Clicked on a Phishing Email? All Is Not Lost – Source: securityboulevard.com

Phishing continues to be a bane of organizations. Phishing accounts for 36% of all data breaches, according to Verizon, and the FBI found that in 2021, almost 83% of companies experienced a phishing attack.

And there are a lot of phishing emails being sent. Almost 1.2% of all emails sent are malicious, amounting to 3.4 billion a day, according to email security firm Valimail. The average cost of a data breach this year hit about $4.45 million, IBM said.

Despite the huge amounts of money organizations are spending on security awareness training for employees – about $5.6 billion this year – workers are still clicking on malicious emails, a situation that only has gotten worse with the rise of hybrid work – more corporate communications is being done over email – and the use of AI, which enables bad actors to write more convincing phishing emails.

“It takes only moments to fall victim to a scam and not even IT professionals are exempt from this risk,” Roman Cuprik at cybersecurity firm ESET wrote in a blog post this week. “You simply receive a seemingly innocuous email message containing a link you’re told to click on ‘before it’s too late.’ But what if, right after doing so, a sense of unease washes over you and you realize it was all a scam?”

There are steps the user can take after they’ve “taken the bait” to minimize the damage, Cuprik wrote. First and foremost, they shouldn’t provide any more information, especially if they’ve been sent to a site that may look legitimate but they’re not sure about.

“Do not input your credentials or provide your bank account details,” he wrote. “If scammers were going only after your data and did not compromise your device with malware, chances are that you’ve just dodged the hook.”

Back Up, Disconnect, and Scan

The next steps include disconnecting the system from the internet to reduce the amount of data the cybercriminal can steal from it, run a scan for malware and other threats, and even consider a factory reset of the device. Some malware can stay on the device even after a reset, but more often than not wiping the device clean will remove the threat.

They should also back up their data, particularly sensitive documents or files like photos and videos that hold high personal value, Cuprik wrote. It’s a practice that users should do even if they haven’t clicked on a malicious link.

“Backing up your data after being compromised can be risky, as they may have already been compromised by malware,” he wrote. “Chances are that you will back up the malware alongside the photos from your last birthday party. Instead, you should back up your files regularly and preemptively. If malware hits your device, you can recover your data from an external hard drive, a USB stick, or a cloud storage service.”

Resetting passwords also is important, given that many phishing emails are designed to convince users to give sensitive data like ID numbers, banking account and credit card details, and login credentials. Even if the user hasn’t divulged such details, malware installed on the device might be able to find them.

Changing the password is particularly important if, like many users, the victim uses the same password for multiple accounts.

Reach Out to Others

In addition, users should contact people and organizations that may be affected by a data breach, from family, friends, and employers to service providers and banks. They also should contact law enforcement.

They also need to look for unrecognized devices – such as looking at current logged-in sessions on social media and force the logout of any unknown device – and look for anything else that is unusual.

“Criminals who successfully break into one of your devices or accounts may try to establish their presence there for as long as possible,” Cuprik wrote. “They may change your login details, email addresses, phone numbers, or anything that can help them solidify their foothold in your account. Review your activity on social media accounts, banking information, and your online shopping order history.”

If there is a payment that doesn’t seem right or one that the user didn’t authorize, they should report it, change the credentials, and ask for a refund.

Clicking on a phishing email is dangerous, scary, and frustrating, but it can be addressed.

“Taking a bait and clicking on a phishing link may make you feel ashamed, and even alarming, but this kind of threat is evermore common,” he wrote. “In fact, it happens to hundreds of thousands of people every year just in the U.S., and the numbers are rising. If you stay calm and follow the tips … you’re one step ahead of the threats you could possibly face.”