10 steps to take after clicking a phishing scam
We all make mistakes. Even clicking on a phishing link can happen to the best of us – sometimes we are in a hurry, or sometimes the phishers are exceptionally clever with their ruse. Whatever the reason, it’s important to be safe and salvage as much of the situation as you can. Here’s a list of steps to follow after follow after clicking on a phishing scam.
See Infosec IQ in action
The ten steps to protect yourself
- Don’t panic! First, make sure that you have been phished. Merely opening a phishing email and reading it will not affect your computer. Nor will accidentally downloading a .zip file that contains malware. It’s only when you unzip the file and then open the document or program inside then you are likely compromised. Knowing the difference can save you from unnecessary stress.
- If you believe you have indeed been phished, immediately disconnect the computer or device from the Internet or network. If it’s a desktop or laptop connected via ethernet cable, unplug it. If you are on WiFi, pull up the menu and turn it off or forget the network.
- Notify your supervisor if you have one. This is the difficult part, as many people are embarrassed about their mistake and worry they will get in trouble. Don’t be afraid: a company with a good phishing policy should not blame the employee. Additionally, every second you delay can potentially make the problem worse.
- Scan your computer for viruses, especially if you opened an attachment. Many phishing emails contain malicious code that can capture keystrokes or take over computers or networks. Microsoft has a free tool, and for Mac there is a free version of Malwarebytes.
- Change usernames and passwords. If the phishing email sent you to a phony site and asked you to enter your credentials, it probably captured that info. To be on the safe side, change all user/passwords for important sites like work email, bank accounts and social media.
- Forward the email to IT, if you have one. If you work for a large company, there may be a specific email address to send phishing emails. You’ll want to include the header information, which shows where the email was sent from; the easiest way to do so is to drag and drop the phishing email into a new email and send.
- Flag the email as phishing. In programs such as Outlook, there are options to flag the email, which sends the info to Microsoft. Check your program’s email instructions for further info.
- Forward the email to the Federal Trade Commission at spam@uce.gov. You should also forward to the Anti-Phishing Work Group at phishing-report@us-cert.gov. Again, include the headers by dragging and dropping the email. If you think your identity has been stolen, go to https://www.identitytheft.gov/ and follow the instructions.
- Alert the business or person the email appeared to be from. This could prevent further attacks, especially if the phishers have hacked into their system and are using their account.
- Evaluate the vulnerabilities of your business. Are there others in the company that can or have made similar mistakes? It may be time to implement stronger anti-phishing policies and add real-world simulations to help prevent further breaches.
Phishing simulations & training
How to evaluate your vulnerabilities
To help you with the final step, Infosec has created Infosec IQ, a platform that contains training, simulation and mitigation tools that can be used by businesses of any size. AwareEd includes interactive videos and tests designed to educate employees about phishing scams and how to avoid them; PhishSim allows administrators to test the vigilance of their workforce by sending fake phishing emails and monitoring the results.
Want to try Infosec IQ for free? Open your free account today and prevent an accidental click tomorrow!
Sources
- Download Malicious Software Removal Tool, Microsoft
- Free Anti-Malware & Malware Removal, Malwarebytes
In this Series
- 10 steps to take after clicking a phishing scam
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
