Phishing 101: What you can do to protect yourself

Proactive and reactive steps you can take

In a previous post, I described the basics of phishing, the most prevalent form of fraud on the Internet. Phishing has been around for more than 20 years and, unlike malware and other exploits that are usually patched with haste as soon as they are identified, phishing shows no signs of going anywhere. Not only that, but once your information has been stolen, it leaves one at risk for identity theft and other fraud for years to come. Some victims have to file paper returns with the IRS for many years, among other hassles.

Short of renouncing modern life and living entirely off-grid, phishing is likely to be a reality for the rest of your life. (And even if you were to go off-grid, it’s probably too late.)

So, what can you do to protect yourself? Quite a lot.

• When receiving an email which you suspect to be fraudulent, do not open any attachments.
• Do not click on links in emails without verifying the actual URL. So, for an embedded link (like this), hover your mouse over it and check the URL displayed at the bottom of the window.
• Similarly, do not click on emails or links from unknown sources.
• Report suspected phishing to your email provider or other relevant company (Twitter, for example, has a spam reporting option)
• If your employer has not provided any formal training about online security, consider raising the issue. Many consultants exist who will provide training and even run phishing “tests” for compliance.

As is all too common these days, if you receive a notice that some of your information has been compromised in a data breach – recent ones include Saks, Panera, and MyFitnessPal – be on heightened alert for phishing scams. Sometimes scammers will take the information they obtain through data breaches to craft more targeted and sophisticated phishing schemes.

What if you suspect your information has already been phished?

The Federal Trade Commission (FTC) has put together an excellent resource for victims, including an interactive tool that will help create a recovery plan. Below are some of the common steps you can take following suspected identity theft:

• Change all of your passwords and do not reuse any old passwords. Consider using a password manager.
• Contact the companies where you know fraud occurred—most larger companies will have a fraud department.
• Contact local law enforcement to file a police report, particularly if you have already experienced actual identity theft, such as a fraudulent credit line opening in your name.
• Place a fraud alert with the credit reporting companies. An alert is effective once filed with one of the three credit bureaus, as they are legally obligated to notify the other two. A fraud alert makes it more difficult for accounts to be opened in your name and requires businesses to verify your identity with you before issuing new credit in your name. Fraud alerts are effective for 90 days and can be renewed.
• Another option is a security freeze, which must be placed separately with each credit bureau.
• Consider obtaining legal advice about your rights.

Stay tuned for more information about one of the problem trends in phishing: W-2 scams that obtain entire years’ worth of employee data with a single email. You can learn more about CaseyGerry’s related investigations here.