“Alert: Your charge of $984.93 at the Apple Store has been processed,” reads the legitimate-looking message. Because you visited the Apple store yesterday, you click on the corresponding link. Instant regret. You’ve been phished.
While phishing attacks can be dangerous, not all phishing attacks result in identity theft, malware downloads, network intrusions or other personally petrifying, career-ending, and business razing consequences. If you accidentally click on a phishing link, don’t panic!
Here’s how to proceed…
Recovering from phishing
If you’ve been phished or otherwise fallen for a social engineering ruse, the exact steps that you should proceed with will vary based on the nature of the scam itself, whether or not the attack has occurred on a work-owned device, and the type of device affected. Nonetheless, these general steps can help mitigate adverse events.
- Remove your device from the network. In the event that you’re using a wired connection, unplug the cable from your device immediately. If on wireless, visit the ‘settings’ menu, and disconnect from the Wi-Fi. Disconnect as quickly as possible. Without an internet connection, hackers will have less of an opportunity to access your devices or your personal information. Also, disconnecting from your network can prevent a malware attack from spreading to other devices.
- Change your passwords. In the event that you typed online account credentials into a phony web page, be sure to reset your password. If you use this same password for other accounts, be sure to change those passwords, as hackers sometimes conduct ‘password spraying’ attempts, which involve use of a single password in an effort to break into multiple accounts. Follow best practices in configuring new passwords.
- Scan for viruses. If the attack occurred on your personal computer, ensure that you’re using anti-virus software and that proper updates have been made. Then, run a complete scan of your environment. If you fell for phishing on your work-issued computer, reach out to your IT team. They can run scans for you, and search through the larger network for any impact. Be prepared to answer basic questions about whether or not you entered information into a phishing-related web portal, and whether or not any highly sensitive or classified information may have been leaked.
- Inform the right people. If the phishing message imitated Amazon, FedEx, Bank of America or another known organization, reach out to the customer service department of the organization and let them know of the scam. While it may already be on their radar, accumulating consumer complaints may give them greater reason to pursue a formal investigation into the perpetrators of the attack.
- Avoiding identity theft. Did hackers access valuable information? On a personal level, you can monitor accounts, use credit reporting services that offer fraud alerts, and report the incident to the appropriate national bureau. If you provided your credit card information on the phishing page, cancel your card. At the business level, next steps vary depending on the nature of the information accessed, and on the scale of the incident.
Future phishing schemes
You’ve been phished once. Don’t get phished twice.
Avoid obvious scams
On some occasions, a message may read as a scam, yet because humans experience unquenchable curiosity and thirst for reward, people click on scams anyway. While it sounds elementary, avoid obvious scams!
The sweepstakes promising to send you a $2,500 gift card to the local hardware store is probably a scam. If you have reason to think that this type of message might not be a scam, use a secondary channel to reach out to confirm with the soliciting organization.
Turn on multi-factor authentication
Enabling multi-factor authentication on accounts can prevent hackers from breaking in using stolen credentials. Whether the hackers have sent you a malicious attachment that exfiltrated credentials from your machine, or whether you’ve entered credentials into a phishing page yourself, multi-factor authentication can prevent hackers from continuing with attack schemes.
Back up your data
On both the individual and business levels, one key way to avoid phishing attack damage includes backing up your data. Individuals should make regular backups on an external hard drive (or two) and/or via cloud storage services, like Dropbox or Google. Organizations can consider implementing the 3-2-1 approach to backups.
Apply software solutions
Individuals and organizations alike can install anti-phishing software at multiple system levels in order to prevent future phishing attempts. Although phishers continually evolve their campaigns in order to evade anti-phishing filters, such mechanisms can still help prevent classic phishing threats. Also, be sure to install updates, or agree to auto-updates for anti-phishing software, enabling you to receive the latest phishing prevention blockers and tools.
If you’ve been phished, see this CyberTalk.org article for additional anti-phishing insights.
Understanding the latest trends can help you protect your organization. Get additional phishing-related insights throughout this week during #Phishingweek2022 – Feb 28th through March 4th.