
What to Do if You’ve Fallen Victim to a Phishing Attack

by Cybergal | Last Updated | May 17, 2022
CyberSecurity - Consumer|CyberSecurity - SMB

Phishing is social engineering at scale: a single campaign lets an attacker target hundreds or even thousands of victims at once. Common variants are spear phishing (aimed at a specific person), whaling (aimed at executives), smishing (by SMS) and vishing (by voice call).

We are all at risk of falling victim to phishing attacks because of our increased reliance on email and mobile devices.


Cybercriminals aim phishing attempts at fatigued workers in the hope of catching them off guard with an attention-grabbing email. They also run phishing schemes against individual users by using fear and intimidation, such as a warning that an account will be closed. And it sometimes works.

Why we should be scared of phishing

In recent years, phishing emails have become one of the most hazardous types of cyber threat. Typical cybersecurity defenses such as firewalls and antimalware tools are effectively bypassed, because the message itself contains no exploit: it attacks the end user directly and relies on the recipient clicking a link, opening an attachment or typing in a password. Unfortunately, many users are unaware of the risk or lack the training to recognize such emails.


A number of recent examples demonstrate the breadth of phishing attempts. Taken together, they show that phishing is a widespread problem that affects not only businesses but also individual users.

The World Bank attack

Not even global organizations are spared. In fact, attackers prefer them, because a well-known name lends a lure a sense of legitimacy and trust.

The World Bank initiated a climate-related project to help developing countries brace for the effects of climate change. In 2015, attackers breached the project website and planted a PayPal phishing page on it.

The fraudulent website was designed to deceive customers into disclosing personal information such as names, passwords, financial details, and more. Visitors were led to the climate project’s PayPal website only after they submitted this information.

The phishers preyed on users' trust in the World Bank's reputation to obtain sensitive information about the victims' bank accounts.

The Internal Revenue Service email scam

Also in 2015, the IRS discovered an email phishing scheme targeting taxpayers. The attackers sent emails posing as IRS messages asking recipients to update their IRS e-Services information. The links in those emails led to a look-alike e-Services login page designed to capture e-Services usernames and passwords.

Holiday phishing scams

During holidays, airlines and hotels offer special deals. This acts as a magnet for cybercriminals.

Phishers know that vacations during these periods are in high demand, with many people shopping for low-cost flights and getaways. Criminals impersonate well-known brands and set up phishing websites promising deals that are too enticing for some to pass up.

Aside from holidays, cybercriminals are exploiting the pandemic with Covid-19-themed email messages to elicit people’s healthcare information. Phishers are also exceptionally active during Black Friday, the biggest retail sales day in the United States.

What to Do if You’ve Been Phished

If you fall victim to a phishing attack, don't panic. Here are 11 steps to take immediately to protect yourself and limit what the attacker can do with your compromised information:

1. Disconnect your device from the Internet

If you suspect you've downloaded a virus or clicked on a phishing link, the first thing you should do is disconnect your device from the network.


Open your network settings and disconnect from the network you're on (turn off Wi-Fi, or unplug the Ethernet cable). If you're having trouble finding your network settings, you can simply turn off your wireless router.

Disconnecting your Wi-Fi connection is critical since it allows you to:

2. Change your login credentials immediately

Malware delivered by phishing can collect sensitive data such as usernames and passwords, financial account numbers, and other identifying information.

If you believe you've been the victim of an email scam, change your online credentials right away. This applies to all your online accounts, including email, online banking, social networking, and shopping accounts. Do it from a device you trust, not the one you suspect is infected, because a keylogger on the compromised device would capture the new passwords too. Start with your email account, since an attacker who controls it can reset the passwords on the others, and turn on multi-factor authentication wherever it is offered.


Make sure you don't use the same username and password for all of your online accounts; a password manager makes unique passwords practical. With unique credentials, a password stolen from one site cannot be reused to log in to your bank or your email, which makes it much harder for criminals to access your personal information or drain your accounts.


3. Back up your files

Recovering from a phishing attack, for example by wiping and reinstalling a device, can destroy your data. Backing up all of your data is important, but especially files containing sensitive content.

Make a backup on an external hard drive, USB thumb drive, or save your data to the cloud remotely. Backing up your data on a regular basis is critical in combating future phishing attacks and should be part of any cybersecurity strategy.


If you back up your files regularly, you may only need to back up files that have been changed or created since the previous backup.

If you haven't already done so, use one of the methods above to copy your files to a backup device or service. External hard drives and thumb drives have become significantly cheaper over time and can hold a large amount of data. Keep the backup drive disconnected when you are not using it, so that malware on the computer cannot reach it.
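The incremental backup described above, copying only files that are new or changed since the last run, as an added example in Python (it is not part of the original article or any product it mentions). It records a SHA-256 hash of every file in a manifest stored beside the backup; the manifest file name, the sample files and the directory names are constructed for the demonstration.

```python
"""Incremental file backup: copy only files that are new or changed since
the previous run, decided by content hash rather than by timestamp.
Added example; not part of the original article."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = ".backup-manifest.json"  # assumed name for the hash record


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(dst: Path) -> dict:
    mf = dst / MANIFEST_NAME
    return json.loads(mf.read_text()) if mf.exists() else {}


def incremental_backup(src: Path, dst: Path) -> list[str]:
    """Copy every file under src whose hash is absent from, or differs from,
    the manifest in dst. Returns the relative paths that were copied.
    Hashes are used instead of modification times so a file whose bytes
    changed is backed up even if its timestamp was not updated."""
    dst.mkdir(parents=True, exist_ok=True)
    manifest = load_manifest(dst)
    copied = []
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        digest = sha256_of(path)
        if manifest.get(rel) == digest:
            continue  # unchanged since the last backup
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 keeps the original timestamps
        manifest[rel] = digest
        copied.append(rel)
    (dst / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return copied


def demo() -> tuple[list[str], list[str], list[str]]:
    """Three runs over constructed sample files: full, no change, one edit."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "documents", Path(tmp) / "usb-backup"
        (src / "tax").mkdir(parents=True)
        (src / "notes.txt").write_text("constructed sample file\n")
        (src / "tax" / "2021-return.txt").write_text("constructed sample file\n")
        first = incremental_backup(src, dst)    # everything is copied
        second = incremental_backup(src, dst)   # nothing changed, nothing copied
        (src / "notes.txt").write_text("edited after the last backup\n")
        third = incremental_backup(src, dst)    # only the edited file
        return first, second, third


if __name__ == "__main__":
    for label, files in zip(("first", "second", "third"), demo()):
        print(f"{label} run copied: {files}")
```

Run it as a script to see the three runs; point `incremental_backup` at your documents folder and a folder on the external drive to use it for real. The manifest lives on the backup drive, so wiping the computer does not lose the record of what has already been saved.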

4. Run a malware scan on your devices and network

Depending on your level of technical skill, decide who will carry out this step. If you are not particularly tech savvy, have your devices scanned for malware by a specialist; get recommendations from friends, family, or a trusted security provider.

If you want to handle this step yourself, perform a complete two-stage scan: take the device offline first, then run a full scan with your antivirus program.


You may see an error message saying the program could not connect to the Internet. Ignore it: the scan still works offline, using the virus definitions already on the device. Avoid reconnecting, because that would let any malware on the device keep working and communicating with the attacker.

Be patient as the scan may take some time to complete. Do not use your device for anything else during this time. When the scan is finished, you will be alerted. To remove any suspicious files discovered, simply follow the program’s instructions.

For a second opinion, run another scan with a different free or commercial antivirus program. Download it on a clean device, not the compromised one, and carry it over on a USB stick, so that the compromised device stays offline.

Investopedia investigated some options, taking into account their antivirus and ransomware features. They recommend the following: [8]

If you’re still having problems with your device or want to make sure it’s clean, bring it to a professional.

5. Contact the spoofed company

If the cybercriminal is impersonating a reputable company, you must alert them to the phishing attack. This may be your bank, credit card company, service provider, or employer.


To mitigate the harm, they’ll want to conduct an internal investigation, deal with any data leaks, and contact any other victims who may have been targeted.

Let your bank or credit card company know what happened straight away. Your financial accounts may not have been used yet, and reporting the incident promptly helps prevent fraudulent use of your compromised accounts.

6. Flag the phishing email

If your email provider hasn't already flagged the phishing email, report it manually. The provider can then treat the sender as suspicious and move similar messages to your spam/junk folder.

In Gmail, when you move a message to Spam or report it as phishing, Google receives a copy and may analyze it to help protect you and other users from similar messages.


To report a phishing email in Gmail on a computer, do the following:

7. Alert your security team

If you work for a company, you should notify your IT department about the phishing attack.

There is nothing embarrassing about admitting you've been phished, but it is critical to notify your security team as quickly as possible. Acting fast lets the team reset the credentials you entered, check whether other employees received the same message, and lock down other company systems to stop malware spreading.

If you're an individual user, report the message to your email provider. Most providers have built-in tools that make this simple: Outlook, Gmail, and Yahoo! each offer a "Report phishing" option on the message.

8. Check your account balances

If the phishing attack involved your financial accounts, review your accounts for suspicious activity. If you’ve previously discovered strange or unusual activity on your bank or credit account and set a fraud alert or credit freeze, you might want to keep it that way until you’re sure it’s safe to remove it. Also, keep an eye out for any bills from utility companies or other service providers that aren’t yours.


9. Look out for warning signs of identity theft

Long before the identity theft is discovered, stolen information is often used to take over accounts, open credit cards, or get medical care. There are several warning signs that your personal information has been stolen and used fraudulently.


Here are some of them:

10. Set up a fraud alert

To protect yourself, contact one of the main credit bureaus and request a free fraud alert on your credit file. Let them know that your information has been compromised. This may seem like overkill, but it is better to be cautious than sorry.


Experian, Equifax, and TransUnion are the three primary bureaus in the United States. When you place a fraud alert with one of them, it is required by law to notify the other two on your behalf. A fraud alert makes it more difficult for fraudsters to open new accounts in your name, because lenders must take extra steps to verify your identity first.

11. Submit a report to the appropriate agencies

If you've been the victim of a phishing email, you should inform one or more of the following organizations:

Our final thoughts: staying safe from phishing attacks requires a great deal of common sense. When checking your mailbox, be cautious and take a moment to think before opening, clicking links in, or downloading anything from a suspicious email.

If you receive an email that appears to be from your bank, credit card company, or a social media site, examine it carefully. Instead of disclosing any personal information, go to the website yourself (type the address or use a bookmark rather than clicking the link) and log in, or phone the company, to see whether the email is genuine.
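One concrete way to "examine it carefully" is to look at where the links in the message really go, as in the IRS example above where the links led to a look-alike login page. The following Python script is an added example, not part of the original article: it pulls every link out of an HTML email body and flags three things that practitioners check for, a link whose visible text shows one domain while its target is another, a link that points at a bare IP address, and a link whose domain is not the domain of the organization the message claims to come from. The sample message is constructed for illustration, and `registrable_domain` is a deliberately simplified helper (real code should use the Public Suffix List).

```python
"""Inspect the links in an email body before clicking on any of them.
Added example; not part of the original article. The sample message is
constructed and is not a real phishing email."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample: a message that claims to come from example-bank.com.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked.</p>
<p><a href="https://example-bank.com.account-verify.example.net/login">
https://www.example-bank.com/login</a></p>
<p><a href="http://203.0.113.7/secure">Verify now</a></p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplified on purpose: a real checker
    should use the Public Suffix List so that suffixes like co.uk work."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html: str, claimed_domain: str) -> list[tuple[str, str]]:
    """Return (href, reason) for every link that deserves suspicion."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        if is_ip(host):
            findings.append((href, "link points at a bare IP address"))
            continue
        # Does the visible text display a different domain than the real target?
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append((href, f"displayed domain {shown.group(1)} differs "
                                   f"from real target {host}"))
            continue
        if registrable_domain(host) != claimed_domain.lower():
            findings.append((href, f"target {host} is not under the claimed "
                                   f"sender domain {claimed_domain}"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL, "example-bank.com"):
        print(f"SUSPICIOUS: {href}\n    {reason}")
```

In the sample, the first link is flagged because it displays www.example-bank.com but really leads to a host under example.net (the familiar name has simply been placed in front of the attacker's domain), the second because it points at a raw IP address, and the "Help centre" link passes because it is genuinely under the bank's domain. Most mail clients show the real target when you hover over a link; this script does the same check for every link at once.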
