It’s surprisingly simple to fall prey to a phishing scam. Whether it’s an appealing email proposition, a message on social media, or a pop-up ad while you’re surfing the web, scammers excel in the art of deception.
Even if you pride yourself on being security conscious, you can still be caught off guard.
If you've clicked a link or opened an attachment in a phishing attempt, here are the 10 steps to follow.
Key Takeaways
- Phishing attacks are escalating due to the increased use of generative AI to craft highly targeted and sophisticated attacks.
- Never trust unsolicited messages blindly, no matter how much authority they project.
- The outcome of clicking the link in a phishing email depends on what the hacker has set up on the malicious website.
- Some malicious websites will try to lock up an individual’s computer and may infect the computer with ransomware.
- If you click a link in a phishing email, the goal should be to get to a mitigated state as quickly as possible.
Quickly Taking Action Is Key
Although it’s unsettling to realize you may have inadvertently downloaded malware or compromised your personal information, there are actions you can and should take immediately to limit the harm. The sooner you act, the less damage is likely to result.
The outcome of clicking the phishing link in a phishing email depends on what information the hacker has placed on the malicious website, says Patrick Schaumont, professor in the Department of Electrical and Computer Engineering at Worcester Polytechnic Institute.
“Often, the malicious website is made to look like a legitimate website and tries to convince you to type in your personal information or login credentials,” he says. “If you type in your personal information, the hacker can use it to impersonate you or sell it to others.”
In some cases, the malicious website will try to lock up an individual’s computer and may even infect the computer with ransomware, which prevents the person from accessing it unless they pay the hacker a ransom, Schaumont says.
“[Phishing protection] becomes easy if you sprinkle in a pinch of suspicion,” he says. “After all, the hacker is trying to mislead you and will only succeed if you go along.”
Never trust unsolicited messages blindly, no matter how much authority they project, Schaumont adds.
“No legitimate online bank will ever ask you to click a link and provide personal data. No shipping service will ever tell you that they have a package for you but it’s undeliverable,” he says.
“No online shopping site will ever warn you that your credit card was charged for something that you didn’t order. No reputable boss will ever ask you to buy them a gift card. No upright person will ever find your name ‘by accident’ in their contact list.
“If it looks phishy, it probably is.”
Preventing Phishing Scams
To keep phishing scams from happening in the first place, organizations can implement phishing protection software designed to detect and prevent phishing attacks.
This software typically includes such features as email filtering, website blocking, and real-time scanning for suspicious activity to safeguard users from falling victim to phishing scams.
However, there are steps you can take if you do inadvertently click on a phishing link.
10 Steps to Take if You’ve Fallen for a Phishing Scam
When you realize that you’ve clicked on a phishing link or fallen for a con like the Geek Squad scam, it’s important to take note of what actions you’ve performed, says Aaron Walton, threat intel analyst at Expel, a managed detection and response provider.
“Did you enter your password? Did you share other sensitive credentials or information? Did you download a file?” he says. “The actions you’ve performed help inform what the next steps are, and in most cases, you don’t have to deal with it on your own as others are willing and able to help.”
1. Disconnect From the Internet
Disable Wi-Fi or unplug the Ethernet cable, says Robert Siciliano, a cybersecurity expert and CEO of ProtectNowLLC.com.
“Disconnecting prevents any potential malware or any remote access technology from communicating with the remote hackers’ servers,” he says.
2. Scan for Malware
Use reliable antivirus software to run a full system scan, says Julian Durand, vice president of product management and chief information security officer at Intertrust Technologies, a provider of trusted computing products and services.
“This will help identify and remove any malware that may have been installed,” he says.
3. Check Your Browser
Your browser has built-in warning signs that can detect phishing websites, Schaumont says.
“For example, trusted websites display a padlock symbol next to the web address field in your browser,” he says.
“You can click on the padlock, and your browser will tell you if it thinks the website is legitimate. Browsers may also display warnings before allowing you to proceed to a potential phishing site. Heed your browser’s warning, and retreat to a safer destination.”
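Beyond what the browser shows, the link itself can be checked before or after clicking. The following is an added example, not code from the article or from any of the experts it quotes: a small heuristic that inspects the hostname of a link for the patterns phishing pages commonly use (a brand name buried in someone else's domain, character-substitution look-alikes such as paypa1.com, punycode labels, bare IP addresses, and user@host prefixes that hide the real host). The brand list, the confusable map and the sample URLs are all constructed for the demonstration, and the two-label "registrable domain" rule is a simplification of the public-suffix list that is only adequate for the .com brands used here.

```python
"""Heuristic look-alike URL checker.

Added illustrative example, not code from the article or its quoted experts.
Assumptions (constructed for the demo, not taken from the article): the brand
list, the confusable map and the sample URLs below.
"""
from urllib.parse import urlsplit
import ipaddress

# Constructed: domains the reader actually does business with.
BRAND_DOMAINS = {"paypal.com", "microsoft.com", "fedex.com"}

# Constructed: substitutions attackers use to spell a brand with other characters.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable_domain(host):
    """Last two labels of a hostname. A simplification of the public-suffix
    list that is good enough for the .com sample brands used here."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalise_confusables(label):
    """Map common look-alike characters back to the letters they imitate."""
    for lookalike, letter in CONFUSABLES.items():
        label = label.replace(lookalike, letter)
    return label


def phishing_indicators(url):
    """Return the reasons a link's hostname looks like a phishing look-alike.

    An empty list means no indicator fired; it does not prove the site is safe.
    Only the hostname is inspected, so the result is independent of whether
    the page loads over HTTPS.
    """
    reasons = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname in link"]

    # user:pass@host trick: the text before '@' is not the site being visited.
    if parts.username is not None:
        reasons.append(f"credentials-style prefix hides real host {host}")

    # A bare IP address is not how a bank, courier or shop addresses its site.
    try:
        ipaddress.ip_address(host)
        reasons.append("hostname is a bare IP address")
        return reasons
    except ValueError:
        pass

    # Punycode labels can render as characters that mimic a brand name.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) label in hostname")

    reg = registrable_domain(host)
    if reg in BRAND_DOMAINS:
        return reasons  # genuinely the brand's own domain

    first_label = reg.split(".")[0]
    for brand in BRAND_DOMAINS:
        brand_name = brand.split(".")[0]
        if brand_name in host:
            # e.g. paypal.com.secure-login.example: the brand is only a
            # subdomain label on someone else's registrable domain.
            reasons.append(
                f"mentions '{brand_name}' but the registrable domain is {reg}, not {brand}"
            )
        elif normalise_confusables(first_label) == brand_name:
            # e.g. paypa1.com or rnicrosoft.com
            reasons.append(f"'{reg}' is a character-substitution look-alike of {brand}")
    return reasons


if __name__ == "__main__":
    # Constructed sample links of the kinds the article describes.
    for sample in [
        "https://www.paypal.com/signin",
        "https://paypal.com.secure-login.example/verify",
        "http://paypa1.com/login",
        "https://paypal.com@evil.example/",
        "http://192.0.2.10/track",
        "https://xn--fedex-xyz.com/delivery",  # constructed; not a real punycode name
    ]:
        print(sample, "->", phishing_indicators(sample) or ["no indicators"])
```

Run it as a script to see each constructed link classified. The useful property is that every check is on the hostname the browser will actually connect to, which is what the padlock, the page's logo and the link text in the email all fail to tell you.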
4. Change Passwords
Any accounts the phishing website is associated with could be compromised, so you need to change your passwords, according to Siciliano.
“When you change your passwords, use long, strong, unique passwords for each account and never use the same password twice,” he says.
5. Enable Two-Factor Authentication (2FA)
Activate 2FA on all critical accounts to add an extra layer of security, reducing the risk of unauthorized access, says Durand.
6. Identify the Type of Phishing Attack
You should determine the nature of the phishing attack, says Phil Steffora, chief information and security officer at Arkose Labs, a provider of bot management and account security.
Was it seeking personal information, or was it a more dangerous type, such as a CEO impersonation attack aimed at monetary theft?
7. Review and Update Security Settings
You should regularly review the security settings on your digital accounts and devices and ensure that your software and applications are up to date to defend against new threats, Durand says.
8. Back Up Files and Photos
“Back up any important files or photos onto a USB thumb drive in case you need to wipe your device clean with a factory reset,” says Roman Zrazhevskiy, founder and CEO of MIRA Safety, a provider of personal protective equipment.
9. Implement a Fraud Alert
Place a free fraud alert on your credit report to be sure that scammers can’t defraud you, says Zrazhevskiy.
“This makes it quite difficult for scammers to open new credit accounts in your name,” he says. “However, it will also mean a few extra steps to confirm your identity whenever you want to open any new legitimate credit accounts.”
Siciliano agrees, adding, “If your Social Security number has been compromised, place a credit freeze on your credit report to prevent potential new account fraud identity theft.”
10. Report It to Your Security Team
If the activity occurred on a company laptop or account, it’s vital to report phishing to the security team ASAP, Walton says.
“They will be best equipped to secure any accounts and investigate the activity,” he says. “It’s essential to let them know because attackers are not just after you – they’re also likely aiming to compromise your employer through you.”
Siciliano adds that you might also want to consider reporting the phishing attempt to the Federal Trade Commission or the Anti-Phishing Working Group.
Don’t Be a Victim
The best advice is to not be a victim in the first place, says Durand.
“That is, do not click on suspicious links, particularly if you do not know the person sending you that link,” he says.
“Employ filters to weed out malware and configure your firewall with white lists of sites that are good. And train people in your company, family, and community not to click on arbitrary links.”
For more recommendations, read our complete guide on how to avoid phishing scams.
The Bottom Line
Phishing threats are evolving rapidly, and the volume of phishing is escalating exponentially due to the increased use of generative AI to craft highly targeted and sophisticated attacks, Steffora says.
“These aren’t broad campaigns anymore; instead, they’re direct assaults, personalized down to the individual,” he says. “Scammers are already using generative AI tools to impersonate voices and images and manipulate business information.”
For example, generative AI empowers scammers to use organizational charts and write contextually accurate phishing emails to individuals seeking some sort of financial transaction, such as paying a vendor, Steffora says.
“Enterprise IT and tech professionals need to start asking: What mechanisms can the business use to safeguard their companies besides email and phone because both of those have already been polluted by AI?” he says. “At the end of the day, when someone clicks on a phishing email, the goal should be to get to a mitigated state as quickly as possible.”