I’ve been Phished. What do I do now?

In an online world, the odds are you regularly receive legitimate emails from utility companies, subscription services like Hulu or Netflix, delivery services like DoorDash or FedEx, even your bank or auto insurance provider. Cyber attackers recognize that impersonating these companies is an effective way to sneak into your device or capture your personal information. They’re using big-name, sophisticated brands to send out phishing messages. Cyber criminals have gotten smarter, and they’re no longer emailing you from an obviously made-up business address to trick you into sharing private details. You likely open emails from trusted companies without thinking twice. You may even click on a link or open an attachment because it seems innocent and interesting. As soon as you realize you made a mistake and failed to avoid a phishing attack, don’t panic!

I’m caught. How do I recover from being phished?

If you’ve been caught in a phishing scam, it’s true – you’re on the “hook.”  But, the good news is, you can take immediate steps to remediate the damage.  Whether you are on your personal computer or one that is work-issued, we recommend the following steps.

  1. Disconnect your device from the network.  If you’re using a wired connection, unplug the cable from your computer immediately.  If you are on a wireless connection, open your network settings and disconnect from wi-fi.  The sooner you disconnect from the internet, the better.  Without an internet connection, the cyber attacker will have a shorter window of opportunity to remotely access your device or your personal information.  Quickly disconnecting will also prevent malware from spreading to any other device on the same network.
  2. Change your passwords. If you clicked a compromised link and entered a username and password, your account has been compromised.  Go to the site you know to be affiliated with that account and follow the steps to change your password.  If you’ve used the same password on any other site or for any other service – change it anywhere it’s in use.  Use best practices in setting your new password(s).
  3. Run a virus scan. On your personal computer, make sure you have anti-virus software installed and updated.  Run a full scan of your system.  If your work-issued computer was involved in the phishing scam, contact your IT team as soon as possible (after you’ve disconnected from the network) so they can scan your device and the network for viruses.
  4. Inform the company. After you’ve done what you can to mitigate damage, reach out to the company that the phishing email appeared to come from.  Let them know what happened so they can investigate.  They’ll look into the breach, warn others of the potential for phishing attacks, and put protective measures in place to prevent future scams associated with their organization.
  5. Beware of identity theft.  If your personal information was accessed, you’ll want to monitor things like account activity and credit reporting.

Avoid the Hook

No matter what technology you have in place to protect your computer and network, you are the last (and best) line of defense.  It is critical to exercise caution online.  Don’t open attachments you aren’t expecting to receive.  Do not click on links unless you know, without a doubt, they’re legitimate.  Hover over links and make sure the website matches the official site of the business sending the message.  Any time you aren’t certain an email is legitimate or a link is secure – pick up the phone.  Call the sender and verify anything that seems phishy!
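To illustrate the “hover over the link” check above, here is an added Python example (not code from the original post) that compares the hostname a link actually points to against the brand’s official domain. The OFFICIAL_DOMAINS table and every sample URL are constructed for illustration; confirm a brand’s real domain yourself before relying on it.

```python
from urllib.parse import urlsplit

# Constructed mapping from a brand name to its legitimate registrable domain.
# These values are assumptions for the example; verify them independently.
OFFICIAL_DOMAINS = {
    "netflix": "netflix.com",
    "fedex": "fedex.com",
}


def link_host(url: str) -> str:
    """Return the lower-cased hostname of an http(s) URL, or '' otherwise.

    urlsplit().hostname already drops any user:password@ prefix and :port,
    both of which phishers use to make a hostile host look like a brand.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower().rstrip(".")


def host_belongs_to(host: str, official: str) -> bool:
    """True only if host is the official domain or a subdomain of it.

    The suffix match is done on a label boundary, so 'netflix.com.example'
    does NOT count as belonging to 'netflix.com'.
    """
    official = official.lower()
    return host == official or host.endswith("." + official)


def check_link(brand: str, url: str) -> str:
    """Return 'ok' when the link host really belongs to the brand, else a reason."""
    official = OFFICIAL_DOMAINS.get(brand.lower())
    if official is None:
        return "unknown brand: verify by phone before clicking"
    host = link_host(url)
    if not host:
        return "not an http(s) link"
    if host_belongs_to(host, official):
        return "ok"
    if official in host:
        # The brand's domain is embedded in the name, but another domain is registered.
        return f"lookalike: '{official}' appears inside '{host}' but is not the registered domain"
    return f"mismatch: link points to '{host}', not '{official}'"


if __name__ == "__main__":
    for brand, url in [("Netflix", "https://www.netflix.com/browse"),
                       ("netflix", "https://www.netflix.com.account-check.example/login"),
                       ("netflix", "https://netflix.com@account-check.example/")]:
        print(f"{url} -> {check_link(brand, url)}")
```

Hostnames containing non-ASCII look-alike characters (internationalized domain names) would need an additional step, decoding with Python’s idna codec and comparing the ASCII form, which this example leaves out.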

Interested in email awareness training for your organization?  Safety Net can help – contact us!