Don't Take the Bait: Tips to Avoid Getting Phished

Many people trying to stay secure online have likely heard vague advice about how do so. Experts will advise tech users to "avoid suspicious emails and phishing attempts" that can invite malware and more onto their devices.

But there's more to avoiding a phishing attack than just steering clear of suspicious emails. Phishing attacks are becoming more sophisticated, and it's not just technology neophytes falling for these schemes.

Phishing has evolved since the earlier days of the internet of spam advertisements and emails from Nigerian princes.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

"Phishing and spear-phishing are becoming the next big thing in security and it's the natural evolution of how hackers operate," said Asaf Cidon, vice president of content security services at Barracuda Networks.

Hackers pick fewer targets, but those targets tend to be more lucrative. Some hackers employ teams to go after specific individuals or companies that may be tricked into wiring money to them or fooled into giving up log-in credentials to drain bank accounts. Successful teams could make up to hundreds of thousands of dollars for each successful attack, he said.

"They’re more rare, but when they do hit, they’re much more painful," said Cidon, who has seen phishing attempt swindle people out of the down payments on their home by posing as the real estate office and drain small businesses of so much money they've had to close.

Here's how to spot a phishing attempt and how to deal with it:

Prevent

Security experts may sound like a broken record at this point, but to prevent phishing attacks altogether, make sure to beef up password security and enable two-factor authentication, especially on email and financial accounts.

Tech users should also have external or cloud backup in place, so if they do fall victim to a phishing attack, their data won't be lost entirely.

When checking your email, always think twice before clicking any link, especially if it has a URL shortener, or downloading an attachment, even if it's from a friend. Why shouldn't you trust a friend? Your friend's email account could have been compromised.

If you're unsure of anything, get on the phone with your friend or colleague to verify they did send that message. And of course, never wire transfer money without extra, verbal verification, Cidon warned.

Spot

Many phishing attempts often create urgency and in a panic get you to click. These psychological tricks get you to act without thinking. If you get a strange email saying your account is overdrawn, stop, take a breath and check a few key things before proceeding.

First, try to verify the sender. Hackers will often disguise the email to make it look like it's from an established source, like a friend or a company. But click to find out the details, and you might see a slightly altered email address, Cidon said.

Sometimes, hackers will gain access to a legitimate email account and alter the reply-to email address. If something is suspicious, like your boss is urgently asking you to send company security information or wire thousands of dollars of company money to, find out what the email address is that you would reply to with the information.

React

If you were unfortunately duped—maybe you clicked that link that said your PayPal account was going to be closed—there are steps you can take.

First, immediately reset the password on all of your accounts, especially any financial accounts. You should also call your bank to let them know you've had a security breach and you have not authorized any money transfers.

If this was a phishing attempt on your work account, immediately report it to the appropriate channels.

Some users might want to wipe endpoints and format the computer and reinstall programs, Cidon cautioned.

Ultimately, being aware of the risks posed by phishing is a good step. Educating people about these threats is important, so they know what's possible and how to prepare for it.

"I definitely think we should be spreading the word about these attacks,” Cidon said.