One Careless Click: What a Monday Morning Scam Taught Me About the Security Holes Nobody Talks About

And why locking your credit and your SIM card might be the two most important things you do this year

I want to tell you about the worst Monday morning I've had in a long time and what came out of it that might actually protect you from something genuinely awful.

It started innocuously. A chat from someone I knew on Discord. Except it wasn't them.

By the time I figured that out, I had already clicked something I shouldn't have, and a scammer with access to my compromised machine was typing out their demands in real time. I had less than a minute to respond once the list landed.

I never responded. I was already changing passwords.

The Adrenaline Did Something Useful (For Once)

Here's the thing about being AuDHD and hitting a genuine emergency: hyperfocus doesn't ask permission. It just arrives. Within about 30 seconds of the shock wearing off, I was in full triage mode and I stayed there, on and off, for most of that week.

I was motivated in a way that months of "I really should do this" had never managed to produce. Funny how that works.

One careless click had exposed the entire contents of my password manager. Let that sink in. Everything. And the only reason this didn't become a full financial catastrophe is that I had previously, in a fit of paranoia or prescience, activated two-factor authentication (2FA) on all my email accounts. That one earlier decision became my firewall.

They cost me time. They cost me one PayPal purchase that had to be reversed, which resulted in the offender’s account being permanently banned from the site where the purchase was made (possible petty vengeance). They locked me out of my own Discord account for nearly a week by doing the digital equivalent of breaking a key off in the lock - hijacking the account recovery process before I could initiate it. Several days of back-and-forth with support followed, but because it's a paid account, the outcome was never really in doubt.

The part that stung most? While they had control of my Discord, they used it to run the same scam on my contacts. One person got hit despite my scrambling to warn everyone. That one landed hard. It didn't need to happen. None of it needed to happen.

I Had a Plan. I Just Hadn't Done It Yet.

This is the part I'm a little embarrassed to admit, because I know better both professionally and personally.

I had been planning for months to tighten my security. I had done the research. I had gathered the information. I had a plan. And then I didn't make the time, because the initial burst of concern had faded, the urgency evaporated, and life filled back in around the edges.

If you've ever done the neurodivergent thing where you research something thoroughly, feel briefly satisfied by the research itself, and then... don't actually do the thing? Hi. I see you. I am you, apparently, even with decades of knowing better.

Motivation that depends on urgency is not a character flaw. It's a neurological reality for a lot of us. But it does mean that when the urgency is artificial, we often don't act, and when the urgency becomes real, we're already behind.

So I'm going to give you some urgency now, in the hope that you can borrow mine without having to generate your own the hard way.

What I Actually Did - The Full Sweep

Once the crisis hit, here's how I triaged, roughly in order:

Money first, always. Bank accounts, PayPal, credit cards, any account where payment information lives. Passwords changed, 2FA activated where it wasn't already.

Password hygiene across the board. Every account I actively use got a new password. Accounts I recognized but knew I'd never use again? Deleted. Zombie accounts are a liability. They're sitting there with old passwords and personal information, just waiting.

2FA on everything that will accept it. This is table stakes now. If an account offers two-factor authentication and you haven't activated it, that's an open door. I also finally - finally - set up an authenticator app on my phone rather than relying solely on SMS codes (more on why that matters in a moment).

Now here are the two things I want to spend real time on, because they're the ones most people don't know about, and they're both significant.

Lock Your Credit Reports. All Three of Them.

Most people know credit freezes exist in a vague, theoretical way. Far fewer people have actually done it.

Here's what it means in practice: when your credit reports are locked with all three major bureaus - Equifax, Experian, and TransUnion - no one can open a new account that requires a credit check in your name. Not a credit card. Not a loan. Not a car financing agreement. Nothing.

It doesn't matter how much of your personal information a bad actor has collected. Doesn't matter if they have your Social Security number, your date of birth, your mother's maiden name, your old addresses. With your reports locked, they hit a wall.

Each bureau has an online portal where you can lock and unlock your report yourself, for free. Unlocking when you legitimately need to apply for credit takes a few minutes. Locking it back down takes the same.

