigilant and regularly check your bank statements and email accounts.

No longer able to access online account

Is your password no longer working, or have hackers locked you out of your online account?
Immediate measures
  1. Reset your password using the ‘Forgot password’ function in your online account (if you have provided an alternative email address in your account, it is best to send it to this address).
  2. Is your password reset not working? Then contact the provider and have your access blocked (you may need to prove your identity, so it's best to have an ID document ready or visit a bank in person, for example).
  3. Activate two-factor authentication if possible.
  4. Follow the further steps in ‘Help, I've been hacked’.
In the next few days

Online shopping

Have you paid online but not received your goods, or has your data been misused for an order?
Immediate measures
  1. Follow the first steps ‘Help, I've been hacked’.
In the next few days
  • Report the fake online shop to the police and file a complaint. You can do this online here(opens in new tab) or in person at your nearest police station.

Email account hacked

Are your friends receiving suspicious emails from you?
Immediate measures
  1. Follow the first steps in ‘Help, I've been hacked’.
  2. Check all email filters, forwarding settings and contact entries. Reset any suspicious settings or delete entries.
  3. Also check whether any fraudulent links have crept into your signature and whether automatic replies containing phishing links are being sent from your email account.
In the next few days
  • Warn your contacts and inform them that your email account has been hacked.
  • Change your email address if the damage is too great.
  • Use different email addresses for different purposes, e.g. one for official bodies, one for online shopping, one for newsletters, etc.

Business device affected

Has your work laptop or company mobile phone been hacked?
Immediate measures
  1. Disconnect the device from the internet.
  2. As this involves more than just your personal data, immediately inform your employer's IT managers or your line managers.
  3. Follow their instructions. 
In the next few days
  • Answer all queries from those responsible openly and honestly; they are your allies. Provide them with screenshots and evidence to help them follow up.

Family devices affected

Do smart home devices also show suspicious activity alongside laptops?
Immediate measures
  1. Immediately disconnect all suspicious devices from the network.
  2. Change your router's Wi-Fi password so that the devices cannot reconnect to your Wi-Fi on their own.
  3. Reset the router to its factory settings.
  4. Systematically check all devices and accounts to find out what has been affected by the cyber attack. 
In the next few days
  • Inform your family about the new password.
  • After thoroughly checking each device, you can reconnect them to the network one by one.
  • Get help if you want to secure the network further, e.g. with a firewall.

*You can use a virus scanner such as Hitman Pro(opens in new tab) (for Windows) to check whether your device is clean. Antivirus programmes are also virus scanners that can detect and remove suspicious programmes. But be careful, there are also fraudulent antivirus programmes (these are usually free). You can check whether your desired antivirus programme is clean at the independent testing institute AV-Test(opens in new tab).

Topic

Can my data still be recovered?

Have you lost important data? Yes, it's annoying and can feel like a disaster at first. But don't panic, there may be ways to recover the data. Here are a few options: 

Backup available?

Perhaps you'll be lucky and the lost data is still stored in a backup? Systematically check your cloud storage, external hard drives, automatic backups, smartphone backups – or maybe you'll even find the important file in an email attachment?

IT support or data recovery specialists

A local computer repair service can help with data recovery. The staff there have experience with a wide variety of data loss situations, have specialised software at their disposal and can also give you an estimate of the costs before carrying out the repair. Incidentally, it is a good idea to get a cost estimate, as data recovery as a service can be very expensive.

Has ransomware destroyed your employer's data? Contact your IT specialists or supervisors for data recovery. They are familiar with the company's backup systems and can decide whether external help is needed. 

System recovery software

The Windows and Mac operating systems offer functions for restoring a previous system state. Sometimes the version history of documents is also helpful, or the lost file may even still be in the recycle bin or in the cloud.

In addition, there are programmes such as Recuva(opens in new tab) or Disk Drill(opens in new tab) that specialise in data recovery. However, the capabilities of these tools vary and they are technically different in terms of complexity. If you are unsure, it is best to ask a professional.

Manufacturer support

Sometimes, the manufacturer of your device can also step in and help you recover lost data. It is best to clarify your options directly with the manufacturer.

Can backups themselves be infected?

Yes, they can. Certain types of malware can also spread to backups or hide in them: malware worms, for example, copy themselves to connected drives, viruses can infect programmes in your backup, or ransomware can specifically search for your backups in order to destroy them.

So if you want to check your backup for malware before restoring your data: If you have a backup on an external hard drive, connect the drive without an internet connection and run a full virus scan. If you suspect malware, it is best to contact a specialist.

As a general rule, the older the backups, the more likely it is that they were created before the infection.

Topic

What can I do to prevent this from happening again?

A cyber incident can also be a wake-up call: yes, it can happen to you too. If you haven't taken cyber security too seriously up to now, now is the time to rethink your approach. And perhaps also to make your family, friends or work colleagues aware of the issue.

Understand what happened

If you understand how the attack happened, you will be better able to assess future risks and prevent the same cyber incident from happening again. Understanding can also alleviate any uncertainty or fears you may have.

Ask yourself questions such as:  

  • How did the attackers get into my system?
  • What security vulnerabilities did they exploit?
  • How could I have detected the attack earlier?

It's not about blaming yourself, but about learning from the past. A healthy respect for digital risks will help you stay safer in future.

Fix the vulnerabilities

Once you know how the hackers got into your system, you can start fixing the vulnerabilities. Maybe it was outdated software? Perform an update. A weak password? Replace it with a strong one. An unprotected account or network? Protect it or use a VPN.

Optimise passwords and networks

The most common cause of cyber incidents is insecure passwords or networks. So make sure you optimise and customise your passwords, and you will have already made a big difference in your everyday life. Perhaps there is also something you can do about the security of your router?

Secure your data in backups

If you've had to laboriously restore your data after an attack, it might be worth saving important data using the 3-2-1 backup rule in future. Use automatic backups to make your life easier while still retaining full control and data security.

Are you considering cyber insurance?

Yes, cyber insurance exists. However, the range of products on offer varies greatly. Think carefully about what you need and compare the different offers. iBarry provides recommendations on what to look out for when taking out cyber insurance.(opens in new tab)

We have compiled our range of cyber insurance products here.

This is important

  • If you have been hacked, stay calm and proceed systematically. First, change all affected passwords from a clean device.
  • Depending on the cyber incident, specific steps may be necessary.
  • Report the incident to the NCSC.
  • Learn from the incident and apply what you have learned in future.

Useful links

Further content

We have compiled further information and content on the topic of cybersecurity here.

Other interesting topics

Ask Marcel

Marcel is a trainer at Swisscom. He is available to answer any questions you may have about cybersecurity.

Portrait des Leiters Jugendmedienschutz Michael In Albon
Marcel

Trainer at Swisscom