What Is a Phishing Attack?
In this notorious scam that has dominated the email threat landscape for decades, a malicious actor poses as a reputable party, sending fraudulent emails with the goal of tricking victims into sharing sensitive credentials or downloading malware. Phishers typically employ social engineering techniques to craft well-researched, convincing attack campaigns. Phishing emails often contain malicious URLs that direct users to fraudulent websites where credentials are collected; however, attackers are increasingly employing stealthy fileless techniques in an effort to evade detection.
Costly Clicks - Beware of Phishing Links
Clicking through a malicious link embedded in a phishing email can have severe consequences including data theft, account compromise and financial loss. One wrong click can also result in serious reputation damage and significant downtime - or even permanent closure - for businesses. Sensitive information stolen in a phishing scam can be used to initiate fraudulent wire transfers in which a victim is tricked into transferring funds to an account controlled by the attackers. The FBI has released that a reported $221 million was lost to wire transfer fraud in 2019 - and only 15% of wire fraud is reported. Email accounts that are compromised in phishing attacks can also be used in dangerous email account compromise (EAC) scams to compromise further accounts.
Clicking on a phishing link or opening an attachment in one of these messages may install malware, like viruses, spyware or ransomware, on your device. This all happens behind the scenes, so it is undetectable to the average user. In some cases, clicking through a phishing link results in the installation of ransomware, spyware or other dangerous malware. Ransomware victims typically experience significant downtime and data loss.
Don’t Rush! Stop and Think Before You Click
Always take time to stop and think before interacting with an email in any way. Phishing attacks often convey a sense of urgency to dissuade recipients from engaging in this best practice.
Businesses can protect against phishing by implementing a layered supplementary cloud email security solution that offers malicious URL protection and uses multiple email authentication protocols to detect email spoofing and prevent sender fraud.
How Do I Know if I’ve Clicked on a Phishing Link?
Before anything, it is important you confirm you interacted with a phishing link, which can be confirmed by inconsistencies in the sender’s email address, links and domains. Hovering your cursor over the link before clicking provides a preview of the URL, a domain that doesn’t exist is likely to be a phishing link. After confirming the phishing link, you must stop interacting with the page and delete any downloaded files. Search for the intended target site using a search engine. Compare the legitimate web address and content to the phishing site. Watch for suspicious account activity, calls, or texts. If attackers have previously collected your data successfully, victims may receive additional calls or messages asking for further action, as there is a higher likelihood the victim will engage after falling for a previous attempt.
What if I Clicked on a Phishing Link on My Smartphone?
Smartphones are susceptible to hacking via phishing links found in text messages, email, or software. By interacting with a phishing link, you run the risk of accidentally downloading malware, or being redirected to a malicious website controlled by hackers who intend to collect user information. A hacker only needs a device connected to the internet to infect it with malware.
Smartphones may be exploited with multiple malware variants. Purpose-built apps can compromise your device by causing apps to malfunction, drain your battery or data, slow the device, or even install apps.Most importantly, it is critical to learn from the incident and proceed with caution. Always take time to stop and think before interacting with an email in any way. Phishing attacks often convey a sense of urgency to dissuade recipients from engaging in this best practice. That being said, the single most effective method of preventing phishing attacks is investing in a comprehensive, fully-managed email security solution.
Next Steps to Take if You’ve Clicked on a Phishing Link
In the event that you do fall for a phishing scam, it is important to be aware of the actions you can take to help safeguard compromised information and recover from the attack. Even if you clicked on a phishing link but didn't enter any information, you are still at risk, as the link may still have been used to deploy malware or spyware on your device.
Our security engineers recommend these next steps that you should take if you either know or suspect that you’ve experienced an attack:
Disconnect your device from the Internet.
Disconnecting from the internet will help reduce the risk of malware spreading to other devices on the network. This will also prevent a malicious actor from accessing your device or sending out confidential information from it.
- Enable airplane mode on iPhone and Android. Airplane mode can temporarily block hackers while your device is not connected to Wi-Fi. To enable airplane mode for iPhones: swipe down and tap Airplane Mode in Command Center to turn on and off. For Android: swipe down from your home screen and tap Airplane Mode to turn on and off.
- Disconnect Wi-Fi on a laptop. To disconnect your laptop from the Wi-Fi: right-click the network icon > Click Network & Internet Settings > Click Wi-Fi networks > Click the network to remove or delete under the Manage Networks list, then click forget.
- Disable an Ethernet Connection in Windows 10. To disable an ethernet connection from your device start by opening the Wi-Fi networks panel > select the network you want to disconnect from > click Disconnect.
Contact your bank.
Set up a fraud alert with either Equifax, Experian or TransUnion that you can place on your credit report to make it more difficult for the attacker to open a new account in your name.
Backup your files.
Backing up your data is the best way to minimize the damage in the event of a phishing attack, or in case they get erased in the recovery process.
Change your username and password.
If you were directed to a fraudulent website where you attempted to login, immediately change your username and password. Use a password manager to make changing passwords across all devices easier. It will also help you to identify weak passwords and assist you in changing them to more secure ones.
Scan your system for malware.
After disconnecting your device from the internet, use an antivirus program to perform a scan of the device. Once completed, remove or quarantine any of the suspicious files detected.
Report the incident to the Federal Trade Commission (FTC).
The FTC will provide you with a step-by-step recovery plan. Forward the phishing email that you received to
Enroll in cybersecurity awareness training.
The best way to prevent a successful phishing attack is by being educated. With proper cybersecurity awareness training, you will learn about threats such as phishing, ransomware, social engineering attacks and more.
Tips & Best Practices to Avoid Clicking on a Phishing Link in the First Place
In order to prevent an attack, it is best to be aware of cybersecurity best practices and tips for recognizing a phishing email. Some tips for avoiding a phishing attack and protecting sensitive information include:
- Check for spelling and grammatical errors, suspicious subject lines and signatures. This is a key indication that the email is a phishing scam.
- Be wary of the display name, an email may say it’s from a known or trusted sender, but that might not be the case. Even if the email address is legitimate, the message could come from a compromised account.
- Evaluate the salutation, is the greeting vague or general, does the tone sound suspicious coming from the person the email is allegedly from?
- If something feels off, confirm the legitimacy of the email with the sender before interacting with it, or contact the source with a new email as opposed to hitting reply.
- Scan attachments for viruses, malware, or other dangerous code.
- Verify shared links to ensure they do not lead to fraudulent websites or malicious code.
- Phishing emails often urge users to act quickly, beware of this and think things through.
- Most importantly, think before you click. If there is something suspicious about the email, evaluate for warning signs.
Most importantly, if you’ve accidentally clicked on a phishing link it is critical to learn from the incident and proceed with caution. Always take time to stop and think before interacting with an email in any way. Phishing attacks often convey a sense of urgency to dissuade recipients from engaging in this best practice. That being said, the single most effective method of preventing phishing attacks is investing in a comprehensive, fully-managed email security solution.
Phishing Is Evolving
Are Your Current Email Defenses Falling Behind?
- What Is Guardian Digital EnGarde Cloud Email Security?
- What are Some Examples of Malicious Code & What Can They Do?
- How to Properly Scan Your Windows Computer for Malware & Remove Malware from Your PC
- What Should I Do if I Accidentally Clicked on a Phishing Link?
- What Are Denial of Service (DoS) Attacks?
- Why Should Businesses Outsource Email Security?
- What Is Domain Spoofing?
- What Are Insider Threats & How Can You Reduce Your Risk?
- The Silent Assassins: How Impersonation Attacks Target CEOs via Email
- How Can I Choose the Right Email Security Service for My Organization?