How to secure ”evidence” on compromised devices?

My mother of 85, a longtime Macintosh user, was recently scammed for a large amount of money, which she wired the scammers a total of five times from two different bank branches. We’re pretty sure she allowed screen sharing (for about a week!) on her Macbook Air M1 with Monterey, and we see texts from the scammers. We don’t know how compromised her iPhone 6s Plus (unsure of the iOS) is. A police report has been file, but they don’t seem to be so interested. My less technical brother is with her. I’ll be arriving there in San Francisco this week to inspect more closely.

We’ve changed both AppleID passwords, 1Password Master password (she’s on my Family account), all email and financial passwords and directed 2fA to my brothers iPhone. All email and texts were received on both devices (Apple Mail and iMessage/Messages).

The question:
Before erasing and reinstalling, I’d like to secure any potential evidence that could be needed later. Any tips on the best way would be welcome.

Please also see my other thread for questions on how to best configure her devices.


I work in law enforcement in the UK so what counts as evidence here will almost certainly differ from the States. ‘Evidence’ is notoriously difficult. Scammers will spoof the origin of texts, it’s easy to do. UK law allows law enforcement agencies to request telecoms data but you need to go over considerable legal hurdles to (rightly) collect personal data which may involve international calls or burner phones. Email headers may include the IP address - however these will probably have gone through a VPN and be of little value. Again you’d need to get through those legal hurdles, not something a private citizen can do. Sadly most people in the UK will hope their banks will refund them if they can demonstrate they took reasonable steps to check the veracity of the caller.


That is an important point. What would constitute “reasonable steps”?

Reasonable steps would include:
Not divulging their PIN to any caller
Not divulging their account details.
Hanging up the call and ringing their bank back (though scammers get around this by staying on the line).
Not divulging any personal details such as passwords or other personal information.

Older or less technically savvy people are more easily persuaded that a call is genuine so each financial instution will take a different view on what is reasonable. I’ve known police officers attend a individual who had transferred substantial funds and who still didn’t believe it was a scam even though they were telling them to their face that it was. I’ve dealt with individuals who’ve permitted their PC to be remotely controlled and have lost £200k.


Thanks Dave.
I’m afraid Mom fits in to that profile quite well. She trusted them blind, for about a week, wiring them money a total of 5 times and giving them pretty much unlimited screen sharing access to her computer. When we read the text exchanges, it’s almost as if she sees them as friends and appreciates the company. She doesn’t even seem stressed out.

That’s a great shame. Many banks in the UK now have security teams who automatically block access when unusual/suspicious payments seem to be made - you have to actively override them to complete the process. However there are many many, (sometimes but not exclusively) older people, who are taken in because they are vulnerable or, as is also the case, the scammers are very convincing.

1 Like

About a week ago a friend stopped at my mom’s and found her on the phone with a guy with a caller ID of “Visa Customer Service” who said he was in the fraud department and was trying to block a $2500 gambling charge on my mom’s Visa card. The friend got on the phone (pretending my mom was her mother-in-law) just as the guy was asking for my mom’s PIN number!

The friend demanded more info and the guy couldn’t even tell her which card it was (“It’s Visa!”) and so she hung up on him. She took my mom to her bank where they could check everything and ensure nothing bad had happened. Nothing had – the caller was just fishing for personal info, and thankfully the friend stopped my mom from giving him any. But I couldn’t believe my mom could be so trusting. The irony of “fraud department” committing fraud!

I’ve told my mom that from now on ANY call or text relating to finances has to come to me. I told her to say she doesn’t handle her money and her accountant will have to get back to them. Then I can verify if it’s legit or not.

It’s getting to be a scary world.

(I also just helped my elderly neighbor who got a text from “Amazon” saying her account was blocked. She was entering her info on the indicated web form when they asked for her SS# and that spooked her and she called me to see if it was legit. It was clearly not.)


I have no idea what rights a person has to request their own text records from a carrier. However, I do know from experience that voice records in the United States, know as Call Detail Records (CDRs), can be requested for one own’s phone without involvement from either law enforcement or the judiciary.

1 Like

Yes, scarey world. When we changed all moms passwords, we also directed 2fa to my brothers iPhone.

Thanks Nello! Good info.

1 Like