Gone Phishing: How To Avoid The Greatest Cybersecurity Scam


More people fell victim to phishing scams in 2023 than any other cybersecurity threat, according to the latest edition of the FBI’s Internet Crime Report.  

Just fewer than 300,000 people reported being scammed through phishing attempts.

While this number is slightly down from the last two years, phishing still accounts for more crimes than the other top crime types combined—non-payment / non-delivery, extortion, tech support, and personal data breach. 

As phishing attempts—and success rates—increase, it’s worth taking a look at what phishing is, how your business can detect and protect against it, and what to do if an attack is successful. 


What Is Phishing?

Phishing is a cybersecurity scam in which hackers disguise themselves as a reputable person, company, or entity in email, social media messages, text messages, and other forms of communication to collect login credentials or account information. 

Examples of phishing techniques include: 

  1. Clicking an email attachment. What appears to be a valid PDF or image could be malware. Opening an attachment could be all that's needed to breach your device or network. 
  2. Receiving emails or phone calls from someone impersonating a known, trusted person or company. These are examples of spear phishing attacks. A would-be attacker may use a sense of urgency to entice you to give up sensitive data—like credit card numbers or account numbers. 
  3. Spoofing popular websites. Attackers may use brands you recognize to get you to click a malicious link that takes you to fake websites so you will enter your account information for the legitimate website. 
  4. Facebook friend requests. You may receive a request from an account with mutual friends, thinking it’s a legitimate profile. Instead, your new friend may send you a video that, when clicked, installs malware on your computer and potentially your network. 
  5. Logging in to free Wi-Fi hotspots. Beware of Wi-Fi hotspots that may look like one that is offered by your favorite coffee shop, airport, shopping mall, or other public places. 

Phishing is part of a broader cybersecurity risk known as social engineering.

All of these are things most people do regularly, so how do you figure out what’s real and what’s not? 


Common Indicators Of A Phishing Attack

Phishing attacks typically have telltale signs, like: 

  1. Asking you to pay an invoice by downloading an attachment or clicking on a link.
  2. Saying there’s a problem with your payment information.
  3. Asking you to confirm personal or financial information.
  4. Offering rebates, coupons, or refunds.

If any of these requests seem out of the ordinary, contacting the person or organization directly through another method is best. 

For example, if you’ve never purchased from or worked with a company before, don’t click or respond to anything within the suspected phishing email.

Instead, open a new browser window, search for that company, and find a way to contact them through their website with a phone number, support email, or live chat service. 


How To Prevent Phishing

The easiest way to prevent phishing is by asking yourself one question: 

Do you know the person or organization that’s contacting you? 

If you do, that’s a good start.

Still, proceed with caution by contacting them through another verified method.

For companies, that likely means using a company phone number or website.

For people, text or call them if you know their number, or email them by starting a new email chain if you know their email. 

If you don’t know the person or organization, it could be a scam.

Follow the recommended steps outlined above to get in contact with them. 

Two other ways to prevent phishing and its potentially disastrous effects include enabling multifactor authentication and backing up your data to a location besides your home or office network.

At home, you can back up your data onto physical hard drives or a cloud service (one often comes with your phone plan as an add-on service). 

IT departments should back up company data on a separate cloud network so an attack cannot infiltrate further.  

Your IT department or managed service provider may also run phishing simulations as part of a security awareness program.


How To Report Phishing

If you accidentally clicked on that Facebook message or email, verify whether your device’s security software is updated. 

(Side note: Hackers hate updates, so we recommend regularly updating software and operating systems). 

Additionally, report the incident and notify your IT department so they can monitor any unusual activity on your computer or network as a whole.

If it turns out to be nothing, great.

If there is a cybersecurity breach, they can help stop it before it spreads too far. 

Depending on the nature of the information, you may consider taking additional steps:  

  • Report the incident to IdentityTheft.gov to protect your sensitive information, such as your Social Security number, online logins, bank account information, and other personal data, from identity theft.
  • Forward phishing emails to reportphishing@apwg.org, the Anti-Phishing Working Group.
  • Forward text messages to SPAM (7726).
  • Notify law enforcement.


How secure is your company’s data? Phishing is one way to experience a cybersecurity incident, but hackers can access your protected information in other ways, too. Download our Data Security Checklist to see how well your data is protected against today’s common cyberthreats! 

