Yes, it’s true, it happened to me. I got phished. In my defense, it was late at night and I wasn’t paying close attention to what I was doing. And in that moment of carelessness my password was compromised.
Wikipedia defines phishing as:
Phishing is attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware.
Phishing scams are extremely common, and in fact spam filters stop the majority of them from even getting to our inbox.
So I took the bait late one night in the following fashion: I was online, socializing, surfing. I got an email which appeared to come from a legitimate photo sharing website (on which I have an account, as do several of my friends and family) that said “someone” had shared some photos with me. Here’s clue #1: it didn’t say who, just “someone”; the real site is specific about who is sharing the photos in order to prevent spam. So I clicked on the link to see the photos. Clue #2: the login page was very similar to the normal login page for this website – but it was just a little different. I actually thought to myself, “Hmm, I wonder why the login page is different than usual?”
Clue #3: I proceeded to enter my username and password and they failed (no biggie; sometimes late at night my fingers can’t keep up with my brain and I mistype stuff), so I tried again and the password still failed. Then I checked for clue #4: the website I was on was not actually “www.photosharingsite.com” but “www.photosharingsite.com.you.are.being.phished” (actual URLs changed to protect the innocent – but you get the picture). So you can see how at first glance it looks like I’m on “photosharingsite.com” when I’m really not.
How to recover from a phishing attempt
So how is it I survived to write this cautionary tale for you? After two failed login attempts it took me about 2.3 seconds to realize that I’d been phished. So I closed my browser to leave that page and make sure it wasn’t doing more naughty things (such as collecting cookies or keystrokes), cleared my cache, including cookies, opened a new browser, went directly to the legitimate “photosharingsite.com”, logged in and changed my password. Then for the next couple of days I checked that login and my account activity to make sure the breach wasn’t exploited.
If you have been phished, immediately do the following:
- If your password was compromised, then log in to the legitimate site and change the password right away.
- If you use the same password in multiple places, then change them in all those places.
- If you gave up financial information, notify your bank, the government and credit bureaus right away. There are several tools that they use to prevent identity theft and fraud that will help protect you.
- If you gave up health info then notify your health insurance provider and your local health authority in order to prevent identity theft or medical fraud.
What did I learn from this exciting adventure?
- Never, never, never open a link you receive in email! If you think that’s a bit excessive, talk to any security expert and the majority will tell you they never open a link they receive in their email (or Instant Messages for that matter).
- Use different passwords for all your accounts. I know this sounds crazy because I have several dozen accounts all over the web. But luckily for me the password I used at this photo sharing site was unique, so I only needed to change it once. If it were the same password I use everywhere, then I’d have to change my password at dozens of sites.
- Never, never, never give up personal information (especially health or financial information) online. Your bank, your doctor and the government already have all that info; they don’t need it again and they won’t ask for it. So if you’re being asked, it’s likely a phishing scam.
- If you’re going to ignore rule #1 (but don’t, because that’s how you get viruses too!), firstly be extra sure you trust the sender (an email with your bank’s logo is not enough to trust). Then, before you click, hover over the link to see the true address it links to: in most browsers and mail clients it appears at the bottom of the window. Make sure that link goes to where it says it does. Finally, triple-check the address you end up at before entering any info. That is, check the address bar of your browser, not just the link in the email message.
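The two checks above (hover to compare the shown address with the real target, then read the address bar for the part the browser actually connects to) as a small added script. It is not from the original post; the site name and the lookalike address are the post’s own placeholders, and the “last two labels” domain rule is a deliberate simplification.

```python
from typing import List
from urllib.parse import urlparse

# Placeholder domain from the post; in practice this is the site the email claims to be from.
TRUSTED_DOMAIN = "photosharingsite.com"


def _hostname(url: str) -> str:
    """Normalise a link or displayed address to its lowercase hostname."""
    if "://" not in url:
        url = "http://" + url  # displayed text often omits the scheme
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """Return the last two labels of the hostname, e.g. 'being.phished'.

    This is the part that decides where the browser connects; everything to the
    left is a subdomain the site owner fills in freely, which is how
    'www.photosharingsite.com.you.are.being.phished' reads as the real site at a
    glance. Simplification: two labels, so suffixes like 'co.uk' are not handled
    (a production check would consult the Public Suffix List).
    """
    labels = _hostname(url).split(".")
    return ".".join(labels[-2:])


def link_is_safe(href: str, trusted_domain: str = TRUSTED_DOMAIN) -> bool:
    """True only when the link lands on the trusted domain or a subdomain of it."""
    host = _hostname(href)
    return host == trusted_domain or host.endswith("." + trusted_domain)


def check_email_link(display_text: str, href: str) -> List[str]:
    """Apply the hover-then-address-bar advice to one link; return the warnings."""
    warnings: List[str] = []
    if not link_is_safe(href):
        warnings.append(
            f"link lands on {registrable_domain(href)!r}, not {TRUSTED_DOMAIN!r}"
        )
    # Displayed text that looks like a URL but points somewhere else is the hover mismatch.
    if "." in display_text and " " not in display_text:
        if registrable_domain(display_text) != registrable_domain(href):
            warnings.append("displayed address does not match the real link target")
    return warnings


if __name__ == "__main__":
    # Constructed sample: the lookalike link from the post, shown as the real site.
    for w in check_email_link("www.photosharingsite.com/share",
                              "http://www.photosharingsite.com.you.are.being.phished/share"):
        print("WARNING:", w)
```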
One moment of carelessness caused me about 2 hours of grief and that was just over a simple photo sharing site. If I had given away personally identifiable information, especially financial info, I could have been in for months of grief to ensure my identity and my finances were intact.