Protect Yourself Against Phishing

Overview

Phishing is a tactic used by cybercriminals to lure you into revealing sensitive or confidential information. Phishing attempts typically involve deceptive emails, texts, or phone calls that are disguised as a message from a legitimate, trustworthy source. Watch the video below (1:44) to learn more about phishing and how to spot a phishing attempt.

[Embedded video (1:44): what phishing is and how to spot a phishing attempt]

Types of Phishing

  • Angler Phishing: Anglers use fake social media posts or accounts to get people to provide login information or download malware.
  • Impersonation Spoofing: A criminal impersonates another individual or organization with the intent to gather personal or business information.
  • Pharming: A malicious website that resembles a legitimate website, used to gather usernames and passwords.
  • SMS Phishing or “Smishing”: Phishing carried out through a text message (SMS).
  • Spear Phishing: Criminals obtain information about you from websites or social networking sites and customize a phishing scheme to you.
  • Voice Phishing or “Vishing”: A form of social engineering: a fraudulent phone call designed to obtain sensitive information such as login credentials. For instance, the attacker might call pretending to be a support agent or representative of your company.
  • Whaling: Attackers go after a “big fish” such as a CEO. These attackers often spend considerable time profiling the target to find the opportune moment and means to steal login credentials. Whaling is of particular concern because high-level executives are able to access a great deal of sensitive company information.

Key Indicators

  • You are being asked for personal or private information: your password, financial account information, address, date of birth, Social Security Number, or money, even in the form of gift cards or blank checks.
  • Scare tactics or threats stressing that if you don’t act quickly, something bad will happen.
  • Promises of something too good to be true, including bargains, “great offers,” or links to claim an award or reward.
  • It’s not addressed to you specifically, by name.
  • The sender isn’t specified, isn’t someone you know, or doesn’t match the “from” address.
  • It has spelling or grammatical errors.
  • It includes links to pictures or videos from people you don’t personally know.
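To make this checklist concrete, here is an added example (not part of the original page) that runs the indicators above over a constructed sample message: sender domain versus the organization it claims to represent, Reply-To mismatch, urgency language, requests for credentials, a generic greeting, and links pointing off-domain. The domain names, the sample message and the keyword patterns are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email) that triggers several indicators.
SAMPLE = """\
From: "Campus IT Help Desk" <helpdesk@it-secure-reset.example>
Reply-To: verify@mail-reset-team.example
To: user@university.example
Subject: URGENT: your account will be suspended

Dear User,
Your mailbox is over quota. Verify your password within 24 hours or your account
will be suspended: https://it-secure-reset.example/login
"""

# Assumed keyword patterns; a real filter would use a tuned, larger list.
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended|act now)\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(password|social security|gift ?card|account number|verify your)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear (user|customer|member|account holder)\b", re.I | re.M)
URL = re.compile(r"https?://[^\s<>\"']+")

def phishing_indicators(raw, trusted_domain):
    """Return the checklist indicators triggered by a raw RFC 5322 message.

    trusted_domain is the domain of the organization the sender claims to be
    (an assumed input, e.g. your own organization's domain).
    """
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    trusted = trusted_domain.lower()
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    hits = []
    if from_domain != trusted:  # display name says "IT Help Desk", address says otherwise
        hits.append(f"sender domain {from_domain!r} is not {trusted!r}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        hits.append("Reply-To domain differs from From domain")
    subject_and_body = msg.get("Subject", "") + "\n" + body
    if URGENCY.search(subject_and_body):
        hits.append("urgency or threat language")
    if CREDENTIAL_ASK.search(subject_and_body):
        hits.append("asks for credentials or personal/financial information")
    if GENERIC_GREETING.search(body):
        hits.append("generic greeting, not addressed to you by name")
    for link in URL.findall(body):  # links that leave the trusted domain
        host = (urlparse(link).hostname or "").lower()
        if host != trusted and not host.endswith("." + trusted):
            hits.append(f"link points to {host!r}, not {trusted!r}")
    return hits
```

Running `phishing_indicators(SAMPLE, "university.example")` reports six indicators for the sample; a routine internal message from the trusted domain with an on-domain link reports none.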

Examples

  • “There’s a problem with your account” – trying to trick you into sending your password or clicking on a link in order to fix a problem.
  • Phony security alerts – email, pop-ups, or Facebook notices warning that your computer is at risk of being infected, typically with a link to click.
  • Phony computer support.
  • Money phishing – trying to trick you out of money or bank/credit card account information, often by pretending to be someone from another country who needs assistance accessing a large sum of money, a friend stuck in another country without any money, or an IRS agent claiming that you owe taxes and must pay immediately over the phone.

How to Protect Yourself

  • Learn how to spot a phishing email.
  • If you receive a phishing email:
      • Never click any links or attachments in suspicious emails. If you receive a suspicious message from an organization and worry the message could be legitimate, go to your web browser and open a new tab. Then go to the organization’s website from your own saved favorite, or via a web search. Or call the organization using a phone number listed on the back of a membership card, printed on a bill or statement, or found on the organization’s official website.
      • If the suspicious message appears to come from a person you know, contact that person via some other means, such as a text message or phone call, to confirm it.
      • Report the message to the IT Help Desk.
      • Delete the message or mark it as spam.

What to Do if You’ve Been Phished

If you suspect that you may have inadvertently fallen for a phishing attack, there are a few things you should do.

  1. While it’s fresh in your mind, write down as many details of the attack as you can recall. In particular, try to note any information such as usernames, account numbers, or passwords you may have shared.
  2. Immediately change the passwords on the affected accounts, and anywhere else you might use the same password. While you’re changing passwords, create a unique password for each account; see Create and use strong passwords.
  3. Confirm that you have multifactor authentication (also known as two-step verification) turned on for every account that supports it. See What is: Multifactor authentication.
  4. If this attack affects your work or school accounts, notify the IT support staff at your work or school of the possible attack. If you shared information about your credit cards or bank accounts, contact those companies as well to alert them to possible fraud.
  5. If you’ve lost money or been the victim of identity theft, report it to local law enforcement. The details you recorded in step 1 will be very helpful to them.