Don’t panic, you’re probably ok.
We’ve probably all fallen for it. We’re mindlessly browsing our email, click on a link in one of them and are redirected to a page where we’re asked to enter our username and password. Or a popup comes up with some junk ads and a warning sign emblazoned with: “You’ve been Infected!”
My name is Aaron. I’m a lawyer and cybersecurity practitioner with over a decade of experience. I’ve also clicked on a phishing link before.
Let’s talk a little bit about phishing: what it is, what to do if you click a malicious link, and how to defend yourself against it.
Key Takeaways
- Phishing is a way to get you to disclose information or provide money.
- Phishing is a large-scale attack of opportunity.
- If you’ve been phished, stay calm, file a police report, talk to your bank (if applicable) and try to rid your computer of viruses (if applicable).
- The best defense against phishing is knowing what it looks like and avoiding it if possible.
What is Phishing?
Phishing is fishing with a computer. Imagine this: someone, somewhere, has written an email designed to defraud you of information and money. That’s the lure. They cast their line by sending the email to hundreds of people picked at random. Then they wait. Eventually, someone will respond, or click their link, or download a virus from the email and they have their catch.
That’s pretty much it. Very simple, yet very devastating. It’s the top way that cyberattacks are started, nowadays. I’m going to get into what a phishing email looks like later, but there are a few common ways a cyberattack happens via phishing. The kind of attack is relevant for what to do next.
Request for Information or Money
Some phishing emails will request information, like a username and password, or they’ll request money. We’ve all probably heard about the Nigerian Prince scam, where a Nigerian Prince emails you saying that you’ve inherited millions of dollars, but you need to send a few thousand in processing fees. There are no millions, but you may be out thousands if you fall for it.
Malicious Attachment
This is one of my personal favorites and I’m going to introduce it with an anecdote. Someone working for a company, who’s never handled a bill for the company, gets an email saying: “Bill overdue! Pay immediately!” There’s a PDF attachment. That employee then opens the bill, despite never having done so before, and malware is deployed on their computer.
The malicious attachment is a file that can be opened by the recipient which, when opened, downloads and executes a virus or other malicious payload.
Malicious Link
This is similar to the Malicious Attachment, but instead of an attachment, there’s a link. That link can do a few things:
- It can redirect to a legitimate-looking, but illegitimate site (e.g.: a site that looks like a Microsoft log-in page which isn’t).
- It can download and execute a virus or other malicious payload on your computer.
- It can also go to a site that locks up user input and makes it seem like you’ve downloaded something malicious and asks for payment to unlock.
What Do You Do If You’ve Been Phished?
Whatever you do, don’t panic. Keep a level head, take a few deep breaths, and think about what I’ve told you here.
Keep your expectations reasonable. People will be sympathetic and want to help you, but at the same time, there are things you just can’t do. For example, it’s difficult to recover money after it’s been transferred. Not impossible, but difficult. Another example: you can’t just change your Social Security Number (for U.S. readers). There’s a very high bar you have to meet to have that change made.
Regardless of what happens, call your local law enforcement. In the U.S. you can call the police and the FBI. Even if they can’t help you with your immediate problem, they aggregate information for trend management and investigations. Remember, they may ask for a copy of your hard drive as evidence. Evaluate whether or not you want to pursue that as an option.
If you make a payment for any of these forms of phishing, filing a police report will help with the next step, which is calling your bank or credit card fraud department to initiate a recovery action. That may not be successful, ultimately, but it’s worth a try.
Requests for Information or Money
If you responded to an email or clicked a link and provided your personal information or a payment, then you should file a police report, as that will help with recovery of funds or handling potential future identity theft.
If you provided your Social Security Number or other personally identifiable information, you can contact the three major credit agencies Equifax, Experian, and TransUnion to freeze your credit.
That prevents fraudulent lines of credit (e.g. loan, credit card, mortgage, etc.) from being taken out in your name. That is a very American-centric recommendation, so please contact the credit authorities in your country (if not the three above) to address fraudulent lines of credit in your country.
Malicious Attachment
Chances are that Windows Defender, or your malware detection and response software of choice, will stop this automatically. If it doesn’t, then you’ll see very significant performance issues, inaccessible encrypted information, or deleted information.
If you can’t address the problem using endpoint malware software, then you may need to just reformat the computer and reinstall Windows. Here’s a straightforward YouTube video about how to do that.
But I’m going to lose all my important files! If you don’t have a backup, yes. Yes, you will.
Right now: start a Google, Microsoft, or iCloud account. Seriously, pause reading here, go set one up, and come back. Upload all your important files to it.
All of those services let you access your files from your computer and use them as if they were stored locally. They also provide version history. Your worst-case scenario is ransomware, where the files are encrypted. You can roll back file versions and get your files back.
There’s no reason not to set up cloud storage and put all your important unlosable files there.
Malicious Link
If the Malicious Link deployed a virus or malware and you’re having problems with it, follow the directions in the previous section, Malicious Attachment.
If the Malicious Link asked you to input a username and password, you need to reset your password immediately. I would also recommend resetting your password wherever else you used that same password with the same or a similar username. The sooner you do that, the better, so don’t put it off!
How Can You Spot a Phishing Email?
There are a few things to look out for to identify a phishing email.
Is the message from a legitimate source?
If the message purports to be from Adobe, but the sender email address is @gmail.com, then that’s unlikely to be legitimate.
Are there significant misspellings?
This isn’t a tell on its own, but in combination with other signs it indicates that something may be a phishing email.
Is the email urgent? Is it prompting you for immediate action?
Phishing emails prey on your fight-or-flight response to get you to act. If you’re being contacted, say by the police, call the police and see if they’re actually looking for you.
Most payments you make aren’t in Google Play or iTunes gift cards.
Along the lines of the above, a lot of fraudulent schemes ask you to pay with gift cards, because they’re largely untraceable and non-refundable once used. Official organizations or law enforcement won’t ask you to pay for things with gift cards. Ever.
Is the request expected?
If you’re being told to make a payment or be arrested, have you done the thing you’re being accused of? If you’re being asked to pay a bill, are you expecting a bill?
If you’re being asked to input a password, does the site look legitimate?
If you’re redirected to a Microsoft or Google login, close the browser completely, reopen it, and then log in to Microsoft or Google. If you’re being prompted to input the password for that service after logging in, it’s not legitimate. Never input your password unless you, yourself, go to the legitimate website.
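As an added illustration of the checks above (example code written for this article, not a tool from the author), the following Python script scores a raw email against the signs listed: sender domain versus the brand it claims to be, urgency wording, gift-card payment demands, and links that lead somewhere other than the claimed brand. The brand-to-domain table and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed lookup (assumption): brand a sender may claim -> that brand's real domain.
BRAND_DOMAINS = {"adobe": "adobe.com", "microsoft": "microsoft.com", "google": "google.com"}
URGENCY_TERMS = ("immediately", "urgent", "overdue", "suspended", "within 24 hours")
GIFT_CARD_TERMS = ("gift card", "itunes", "google play")

def same_org(domain, brand_domain):
    """True if domain is brand_domain or a subdomain of it (so 'notadobe.com' fails)."""
    return domain == brand_domain or domain.endswith("." + brand_domain)

def claimed_brand(text):
    """Return the first known brand name mentioned in the text, if any."""
    low = text.lower()
    return next((b for b in BRAND_DOMAINS if b in low), None)

def triage(raw_email):
    """Return a sorted list of red-flag tags found in a raw RFC 822 message."""
    msg = message_from_string(raw_email)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = " ".join([display_name, msg.get("Subject", ""), body]).lower()
    brand = claimed_brand(text)
    hits = set()
    # 1. The sender's real domain should belong to the brand it claims to be.
    if brand and sender_domain and not same_org(sender_domain, BRAND_DOMAINS[brand]):
        hits.add("sender-mismatch")
    # 2. Pressure to act right now.
    if any(term in text for term in URGENCY_TERMS):
        hits.add("urgency")
    # 3. Payment demanded in gift cards.
    if any(term in text for term in GIFT_CARD_TERMS):
        hits.add("gift-card")
    # 4. Links whose domain is not the claimed brand's.
    for link_domain in re.findall(r"https?://([\w.-]+)", body.lower()):
        if brand and not same_org(link_domain, BRAND_DOMAINS[brand]):
            hits.add("link-mismatch")
    return sorted(hits)

# Constructed sample messages (not real emails).
PHISH = """\
From: Adobe Support <billing.notice@gmail.com>
Subject: Your Adobe account will be suspended
Content-Type: text/plain

Your invoice is overdue. Pay immediately at http://adobe-verify.example.net/login
using iTunes gift cards to avoid suspension.
"""
LEGIT = """\
From: Adobe <noreply@mail.adobe.com>
Subject: Your monthly statement is ready
Content-Type: text/plain

View your statement at https://www.adobe.com/account when convenient.
"""
```

Running `triage(PHISH)` flags all four signs, while `triage(LEGIT)` returns an empty list; a real mail filter would add header authentication (SPF/DKIM) on top of these content heuristics.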
FAQs
Let’s cover some of your questions about phishing links!
What to do if I Clicked on a Phishing Link on My iPhone/iPad/Android Phone?
Follow the instructions above. The good thing about an iPhone, iPad, or Android is that there’s very little in the way of web-based or attachment-based viruses or malware for those devices. Most malicious content is delivered through the App or Play Stores.
What to do if I Clicked on a Phishing Link But Did Not Enter Details?
Congratulations, you’re ok! You spotted the phish and avoided it. That’s exactly what you should do with phishing links: don’t input your data. Work towards not even interacting with them next time. Better yet, report spam/phishing to Apple, Google, Microsoft or whoever your email provider is! All of them provide a way to do so.
Conclusion
If you’ve been phished, just stay calm and manage your affairs. Call law enforcement, contact impacted financial institutions, freeze your credit, and reset your passwords (all as-applicable). Hopefully, you also took my advice above and set up cloud storage. If not, go set up cloud storage now!
What else do you do to keep your data safe? What do you look for to avoid phishing emails? Let me know in the comments!