Malicious actors use emails, text messages, and instant messages to fool you into giving them personal information. That information is later used to target you and others you know in an attempt to gain access to resources and further information, ultimately leading to you calling a number or entering financial details so they can steal from or extort you and your organization.
- How can I identify Phishing?
- How can I protect myself from Phishing Attacks?
- What do I do if I suspect a Phishing Attack?
- What should I do if I responded to a Phishing Email or Message?
- Can I report Phishing?
How can I identify Phishing?
There are thousands of attacks or phishing campaigns every day. Many are successful on some level, which is why attackers keep launching them. They have evolved and become more sophisticated, to the point where they may look and feel just like normal communications. They may even come from people you know, because the senders' email accounts have been compromised. There are some patterns that will help you identify these messages.
They may look like they are from people or service providers you use
It doesn't take much to guess correctly. If you sent out 10,000 emails claiming that the recipient's bank account, or their Google, Apple, or Microsoft account, was compromised and needed a password reset, the odds are pretty good that several of those people have an account with one of those service providers.
Storytelling emails
Many of these phishing emails contain the following common themes:
- Change your password, your account has suspicious activity
- Request personal information confirmation
- State account or payment problems
- Send a fake invoice or document (typically PDF)
- Link to receive refund or make payment or other free things (if it sounds too good to be true, it probably is).
How can I protect myself from Phishing Attacks?
Use Technology
Spam filters, whitelists, and blacklists aren't enough any more. Fortunately our toolbox has expanded and should include the following:
- Continuously update your anti-virus/malware scanners and ensure they are scanning your emails.
- Update all of your devices with the latest security patches and bug fixes.
- Protect as many accounts as possible using Multi-Factor Authentication (MFA). Avoid SMS messaging when possible and use an authenticator application such as Microsoft Authenticator, Google Authenticator, Authy, or others. We also recommend biometric scanners and hardware authenticators such as YubiKey.
- Keep at least two current backups of all critical files. Also make backups offsite in case the entire network is compromised.
Use Knowledge
- Be skeptical and don't trust ANY links. On most desktops and laptops you can hover over a link and its target will appear somewhere on the screen. If the URL doesn't match the company, it's likely a scam. On a phone you can usually press and hold the link to preview it; again, if it doesn't match, it is probably a phishing attempt.
- Always read the entire email, looking for suspicious items such as spelling mistakes and typos, misused logos, and poor grammar. Although marketing emails are annoying, most large companies spell-check their messages and have decent grammar.
- Take a course and learn how to spot patterns in emails. A good training platform is KnowBe4.
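The "hover and compare" check from the first bullet can also be automated. The following is an added example, not part of the original article: it parses the anchors in an HTML email body and flags links whose visible text names one domain while the real href points to another, as well as links that leave the domain the mail claims to be from. The sample message is constructed, the function names are this example's own, and the registrable-domain logic is a deliberately simple last-two-labels approximation (a real tool would consult a public-suffix list).

```python
"""Flag deceptive links in an HTML email body.

Constructed example: the sample message below is not a real email, and
the helpers here are this example's own, not from any library.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message). The first link shows
# one address but goes to another; the third buries the trusted name inside
# an unrelated domain; the second is legitimate.
SAMPLE_HTML = """
<p>Dear customer, unusual activity was detected on your account.</p>
<p>Please <a href="http://login-verify.example.net/reset">https://accounts.example.com/reset</a>
to confirm your password.</p>
<p>Questions? Visit <a href="https://www.example.com/help">www.example.com/help</a>.</p>
<p>Or <a href="https://example.com.evil.example.org/">click here</a>.</p>
"""

# Matches anchor text that itself looks like a URL or hostname.
URL_TEXT = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL, or of a bare 'www.example.com/path' string."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def registrable_domain(host):
    """Assumption for this example: the last two labels are the registrable
    domain (accounts.example.com -> example.com). A public-suffix list would
    be needed for names like example.co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_suspicious_links(html, expected_domain):
    """Return (reason, href, visible_text) for each link that either shows a
    different domain than it really targets, or targets a domain other than
    the one the message claims to come from."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = registrable_domain(host_of(href))
        shown = registrable_domain(host_of(text)) if URL_TEXT.match(text) else ""
        if shown and shown != actual:
            findings.append(("text/href mismatch", href, text))
        elif actual != expected_domain:
            findings.append(("off-domain link", href, text))
    return findings


if __name__ == "__main__":
    for reason, href, text in find_suspicious_links(SAMPLE_HTML, "example.com"):
        print(f"{reason:20} shown={text!r:40} actual={href}")
```

Running it against the constructed message reports two findings: the password-reset link is a text/href mismatch, and the "click here" link is off-domain because `example.com` appears only as a subdomain label of `example.org`. The legitimate help link produces nothing.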
What do I do if I suspect a Phishing Attack?
- Don’t open any attachments or click any links.
- Avoid calling the number or sharing anything personal. It’s probably not worth your time to call and share your opinion about how horrible they are; besides, they will probably put you on a DO CALL list because your number is now in yet another database.
- If you feel so inclined, you can report it to the organization it claims to be from, or report it to the FTC.
- Delete the message, unless you clicked the link, in which case keep it for your IT staff. Antivenom is harder to make when IT professionals don’t have the snake.
- Block the incoming mail by reporting as junk and phishing.
- Learn more about Cyber Safety.
What should I do if I responded to a Phishing Email or Message?
- Contact your IT staff
- Change your password (hopefully it is unique for that site/service but if not, change it everywhere you have used it and please STOP REUSING PASSWORDS).
- Enable Multi-Factor authentication (if you don’t have it).
- If you think the malicious actor has acquired personal or sensitive information such as financial information or social security numbers, follow the steps at IdentityTheft.gov.
- If you suspect you’ve installed harmful software or opened something bad, update your security software and run a scan.
Can I report Phishing?
Yes! Please do! Sweeping this under the rug will only cause more problems for more people moving forward. It is best that the incident is reported. Consequences are almost always worse when you try to hide a breach or fail to inform others who may have been affected. You can help protect our community by reporting these incidents.
- Notify your organization’s IT department or firm. They will help take immediate action and work with you to best resolve the incident.
- Maintain records (perhaps take a photo or video of the email and anything else connected with the email).
- Report the phishing attack to the FTC at ReportFraud.ftc.gov.