GCCI
← All posts
May 1, 2026 · How-to guide

How to Preserve Evidence in the First 24 Hours

The instinct, when you realize something is wrong, is to make it stop. Block the account. Delete the messages. Close the tab. That instinct is wrong, and acting on it will make every reporting and recovery option harder.

Before you do anything else, capture what you have. Investigators, banks, platforms, and law enforcement all need evidence to act, and most of that evidence lives in places that disappear quickly—profiles get deleted, messages get pulled, transactions roll off the screen.

What to capture

Aim for screenshots, not summaries. A screenshot of a scammer’s message is worth more than your description of what they said. For each interaction, try to get:

  • The full conversation, scrolled from top to bottom
  • The other person’s profile page, including their handle, display name, and profile URL
  • Any phone numbers, email addresses, or external links they sent you
  • Wallet addresses, transaction IDs, and exchange names if money or crypto moved
  • Timestamps—most apps show these if you tap or hover on a message
  • Receipts, confirmation emails, or wire transfer details

How to capture it

Phone screenshots are fine. So is using the snipping tool on a computer. If a chat is long, scroll and screenshot in segments rather than trying to fit it all on one screen. Save URLs as text—copy and paste them into a notes app—because the link itself is part of the evidence, not just the page it points to.

Save everything to one folder, named with the date. Don’t edit, crop, or annotate the originals. If you want to mark something up, make a copy first.

What not to do

Don’t engage with the person to “get more information.” That tells them you’re onto them and gives them a reason to disappear or escalate. Don’t delete messages, even if they’re upsetting. Don’t reset the device. Don’t pay anything new in hopes of recovering what was lost—that’s a known follow-up scam.

If it’s already too late

If you already deleted things or blocked someone before reading this, it’s not over. Many platforms retain data for a window after deletion and will provide it in response to a law enforcement request. Banks keep transaction records for years. The fact that you can’t see it doesn’t mean it’s gone.

Capture whatever you have left, then move on to reporting. The resource page walks you through which channel to use depending on what happened.

— GCCI

← All posts Home →