- IBM Cloud speeds AI workloads with Intel Gaudi 3 accelerators
- Change these 5 settings on your TV for a quick and easy way to improve its picture quality
- How to disable ACR on your TV (and why doing it makes such a big difference for privacy)
- Splunk launches inventory tool to simplify OpenTelemetry monitoring
- Finally, I found an AirTag alternative that's cheaper and lasts twice as long
Help! I clicked on a phishing link – now what?
When you think of phishing emails, you probably think of the crude, grammatically flawed, easy-to-spot samples that go straight to your junk folder.
I regret to inform you that those weak “spray and pray” campaigns are yesterday’s news. The crooks haven’t gotten smarter, but their tools have.
Also: These phishing attacks are targeting Mac browsers – how to protect yourself
With the help of generative AI, online scammers have become dramatically better at crafting and delivering phishing emails that look and sound convincing. Last year, a group of high-powered security researchers found that AI-based phishing tools have reduced the cost of these attacks by more than 95% — while making them brutally effective. One study showed that 60% of respondents fell victim to these automated attacks.
Those tools can help a crook create hyper-targeted, meticulously personalized attacks that can be surprisingly difficult to spot, especially if you’re tired or distracted.
Also: The top 10 brands exploited in phishing attacks – and how to protect yourself
Even certified security experts can be sucker-punched. Just ask Troy Hunt, creator of the “Have I Been Pwned” site. He was fooled by a sophisticated attacker who stole his Mailchimp mailing list. Listen to his explanation of what happened.
Firstly, I’ve received a gazillion similar phishes before that I’ve identified early, so what was different about this one? Tiredness was a major factor. I wasn’t alert enough, and I didn’t properly think through what I was doing. The attacker had no way of knowing that (I don’t have any reason to suspect this was targeted specifically at me), but we all have moments of weakness, and if the phish times just perfectly with that, well, here we are.
Secondly, reading it again now, that’s a very well-crafted phish. It socially engineered me into believing I wouldn’t be able to send out my newsletter, so it triggered “fear,” but it wasn’t all bells and whistles about something terrible happening if I didn’t take immediate action. It created just the right amount of urgency without being over the top.
What to do if you click a phishing link
So, what should you do if you click on one of those links and then discover, to your dismay, that it’s a fake site designed to capture your information? Maybe you realized that almost immediately because something seemed not quite right. Or maybe you’ve already entered some sensitive information. In either case, here’s what to do next.
1. Stop typing!
If you haven’t yet entered any information, close the browser tab or mobile app immediately and consider clearing your cache to eliminate the possibility that the site was able to implant some tracking information.
2. When in doubt, disconnect
If you’re concerned that the site might be more than a garden-variety phishing attempt and that it might be trying to install a remote access tool or another form of malware, disconnect from the network. You can turn on airplane mode on a mobile device or laptop; if you have a wired connection, unplug the Ethernet adapter.
Or just press the power button to shut down while you figure out your next steps.
3. If this is a work device, call your IT department
Let them know what happened so they can check any necessary logs and begin looking for suspicious activity. Be honest. The more information you provide, the more likely they will be able to detect any intrusion and mitigate any damage.
4. Reset your password(s) and turn on 2FA
If you gave the attackers your username and password for an account, you need to change that password as soon as possible, before they have a chance to lock you out. If you entered an email address, phone number, or other personal information that an attacker could use to pose as you, consider securing any accounts that are tied to that information.
Create new, strong, unique passwords for those accounts. If you haven’t enabled multi-factor authentication (also known as 2-factor authentication or 2FA), do that now, especially for critical accounts.
Also: Got a suspicious E-ZPass text? Don’t click the link (and what to do if you already did)
If possible, do this cleanup work on a different PC, Mac, or mobile device than the one where you were phished, to avoid the possibility that the device has been compromised.
5. Scan for malware
If this is a Windows device, run a full antivirus scan on the affected device to determine whether any malicious software was installed. If possible, use an offline scanner like the Emsisoft Emergency Kit or the Microsoft Safety Scanner. Consider reformatting the device or restoring from a known good backup if you suspect it has been compromised.
6. Monitor for suspicious activity
If you gave the attacker access to your Microsoft, Google, or Apple account, you can go to their respective account page, sign in with your credentials, and check for suspicious activity.
Also: What is vishing? Voice phishing is surging – expert tips on how to spot it and stop it
Other online services offer similar features. Look for an option to sign out of all currently connected devices.
7. Don’t be ashamed
You’re the victim of a crime. It could have happened to anyone.
Also: How to protect yourself from phishing attacks in Chrome and Firefox
Concentrate on making sure you recover from any damage. And don’t be afraid to tell other people about your experience. Your experience could be just what someone else needs to avoid becoming a victim themselves.
