Phishing FAQ

Commonly asked questions about phishing

What is phishing?

Phishing is a type of cyber attack where attackers impersonate legitimate organizations or individuals through email, text messages, or websites to steal sensitive information such as usernames, passwords, credit card numbers, and other personal details.

How does phishing work?

Phishing works by tricking individuals into believing they are interacting with a legitimate entity. Attackers typically send messages that appear to come from a trusted source, prompting the victim to click on a link or download an attachment, which then leads to a fake website designed to steal personal information.

What are the different types of phishing attacks?

  • Email Phishing: The most common form, where attackers send fraudulent emails pretending to be from reputable sources.
  • Spear Phishing: A targeted form of phishing aimed at specific individuals or organizations, often using personal information to appear legitimate.
  • Whaling: A type of spear phishing targeting high-profile individuals like executives or important decision-makers.
  • Smishing: Phishing via SMS (text messages).
  • Vishing: Phishing via voice calls.

How can I recognize a phishing attempt?

  • Unusual Sender: Check the email address or phone number for inconsistencies or unfamiliar sources.
  • Generic Greetings: Be cautious of messages that use generic greetings like “Dear Customer” instead of your name.
  • Suspicious Links or Attachments: Hover over links to see the actual URL and avoid clicking on unknown or suspicious links.
  • Urgent or Threatening Language: Be wary of messages that create a sense of urgency or fear, prompting immediate action.
  • Spelling and Grammar Errors: Legitimate organizations usually avoid sending messages with multiple spelling and grammatical errors.

What should I do if I fall victim to a phishing scam?

  1. Change Passwords: Immediately change passwords for the compromised accounts and any other accounts using the same password.
  2. Contact Financial Institutions: Inform your bank or credit card company to monitor for unauthorized transactions.
  3. Report the Incident: Report the phishing incident to local authorities and organizations like the Federal Trade Commission (FTC).
  4. Monitor Accounts: Keep a close eye on your accounts for any unusual activity.

How can I protect myself from phishing attacks?

  1. Use Strong, Unique Passwords: Use different passwords for different accounts and consider using a password manager.
  2. Enable Two-Factor Authentication (2FA): Adding an extra layer of security helps protect your accounts even if your password is compromised.
  3. Stay Informed: Keep yourself updated on the latest phishing tactics and scams.
  4. Verify Requests for Information: Be skeptical of any request for personal or financial information, especially if it’s unsolicited.
  5. Install Security Software: Use antivirus and anti-phishing software to help detect and block malicious emails and websites.

What should I do if I receive a phishing email?

  1. Do Not Click: Avoid clicking on any links or downloading attachments from suspicious emails.
  2. Verify the Source: Contact the organization directly using a verified phone number or website to confirm the email’s legitimacy.
  3. Report It: Forward the phishing email to your IT department, email provider, or report it to authorities like the Anti-Phishing Working Group (APWG).
  4. Delete the Email: Once reported, delete the email from your inbox.

What if I’m not sure whether an email address is legitimate or not?

Email addresses have two parts, the username and the domain name. In fred.smith@example.com, fred.smith is the username and example.com is the domain name. Domain names in email addresses are almost always the same as the organization’s website.

If you recognize the company name, check the spelling to make sure that it is spelled the same as the company’s website. Pull up the company’s website and check that the domain name in the email address matches the website domain name.

If you don’t recognize the company name, you can Google the company and evaluate whether it looks legitimate or not. Click on the search result that seems most likely to be the company’s own site and check whether its domain name matches what is in the email that you received.

If you’re still unsure and you were not expecting the email, the best option is to ignore it. If the company really needs to contact you, they will find another way to reach out.
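The domain comparison described above can be done mechanically. The following is an added example, not code from this FAQ; the function names and the "lookalike" edit-distance threshold are my own choices, and it deliberately uses a suffix match so that a domain like example.com.evil.net is not mistaken for example.com.

```python
from urllib.parse import urlparse


def email_domain(address: str) -> str:
    """Return the domain part of an email address, lower-cased.

    The FAQ's example: fred.smith@example.com -> example.com.
    Splitting on the LAST '@' handles quoted local parts that contain '@'.
    """
    if "@" not in address:
        raise ValueError(f"not an email address: {address!r}")
    return address.rsplit("@", 1)[1].strip().lower().rstrip(".")


def site_domain(website: str) -> str:
    """Return the host of a website URL (or bare host) without a leading 'www.'."""
    parsed = urlparse(website if "://" in website else "https://" + website)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(address: str, website: str) -> str:
    """Compare the sender's domain with the company's website domain.

    'match'     - same domain, or a subdomain of it (mail.example.com)
    'lookalike' - within 2 edits of the real domain (constructed threshold)
    'mismatch'  - anything else, including example.com.evil.net
    """
    mail, site = email_domain(address), site_domain(website)
    if mail == site or mail.endswith("." + site):
        return "match"
    if _edit_distance(mail, site) <= 2:
        return "lookalike"
    return "mismatch"


if __name__ == "__main__":
    for sender in ("fred.smith@example.com", "support@examp1e.com",
                   "support@example.com.evil.net"):  # constructed samples
        print(sender, "->", classify(sender, "https://www.example.com/"))
```

A "lookalike" verdict is the case the FAQ's spelling advice is about; treat it the same as a mismatch and contact the company through a channel you already trust.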