
I Think I’ve Been Phished. Now What?

You’re not alone. Here’s what’s next.

Phishing is epidemic: legitimate-looking emails asking for sensitive information are often bogus, and the attempts keep getting more convincing, so you need to be aware.
Question: I think I may have been “phished” with the “request to confirm” scam email. How can I tell? And if I have been phished, what do I do now?

First, don’t feel too bad — phishing attempts are getting very sophisticated. I haven’t fallen for one yet, but I’ve come very close.

But be prepared for a painful recovery if the phishing was successful.

Your next steps depend on where in the process you are (looking at an email, just after clicking a link in the email or elsewhere, or some time thereafter) and on what information, if any, you gave the phisher.


TL;DR:

Phished? Now what?

If you’ve only clicked a link and done nothing else, it’s likely you’re safe. It might pay to run an anti-malware scan anyway, just in case. If you’ve clicked on a phishing link and then provided any information to the fake site you landed on — including attempting to sign on — then you need to take steps to immediately secure your account(s). This can be as simple as quickly changing an account password or as complex as contacting a credit card company to report the incident.

Prevention

In Phishing: How to Know it When You See It, I discuss how to identify phishing attempts.

The basic rule is to never click on a link in email unless you’re positive it’s safe. Go to the site yourself (by typing the URL into your browser or using a bookmark you’ve saved previously).

If you want more clues whether an email is a phishing attempt, look carefully at the link. For example, a link whose visible text reads:

https://ebay.com

may not take you to eBay at all. You can tell before clicking on it, since most email programs and web browsers let you hover your mouse pointer over the link and show you, either as a tool tip or in the status bar, where the link really goes.

Misleading Link

When you look at where the link really goes, ensure that:

  • The destination matches what you expect. Exactly. If the link claims to be eBay, it should be for eBay.com. Targets like http://ebay.com.hacker.com, http://ebay.signin.services.ru, http://www.ebay.cc (note that it’s not “.com”) are all attempts to deceive you.
  • The destination is a name, not a number. If the link goes to a bare IP address, such as http://35.81.190.53, it’s probably not valid and definitely not worth the risk.
  • The destination is secure. That means it should begin with https:. If the target destination begins with the regular, unsecured, http: (without the “s”), chances are it’s not legitimate. The converse does not hold, though: https only means your connection to whatever site you reached is encrypted, and phishing sites routinely use it, so the padlock alone proves nothing about who you’re talking to.

If you’re at all uncertain, skip the link and just go to the service manually.
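The three checks above can be applied mechanically to every link in a message before anyone hovers over anything. The following is an added example, not code from the Ask Leo! article: it pulls the visible text and the real href out of each anchor in an HTML email, applies the rules (exact domain match, not an IP address, https), and also flags the trick shown above, where the text reads like one URL but the link goes somewhere else. The sample email, the `hacker.com` and `ebay.cc` destinations it points at, and the helper names (`check_link`, `audit_email`) are constructed for this demonstration.

```python
# Added example (not from the Ask Leo! article): apply the article's three link
# checks to the anchors in an HTML email. The sample message, its destinations
# and the helper names are constructed for this demonstration.
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    # Simplification: the last two labels. Production code should consult the
    # Public Suffix List so that names like "ebay.co.uk" are handled correctly.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, expected_domain, display_text=""):
    """Return a list of problems with the link; an empty list means it passed."""
    problems = []
    parts = urlsplit(href)
    host = parts.hostname or ""

    # Rule 3: the real destination should be https (a weak signal on its own).
    if parts.scheme != "https":
        problems.append(f"not https (scheme is {parts.scheme or 'missing'!r})")
    if not host:
        problems.append("no host name in link")
        return problems

    # Rule 2: a bare IP address instead of a name.
    try:
        ipaddress.ip_address(host)
        problems.append(f"destination is an IP address ({host})")
    except ValueError:
        pass

    # Rule 1: the registrable domain must be exactly the one you expect. This is
    # what catches ebay.com.hacker.com, ebay.signin.services.ru and www.ebay.cc.
    if registrable_domain(host) != expected_domain.lower():
        problems.append(f"host {host!r} is not {expected_domain}")

    # Extra check: link text that looks like a URL naming a different site than
    # the href really goes to (the "https://ebay.com" trick in the article).
    shown = display_text.strip()
    if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", shown, re.I):
        shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname or ""
        if shown_host and registrable_domain(shown_host) != registrable_domain(host):
            problems.append(f"text shows {shown_host!r} but link goes to {host!r}")
    return problems


def audit_email(html, expected_domain):
    """Run check_link over every anchor; returns (text, href, problems) triples."""
    return [(text, href, check_link(href, expected_domain, text))
            for text, href in extract_links(html)]


# Constructed sample message; none of these links are real.
SAMPLE_EMAIL = """
<p>Your eBay account needs confirmation.</p>
<a href="https://signin.ebay.com/">Sign in</a>
<a href="http://ebay.com.hacker.com/">https://ebay.com</a>
<a href="https://www.ebay.cc/signin">Update your details</a>
<a href="http://35.81.190.53/login">Confirm now</a>
"""

if __name__ == "__main__":
    for text, href, problems in audit_email(SAMPLE_EMAIL, "ebay.com"):
        verdict = "OK" if not problems else "SUSPICIOUS: " + "; ".join(problems)
        print(f"{text!r} -> {href}\n    {verdict}")
```

Only the first link in the sample passes; the other three each trip at least one rule. The domain comparison deliberately uses the registrable domain rather than a substring test, because “contains ebay.com” is exactly what http://ebay.com.hacker.com is designed to satisfy.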

Detection

OK, you clicked. Whoops. By mistake, but you clicked.

It opened your browser and brought you to a webpage. And the page looks totally legitimate. How can you be sure? There are several tests:

  • All the tests for the link in email now apply to what you see in the browser address bar. If it’s not what you expect — if it’s a number, if it’s not https secure —  chances are it’s bogus. If you click on my example eBay link above, this is what you’ll see in your address bar:

    [Screenshot (askleo.com): the address bar shows a “Buy Leo A Latte” page, i.e. clicking the link took you somewhere you didn’t expect.]

    Needless to say, that’s not eBay. Don’t continue. (Unless you want to buy me coffee, of course.)

  • If your password manager usually signs you in automatically or auto-fills the username and password, and it didn’t, then it didn’t recognize the URL as the legitimate URL. Don’t proceed.
  • If the site asks you to “reconfirm” by providing sensitive information like your credit card number, don’t do it. It’s likely bogus. A merchant that keeps your card on file does not need you to re-enter the entire card number; at most it needs a new expiration date or the last four digits. Banks never need this information, since they’re the ones that have it to begin with!

If you’re uncertain at all, don’t proceed. As long as the only thing you did was click on the link and nothing else, then it’s likely you’re ok. (Technically, a fake page could include malware, but that’s rarely the goal. Run an up-to-date anti-malware scan anyway, just to be safe.)

If you did more than click

If you ignored or didn’t notice all the warning signs above, and after clicking on the link you continued and gave the fake website some of your information, then things get dicey.

If, after you “log in”, you’re only presented with the information you just provided, it’s very suspicious. Legitimate services typically recognize you and display more details that they already have. If the site doesn’t do something like this, then it’s possible they’re simply trying to collect your information.

If after you “sign in” you get an error message or a “service temporarily down” message, or nothing at all, it’s likely you’ve been phished.

Whatever it is you just entered has probably been given to a phisher.

Recovery

You think you’ve been phished. Now what?

You may need to do several things.

If you tried to sign in to the fake site with your username and password, change your password immediately, and change it on any other account where you used the same password. While you’re in the account, check the settings a phisher would change to keep access after you lock them out, such as recovery email addresses, phone numbers, and mail forwarding rules, and turn on two-factor authentication if the service offers it.

If you provided credit card or other account information, contact the customer service department for each and tell them what happened.

You may need to contact the consumer credit reporting agencies. This is important if you live in the U.S. and gave up your social security number. This is one way identity theft happens: successful phishers open accounts in your name that you know nothing about.

You may want to file a report with the police. This can be an important piece of data to prove you were the victim of identity theft.

The lesson here?

I’m sure you’ve heard stories of how recovering from identity theft can be difficult, painful, and time-consuming.

The real lesson here, the one thing to walk away with, is this: prevention is much easier than recovery. Pay attention, remain skeptical, and avoid the problem in the first place, and you’ll be much, much safer.

There’s an old adage about telephone marketers: never give any information to someone if they called you. Only give information to someone you called. You know who you called and can verify who you’re calling.

The same is true for the internet: never give information to someone who contacts you to ask for it. Only give information in transactions you initiate with sites you know.

When you go to eBay.com and log in to your own account, you know it’s really eBay and that it is your account. But if you get an email from someone claiming to be eBay, it simply might not be them.


14 comments on “I Think I’ve Been Phished. Now What?”

  1. You should also go to the site in question anyway. eBay, PayPal and most banks will have a link on their index page telling you how they will contact you and what they will ask.

  2. A few things also to take into account…

    With JavaScript enabled, the phisher can cause something other than the actual URL to appear when you hover the mouse over the link. (Some browsers will always show the true URL, perhaps in addition to the “status” message supplied by the JavaScript code.) However, most browsers allow you to see the actual destination by right-clicking the link and selecting something like “properties” from the popup menu.

    Another trick used by phishers is to redirect you to the real website, so that the URL in the address bar really is the known website, but only after popping up a “login” window on top of the main browser window. While the browser really is at the true website, the popup window still is from the phisher’s site. (Someone I know ran into this last year. While he knew enough to know this was a phish, he was at a loss to see how it worked, as the browser’s address bar showed the real site’s URL.) Most decent popup blockers probably prevent this, however.

  3. Thanks for the advice Leo, this has to be one of the most obnoxious issues out there today and the biggest way to fight back is to simply educate people. There are so many articles/blogs out there that tell about all of the issues regarding phishing, but this is one of the only that actually offers help to those affected.

    Educating people is our best option these days to potentially fix our phishing problems.

  4. I clicked a link to a bank knowing it was a bogus website (curiosity got me… just wanted to see how smooth the pranksters might really be), but I didn’t enter anything. I did notice a little pop-up that said something like “click sensor”, but it disappeared too fast to check it out further. I closed all apps and restarted my computer after a separate ad/pop-up froze up and couldn’t be closed. Should I be worried that some kind of spyware has been installed? If so, how do I get rid of it? BTW, the computer is hooked up to a server with McAfee virus protection, has a firewall, etc. Thanks for any feedback. :-)

  5. I got a pop-up that said “Windows Internet Explorer… Your computer may have been hit with a virus, click here if you want to check,” so I did. Then it said my computer was hit with a virus and to click here if I want Windows to fix it. Was I phished? It looked legit, but my husband said Windows Internet Explorer won’t send you anything like that. What do I do, or what have I done?

    Your husband is right. You need to immediately run anti-virus and anti-spyware scans using legitimate tools that you choose, rather than those that might appear in some random popup.

    – Leo
    21-Nov-2008
  6. What if all I gave was an email address and password before wising up to the scam?

    “All” you gave was email and password? That’s enough.

    Leo
    26-Mar-2010

  7. I received an e-mail asking to confirm my password to my son’s Google account. I do not know why I opened the e-mail and clicked on the link and proceeded to enter his password (not sure if it was the right e-mail or not); anyway, I am not sure if I need to do anything or not.

  8. I was phished through a facebook friend finder. I managed to recover all my accounts (nothing monetary thank the gods, I use them completely separate) But I did manage to find the little [edited] forwarding address. Where can I post or submit that to do him the most harm?

    The police, I would expect. Any other form just turns into revenge which can, and often does, backfire.

    Leo
    25-Jun-2010

  9. OK, I stupidly fell for this. I think I gave all the info on my game account for SWTOR, but I reset everything, even the security questions, about 3 minutes after falling for it and giving all the info. Will I still get hacked if I changed everything on the account, even the security questions, or should I just leave that account? I was sent here {URL removed} and, being new to this, I fell right for it. If I changed it all, will I still be hacked? Please answer fast :(

  10. I was trying to buy something online. When I went to check out, I filled in the information page giving name, address, and email address, and had to set a password, then clicked proceed, and Internet Explorer could not open the next page. I then checked my emails; the company had sent me an email, but when I opened it I received a warning that it may not be genuine and I was asked if I would like to report an attempt at phishing (which I did). So I don’t know if I have been phished or not? Any help or advice would be great.

  11. @Jimmy,
    What you expect, when you buy something online, is to immediately receive an email, sometimes even several emails. They will be sent to help you verify your account, and to confirm your purchase. So receiving an email like that, (even though IE crashed and didn’t let you finish) is not suspicious. It seems unlikely that it was phishing.

    Your best bet is to contact customer support at the site and let them know what happened.

  12. OK, I was stupid.
    I entered my Gmail credentials into a fake page.
    I recognized the phishing after 24 hours and changed my Gmail password. Is there anything else that I should do?
    I was surprised to find nothing changed, including recovery emails or forwarding; everything looks normal.
    I’m worried that in the 24 hours they might have recovered other information and are planning to do something else with it.
    I’d like to know more about these guys. Can I tell more from the email header?
    Thanks
