Phishing is an attack in which hackers try to gain access to your account by tricking you into clicking a malicious link sent in an email, text message, or social media message.
Phishing messages are designed to look important and legitimate to convince you to click on them. They're often phony password reset emails, appearing as if they're from online services you use frequently such as Facebook or your bank.
Once you click on a malicious link or email attachment, the attacker has already won since they can steal your current login session and use it for themselves. Often a phishing link opens a form that asks you to type in your password. If you do so, you give the attacker direct access to your account.
How Do I Avoid Phishing Attacks?
The best way to avoid being phished is to educate yourself on what a phishing attack looks like. Here are four simple tips you can use to help protect yourself:
Ask yourself why you received the email
Did you ask Facebook for a password reset? If not, it's likely a phishing attack. Did you change credit cards and need to update a payment method on Amazon? If not, then it's likely a phishing attack. If an email doesn't match up to your recent online activity, investigate further.
Make sure the information makes sense
Start by checking who sent it. Make sure that the domain is spelled correctly. A common trick is to register a domain that looks similar but is spelled slightly differently. For example, googl.co rather than google.com.
Attackers often add fake urgency: "if you don't respond in 24 hours your account will be locked". Legitimate services rarely do this. If you're unsure, go directly to the website and check there.
Hover over links before clicking
Hovering shows where links actually go. Hackers use slight variations like bankofameri.ca instead of bankofamerica.com. Notice the ".ca" instead of ".com"?
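Also check for https:// vs http://. The "s" indicates that your connection to the site is encrypted. It does not on its own prove the site is legitimate, because attackers can get certificates for lookalike domains too. Sites without it should be avoided.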
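The domain and https checks from the two tips above can also be automated. The sketch below is an added example, not code from Locke ID or any product mentioned here. The trusted-domain list, the function names and the distance threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the services this user really has accounts with.
TRUSTED_DOMAINS = {"google.com", "bankofamerica.com", "facebook.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits from a to b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete a character
                           cur[j - 1] + 1,             # insert a character
                           prev[j - 1] + (ca != cb)))  # substitute a character
        prev = cur
    return prev[-1]

def check_link(url: str, max_distance: int = 2) -> list[str]:
    """Return warnings for a link; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("no-https")
    # An exact trusted domain, or a subdomain of one, is not a lookalike.
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return findings
    # Simplification: treat the last two labels as the registered domain.
    # Suffixes such as co.uk need the Public Suffix List to handle correctly.
    registered = ".".join(host.split(".")[-2:])
    # Removing dots exposes names split across the dot, e.g. bankofameri.ca.
    squashed = host.replace(".", "")
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in squashed or edit_distance(registered, trusted) <= max_distance:
            findings.append(f"lookalike-of:{trusted}")
    return findings

if __name__ == "__main__":
    # Constructed sample links, using the lookalike domains named in the tips.
    for link in ("https://googl.co/reset", "https://bankofameri.ca/login",
                 "http://www.google.com/", "https://accounts.google.com/"):
        print(link, check_link(link))
```

An empty result only means the link matched none of these simple rules. A lookalike can still use https, so both checks matter.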
Use a phishing filter
Locke ID is a password manager with a free Secure Inbox that prevents you from ever seeing emails from unfamiliar accounts. This greatly reduces hackers' ability to reach you with phishing emails.
How Common are Phishing Attacks?
Phishing is a simple social engineering attack that doesn't require a hacker to have any technical knowledge. As a result of its simplicity, phishing is the most common form of cyber attack and the number 1 reason why people get hacked[1]. If you give a hacker your password willingly, they don't need to do any of the hard work of breaking complicated software systems.
Even the most secure systems in the world are at risk of being compromised by a phishing attack. In order to stay secure online, it's up to you to not click any potentially malicious links.
What Do I Do If I've Been Phished?
If you think you've been phished, you need to immediately change your password for the account that was targeted.
If you cannot change your password, that means the phishing attack was successful. You now need to change your password for all other accounts where you've reused that password. You also need to go to the account's website to start the process of recovering your stolen account.
If you are able to change your password, either the phishing attack was unsuccessful or the email wasn't an attack at all. You should investigate further to be sure, but you're probably safe.
Help us improve: If you have been phished, we'll compensate you to see the email or text that did it so that we can improve our phishing filter. Please contact us if you've been phished.
Conclusion
To summarize: phishing is an attack that hackers use to try to steal your passwords. They perform this attack by sending you an email, text message, or social media message that looks like it's from a business such as Facebook or Bank of America.
That email has a link inside of it that the hacker wants you to click. If you click on the link, the hacker can immediately steal your login session for that account and take ownership of your account.
The best way to avoid being hacked is to be careful of what links you click on from emails, text messages, or social media messages.
[1] ID Theft Center, Q1 2022 Data Breach Analysis: https://www.idtheftcenter.org/victim-help-center/