We are all susceptible to phishing scams in both our work and personal lives. Phishing is the most common cyber-crime, with an estimated 3.4 billion spam emails sent every day. A successful phishing attempt may lead to stolen credentials, which is the most common cause of data breaches. Therefore, it is important to learn how to protect yourself from these scams.
How do phishing attacks work?
Phishing Emails
Phishing Calls
Examples of phishing scams (and how to address them)
What to do if you click on a link or attachment in a phishing message
Signs your account has been hacked
Phishing scams will often use manipulation tactics to elicit a response. They may create a sense of urgency by telling you they need an immediate response, otherwise something bad could happen. Or they may promise something too good to be true, like a free vacation to an exciting destination, if you just provide some personal information. Regardless of how they go about it, all phishing scams are after something, whether that is obtaining personal information or unleashing malware onto your device. Most phishing scams will come in the form of electronic messages (texts or emails) and phone calls.
Most people fall victim to these scams when they are in a hurry or distracted. Make sure you follow best practices for email security. Read email and text messages very carefully. Never click on a link or download an attachment that you are not expecting. It is also important to keep in mind that legitimate organizations will rarely ask for personal information unprompted. If you are ever unsure about any communication you receive, you should contact the organization or person directly to confirm whether the communication came from them.
These are the steps you should take if you believe you have received a phishing email or text message:
- For emails, mark the message as spam (which reports the spam/scam to your email provider)
- Block the sender (so you don’t get another message like this)
- Do not reply to the message
- If available, forward the message to the domain owner to report the scam (e.g. phishing@virginmedia.com)
Phishing scams can also come in the form of phone calls, either from a live person or an automated voice message. If anyone calls asking for money, credit card numbers, social security numbers, bank information, or other personal information, always be suspicious. Hang up the phone and block the caller immediately.
Below are some examples of potential phishing scams you could come across and how to address them.
- You receive an unexpected text from your credit card company saying that there was a large purchase made from your account, and they provide a link to log in with your username and password to confirm or reject the charge. You check your credit card app and there is no notification about a pending charge, and no record of it in your statement.
  - Solution: Instead of replying or clicking on the link in the text message you received, you should contact the credit card company directly, either through the app or by looking up the phone number online, to confirm whether the claim from the text is accurate.
- You receive an email from a friend who you haven’t spoken to for a while. The email has an attachment with the body of the email saying, “Check this out!”
  - Solution: Instead of replying to the email or downloading the attachment, you can reach out to the friend using a different method (e.g. a phone number you already have programmed into your phone) to check if they sent the email.
If you do click on a link or open an attachment in a phishing message, the following actions should be taken immediately:
- Change your credentials (e.g. username and password)
- Scan your device for malware
- Disconnect your device from any Wi-Fi networks to stop the attack from spreading
- Delete or stop any downloads initiated by clicking on a link in a phishing email
- Report to Information Security immediately if you open a link/attachment in a phishing email on your Dartmouth device
If hackers have gained access to one of your personal or work accounts through a phishing attack, you may notice the following:
- Issues logging in with your current password
- Emails in your Sent folder that you did not send, or missing emails from your Inbox
- Receiving unprompted password reset emails or Duo alerts on your device
If you notice any of these signs that your account has been hacked, you should take immediate action to change your user credentials. Some accounts, like Gmail, have an option to log out of all your devices at once. You should use this option if available for a hacked account.
All instances of a hacked Dartmouth account should be reported to Information Security ASAP.