This is one of those things that sounds complicated and is actually, almost insultingly, simple. The friction of doing it is low. The protection it provides is substantial. If you do nothing else after reading this, do this.

Lock Your Phone Number and Your SIM. Yes, Really.

This one is less well known, and I'd argue it might be even more important - especially now.

Here's the attack. It's called SIM swapping, and it's been quietly ruining people's lives with very little mainstream coverage. A bad actor calls your phone carrier. They have information about you - gathered from data breaches, from the dark web, from your social media, from any number of places your information has leaked over the years. They pretend to be you. They say they got a new phone and need the number and SIM transferred.

And the terrifying part is how often it works. Customer service representatives are human. They're working from verification scripts. And the information needed to pass those checks is frequently available if someone is motivated to find it.

The move from physical SIM cards to eSIMs (virtual SIMs) has made this easier to execute, not harder. There's no physical card that has to be obtained. It's a digital transfer.

Once someone controls your phone number, they control everything that uses that number for verification. Your email recovery. Your bank's two-factor authentication. Your authenticator app backup, in some configurations. Your entire digital identity can pivot on that one point of failure.

This is what motivated me to start my research and secure my emails: watching a video about someone who had gone through exactly this. The level of damage - financial, personal, psychological - was significant and took months to begin untangling.

The fix, again, is simpler than the problem suggests. Call your carrier or log into your account portal and ask about their SIM lock or number lock options. Most major carriers have them. It adds a PIN or passphrase requirement to any changes made to your account. Some carriers call it a "port freeze" or "account security PIN." The language varies; the concept is the same.

Without it, your number can be transferred by someone who isn't you. With it, they need a code that only you have.

The Behavior Change That Doesn't Require a Crisis

I want to name something that the crisis clarified for me, because it applies whether you've been hacked or not.

Online behavior has patterns. The people in your life, including your digital-life contacts, have patterns. When something feels slightly off about a message, even from a known account, that feeling is data worth honoring.

The scammer who had taken over my contact's Discord account was mimicking conversational tone. But they needed something from me quickly, and they were pushing for it with a low-grade urgency that, in retrospect, didn't quite fit. I noticed it. I didn't act on the noticing fast enough.

We've been socialized, particularly those of us who struggle with the social rules that feel arbitrary, to second-guess our read on situations. To give the benefit of the doubt. To not make things awkward. Scammers count on exactly that.

Odd requests from known accounts deserve a pause. A quick verification through a separate channel - a text, a direct call - takes 90 seconds and can stop something cold.

The discomfort of asking "wait, is this actually you?" is temporary. The discomfort of having clicked something you shouldn't have is considerably less temporary.

Here's Your Low-Pressure To-Do List

You don't have to do all of this today. But I'd like you to do some of it this week, while you still have my adrenaline to borrow.

  • Lock your credit reports with Equifax, Experian, and TransUnion

  • Call your phone carrier and ask about SIM lock and number lock options

  • Turn on 2FA for every account that matters, starting with email and financial accounts

  • Download an authenticator app if you haven't (Google Authenticator and Authy are both solid starting points)

  • Delete accounts you know you'll never use again

  • Change any password you've been using for more than a year, or that you've used in more than one place

None of this requires a tech background. None of it costs money. All of it closes real doors that are currently open.

I spent years knowing I should do this and not making the time. Then I spent a week cleaning up to avoid what could have cost me a lot.

I'd rather you spend an afternoon doing the boring preventive work than a week in crisis mode - even if, neurologically speaking, the crisis mode was kind of impressive.

You deserve systems that protect you. You also deserve to set those systems up before someone forces your hand.

If this brought up questions about your own digital security or anything else you've been putting off that you know matters - my door's open. That's what coaching is for.

What's one thing on this list you've been meaning to do and haven't? Drop it in the comments. No judgment - I clearly have no standing to judge anyone on this particular topic.

#DigitalSecurity #NeurodivergentLife #LifeCoaching
