Phishing

By Ben Warriner

This is part 4 of a 4-part series; previously, we looked at what phishing is, how to identify it, the various types of phishing emails, business email compromise, and account takeover attacks. Finally, we’re going to focus on what you should do when you receive a phishing email and what to do if you were or think you were phished.

Here are some things to look out for with phishing emails, and what to do when you spot one:

What to do if you get a phishing email

Phishing Attack Protection Tips

  • Look for warning signs:
    • Common red flags of a phishing scam include unsolicited messages, spelling errors, a sense of urgency, requests for personal information, and suspicious links and attachments.
  • Don’t respond:
    • One of the safest responses to a phishing attack is no response at all.
    • Even if you don’t give the scammer the information they want, responding will only let them know that they’ve found an active email address, encouraging them to try again in the future.
  • Avoid clicking on links and attachments:
    • When dealing with a message from an unknown sender, it’s best to avoid opening any links and attachments, because you could end up on an unsafe website or expose your device to malware.
  • Use two-factor authentication (2FA):
    • Enabling 2FA on your online accounts gives you a second layer of protection from phishing scams.
    • That way, even if a phishing attack ends with your passwords exposed, scammers won’t be able to log into your account, giving you additional time to reset your passwords.

What should you do if you were phished?

If you’ve been phished, there are a few ways you can try and get ahead of any of the damage a phishing attack can cause:

  • Report the message.
    • If you’re not sure how, ask your IT or cybersecurity staff.
  • Write down as many details of the attack as you can recall.
    • Note any information you may have shared, such as:
      • usernames,
      • account numbers,
      • passwords.
  • Change account passwords on any affected accounts, or for any accounts that you may share that same password with.
    • The best practice is to use a unique password for every account and a password manager to store them for you.
  • If the scam involves your bank or credit card, inform the necessary financial institution of the attack.
  • If this happens at work, let your IT or cybersecurity team know immediately.
  • Confirm that you’re using multifactor (or two-step) authentication for every account you use.
    • If you’re not sure how to enable 2FA/MFA on your accounts, ask your IT or cybersecurity staff.
  • If you’ve lost money or been the victim of identity theft, report it to local law enforcement and to the Federal Trade Commission at https://www.identitytheft.gov/#/
    • Provide the details you captured.
  • Keep in mind that once you’ve sent your information to an attacker it is likely to be quickly disclosed to other bad actors.
    • Expect new phishing emails, texts, and phone calls to come your way.

Region 7 offers Infosec IQ to districts. This platform provides security awareness training and phishing simulations.

  • With these you can:
    • Reduce cybersecurity events with simulations and phishing templates.
    • Reinforce cyber secure behaviors with industry- and role-based training.
    • Strengthen cybersecurity culture while meeting compliance requirements.

For more information about this or anything else related to cybersecurity you can email [email protected].

Check out Part 1, Part 2, and Part 3 of this series.


Region 7 ESC Blog

Ben Warriner is a Network Security Specialist for Region 7 ESC and has been a Certified Information Security Manager® (CISM®) since 2019. He has worked at the ESC since 2009 and has been working on the cybersecurity of the ESC since 2014.