
What Now? What to Do If You Fall for a Phishing Scam

How to Stop a Cyber Threat in Progress


At some point in the past, you probably received a fraudulent email or phishing message that made you laugh. The grammar was terrible, it looked like it was pasted together by a first-grader, or you know darn well you don’t have a rich, long-lost uncle in England who left you money. Many of these attempts to con people are pretty pathetic and easy to spot. But cyber criminals are continually improving the believability of their phishing “bait.” The fact is that anyone can end up clicking on a phishing email, message, or ad, especially if they’re temporarily distracted, stressed, or rushed. (That’s one reason phishing attempts have increased 350 percent during the COVID crisis, according to a report from Google.)

So, let’s say you’ve been reeled in by a phishing attempt and you were tricked into visiting a fraudulent website, downloading a file, or supplying personal information to the wrong people. Scammers may have installed spyware on your computer to steal information and/or monitor your communications. Or they may already be using your personal information to take over accounts or commit other kinds of identity theft. What can you do to head ‘em off at the pass?

First, do a mental triage (like the emergency medical assessment you see on all those TV medical dramas). Ask yourself these questions:

  • Is your computer behaving strangely? If so, you may have accidentally downloaded ransomware. Disconnect from the internet and turn off your Wi-Fi immediately. From there, your response will depend on the kind of ransomware it is. This blog gives pointers on how to fight ransomware.
  • Did the mistake happen on a computer that belongs to your employer, have you connected this device to your employer’s network since the phishing encounter, or did you accidentally supply a work password to a scammer? If so, notify your IT department right away. They’ll gather more information from you, then implement security procedures.

If there’s no sign of ransomware and the incident hasn’t put your employer at risk, assume that the phisher got access to information stored on or transmitted to your device, as well as anything you may have disclosed.

You need to cut off all avenues for the scammer to impact your privacy or commit identity theft. Here’s how:

  • If you downloaded any software to your personal computer, delete it right away, then immediately run a scan of your computer with your anti-virus software.
  • Change passwords on your email, online accounts, and bank accounts. If there are PINs on the accounts, change those, too. (Having a password manager will make this easier.)
  • Put a freeze or alert on your credit report.
  • Contact your bank and credit card issuers and ask them to put an alert on your accounts.
  • If the phisher impersonated a real organization, such as a shipping company, a bank, or a government agency, let the organization know what happened so that they can warn other customers.
  • Report the phishing attack to the FBI’s Internet Crime Complaint Center.

Once you’ve secured your device and accounts, be sure to monitor them extra carefully in case the scammer manages to get past your defenses:

  • Review all your financial statements extra carefully for fraudulent transactions.
  • Watch your credit score closely.
  • If you don’t have one already, consider getting an identity protection plan such as MyIDCare, which includes monitoring your accounts for suspicious activity and dark web monitoring, with a Premier plan that also includes social media monitoring. Then watch the monthly reports and alerts, so that you can take immediate action at the first sign of identity theft.

Finally, if you do fall for a phishing attack, don’t feel bad. But once you’ve gone through all the work of defending yourself, you’ll never want to go through it again, so consider shoring up your defenses. Make sure your security software includes features to warn you if you’re about to click on a suspicious link, visit a suspicious website, or download a suspicious file. Also, consider using a “privacy first” browser and maximizing privacy settings on all your online accounts, because when tech companies gather data on you, phishers sometimes buy tailored advertising slots from them to target potential victims.

The more warning systems you have in place and the more wary you are, the less likely you are to be caught again. Phishing really can happen to anyone, but there’s also the old adage, “Fool me once, shame on you. Fool me twice, shame on me.”

About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.