Avoiding Phishing Attacks
Employees, children and organizations are increasingly going online to work, learn and run their businesses. The more they're online, though, the greater the chance of a scammer trying to trick them.
Phishing is a form of social engineering, Cybercriminals use email, social media or malicious websites to pose as a trustworthy organization or person and solicit personal information.
For example, an attacker might send an email that seems to come from a reputable credit card company or financial institution. The attacker requests the user's account information and often suggests that there is a problem. When the user replies with the requested information, attackers can use it to access their accounts.
Phishing attacks might also appear to come from other organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as
- Natural disasters (e.g., hurricanes, tornadoes or earthquakes)
- Epidemics and health scares
- Economic concerns (e.g., IRS scams)
- Major political elections and crises
Types of Phishing
Most phishing attacks use email. A scammer registers a fake domain or website name that mimics a real organization and then sends out thousands of generic requests.
For example, a scammer might email or text messages like these:
- "We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
- "During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
- "Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund."
The fake website name often replaces one letter with another. For example, "r" and "n" might be put together to make "rn," which looks like "m." Phishing attacks might also use an organization’s name in a fake address (e.g., email@example.com), so that a legitimate sender’s name (e.g., PayPal) appears in the recipient’s inbox.
Spear phishing is when a cybercriminal sends a harmful email to a specific person that includes personal information to better trick them. That information might include the person's:
- School or employer
- Grade level or job title
- Email address
- Details about their school or job role
Smishing & Vishing
In smishing, scammers send text messages. Vishing involves telephone calls. In both, like in email phishing, scammers try to trick the recipient into clicking on a link or attachment or sharing personal information.
Angler phishing involves using social media to trick people into giving up sensitive information or downloading malware.
Scammers might use fake URLs, instant messaging and cloned websites, as well as posts and tweets. Highly targeted attacks might also be based on information that people willingly post on social media. That information includes geotagging, names, birthdays and vacations.
When in doubt, throw it out. Links in emails and online posts are often the way cybercriminals compromise your computer. If it looks suspicious – even if you know the source – it’s best to delete or, if appropriate, mark it as “junk email.” Contact the company directly (via phone) to be sure the email is not legitimate.
- Think before you act. Be wary of communications that implore you to act immediately, offer something that sounds too good to be true or ask for personal or financial information. Always check URLs and email addresses if you’re asked to click a link or download an attachment.
- Use stronger authentication. Always opt to enable stronger authentication when available, especially for accounts with sensitive information, including your email or bank accounts. A stronger authentication helps verify a user has authorized access to an online account. For example, it could be a one-time PIN texted to a mobile device, providing an added layer of security beyond the password and username.
- Make passwords long and strong. Combine capital and lowercase letters with numbers and symbols to create a more secure password.
- Install and update anti-virus software. Make sure all of your computers are equipped with regularly updated antivirus software, firewalls, email filters and anti-spyware.
- Be wary of hyperlinks. Avoid clicking on hyperlinks in emails. Instead, type the URL directly into the address bar instead. If you choose to click on a link, make sure it is authentic before clicking on it. You can check a hyperlinked word or URL by hovering the cursor over it to reveal the full address.
What to Do If You Think You’re a Victim
- Report it. If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
- Watch for changes to your accounts. If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
- Change your passwords. Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
- Watch for other signs of identity theft. These signs could include but are not limited to: unusual or unexplainable charges on your bills; phone calls or bills for accounts; products or services that you do not have; new, strange accounts appearing on your credit report; or unexpected denial of your credit card.
About This Page
Content is provided by the U.S. Department of Homeland Security's Stop.Think.Connect. public awareness campaign aimed at increasing the understanding of cyberthreats and empowering the American public to be safer and more secure online.
The campaign’s main objective is to help you become more aware of growing cyber threats and arm you with the tools to protect yourself, your family and your community. For more information, visit www.dhs.gov/stopthinkconnect.