What to do when you've been phished and how to deal with it

Do you suspect a phishing attempt? Explore this guide for actionable steps on what to do next. Get assistance in handling potential phishing incidents.

OnSecurity Team
October 13, 2020

Phishing, a cyber-crime that targets victims through email, has become the most common form of online attack. Hackers will attempt to access sensitive information (such as usernames, passwords and credit card details) by sending fraudulent emails to their targets.

Successful phishing attacks can result in identity theft, unauthorised access to data and funds, decline in reputation and a violation of privacy.

What does phishing look like?

Spotting a phishing email can be difficult: hackers are growing more sophisticated in their approach, and emails can appear authentic and trustworthy. There are different ways to spot a phishing email, but the main signs of a phishing attack are:

  • The email asks you for sensitive information, such as passwords or bank details.
  • The email encourages you to open an attachment or link: this allows the phisher access to your device to steal information or infect it with malware.
  • The email makes you panic: the phisher might trick you into thinking your accounts have been hacked and lead you to believe that they can solve the problem.
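The three signs above can be checked mechanically. The following script is an added example written for this page (it is not OnSecurity's code or tooling): it parses a raw email with Python's standard `email` library and reports which of the article's indicators are present. The sample message, sender domains, URL and keyword lists are all constructed for the demonstration and are deliberately small; a production mail filter would use far richer signals.

```python
"""Heuristic phishing-indicator checker for a raw RFC 822 message.

Added illustration (not from the original OnSecurity article). It flags the
three signs the article lists: requests for sensitive information, links or
attachments the reader is pushed to open, and panic-inducing language. It also
flags links whose visible text looks like one domain but points to another.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed keyword lists for the example; real filters use much larger sets.
SENSITIVE_TERMS = ("password", "bank details", "card number", "sort code", "pin")
URGENCY_TERMS = ("account has been hacked", "suspended", "within 24 hours",
                 "immediately", "act now")


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Lowercase hostname of a URL or bare domain, or '' if there is none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def check_message(raw: bytes) -> dict:
    """Map each indicator name to the list of evidence strings that fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {"asks_for_sensitive_info": [], "links_or_attachments": [],
                "urgency": [], "mismatched_links": []}

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = re.sub(r"<[^>]+>", " ", body).lower()  # crude tag strip for keyword search

    for term in SENSITIVE_TERMS:
        if re.search(r"\b" + re.escape(term) + r"\b", text):
            findings["asks_for_sensitive_info"].append(term)
    for term in URGENCY_TERMS:
        if re.search(r"\b" + re.escape(term) + r"\b", text):
            findings["urgency"].append(term)

    for part in msg.iter_attachments():
        findings["links_or_attachments"].append(
            "attachment: " + (part.get_filename() or "(unnamed)"))

    if body_part and body_part.get_content_type() == "text/html":
        extractor = _LinkExtractor()
        extractor.feed(body)
        for href, label in extractor.links:
            findings["links_or_attachments"].append("link: " + href)
            # Visible text that looks like a domain but resolves elsewhere is a classic lure.
            if label and "." in label and _host(label) and _host(label) != _host(href):
                findings["mismatched_links"].append(f"{label} -> {href}")
    return findings


def risk_score(findings: dict) -> int:
    """Number of indicator categories that fired; 0 means none of the signs were seen."""
    return sum(1 for evidence in findings.values() if evidence)


# Constructed sample message: fictitious sender, domains and URL.
SAMPLE = b"""From: "Example Bank Security" <alerts@examp1e-bank-secure.test>
To: victim@example.test
Subject: Your account has been suspended
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been hacked and suspended. Confirm your password and card number
within 24 hours at <a href="http://login.examp1e-bank-secure.test/verify">example-bank.test</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    result = check_message(SAMPLE)
    for indicator, evidence in result.items():
        print(f"{indicator}: {evidence}")
    print("indicator categories triggered:", risk_score(result))
```

Run against the constructed sample, all four categories fire: the body asks for a password and card number, it uses suspension and 24-hour deadline language, and the visible link text names one domain while the href points at another. A plain "see you at noon" message scores zero. The keyword matching is word-bounded so that "pin" does not fire on "shipping"; that is the kind of false positive an unbounded substring check would produce.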

What to do if you've been phished

So, you've fallen victim to a phishing attack: don't worry, it can happen to anybody. But what should you do next?

If you are suspicious of an email but haven't responded yet, make sure that you report it to your company's IT department. They will be able to look at the email and recognise an attempted security breach.

If the email or text is from a reputable organisation but something doesn't feel right, visit the company's website to see if they will ever ask you for sensitive information. As a general rule, companies will never ask you for sensitive information (such as passwords or bank details) over email, text or phone.

Don't forget to contact the person or company that has been spoofed: they should know that hackers are impersonating them and can help prevent future phishing scams.

If you have already responded to a phishing email, follow these steps to protect you and your business:

  1. Take your device offline

If you have been phished, the first thing you need to do is disable your internet connection. This will help to contain a malware infection and stop the virus from spreading to other devices.

  2. Change your passwords

This is an absolute must if you have been phished. You need to change the passwords for any accounts that might have been hit in the cyberattack. Change your passwords from a different device to ensure that the hacker can't access your new information. Remember to always use unique passwords – never use the same password for multiple accounts – and use a combination of letters, numbers and symbols. Now might be a good time to set up two-factor authentication for your accounts if you haven't already.

  3. Contact your bank

If you think your credit card information or bank details have been disclosed in the scam, make sure to contact your bank immediately. They might suggest freezing your account or cancelling your card.

  4. Back up your files

To protect your data from the phishing attack, back up your files to an external hard drive or USB.

  5. Report the attack

You should report the phisher to protect others from the scam. You can do this by:

  • Emailing the Suspicious Email Reporting Service (SERS) at report@phishing.gov.uk
  • Calling Action Fraud on 0300 123 2040 or through their online service

  6. Scan your device with anti-virus software

If you clicked on any links in the phishing email, your device may have been compromised. It is important to check for viruses by scanning your device with anti-virus software. If you suspect you have been infected with malware, it may be sensible to reinstall your anti-virus software or even your entire operating system from a reputable source, as it is possible your existing install has been compromised so that it does not detect the recent infection.

  7. Contact the person or company that was spoofed

Just as when you haven't responded to the phishing email, it is important to contact the person that the phisher was impersonating: informing them might help prevent future cyberattacks.

  8. Continue to check for suspicious activity

Even if you have informed your bank of the phishing scam, you should continue to check your accounts for suspicious activity. This could be unauthorised usage of your credit card or foreign access to your accounts.

Protect your organisation with OnSecurity's Phishing Simulation Service

If you want to protect your organisation from future phishing emails, why not try OnSecurity's Phishing Simulation Service?

A simulated phishing email can be sent to staff across your organisation. The email will ask your employees to click links or enter sensitive information, just as a real phishing email would.

The service allows your staff to learn from their mistakes in a safe environment and raises awareness of real phishing scams.

Don't wait any longer to protect your business! Book a Phishing Simulation Service by getting in touch with a member of our expert team.
