Phishing Scams: What To Do When It Happens to You


Information Security

Patrick Gorman

September 06 2023

Every morning, I go on The Hacker News to see what has the community talking. A recent example that caught my eye is “Phishers Exploit Salesforce’s Email Services Zero-Day in Targeted Facebook Campaign.”

That may sound like a lot of confusing web jargon, but it’s fairly simple: hackers exploited Salesforce’s email service to generate fake Facebook help tickets, which allowed them to steal Facebook login credentials. Those credentials could then be sold — within literal seconds — on the deep web.

This kind of clever maneuvering is extremely common in the hacking world, and sadly, there is very little that can prevent your organization from receiving this kind of phishing email. Additionally, because this was a zero-day vulnerability — meaning there was initially no fix to stop hackers from using the exploit — the only precaution you could really take was to be extra careful with emails that appear to come from Facebook. That’s hardly an effective organizational strategy for preventing a security breach.

Still, it’s better to know what to do if you get phished before it actually happens. And it’s always worth reviewing security best practices to help ensure it doesn’t happen again.

So you got phished. What now?

If one of our clients had a suspected phishing incident, here’s what we would advise:

  1. Change your password now. Even if you only think you’ve been phished, change your password immediately. It will never hurt, and it might just undo the damage. Also, ask yourself: have I re-used this password elsewhere? This is exactly why you shouldn’t.
  2. Investigate the link. When one of our clients suspects a phishing incident, we use cybersecurity tools to scan the email URL(s) in question for signs of compromise. Was it definitely a phishing incident? Once confirmed, we…
  3. Determine the severity. Once we’ve confirmed a compromised link, we use our tools to determine whether that link is associated with any known credential-theft databases. This helps us understand exactly how widespread the phishing incident was.
  4. Report the incident. Depending on the client who’s been phished and the leaked data in question, we then instruct them to report the incident to the relevant regulatory bodies (under HIPAA, to the FTC, or to whatever acronyms govern your industry).

How do I avoid this happening again?

When it comes to phishing and zero-day exploits, prevention can be tricky. The painful truth is that the only way to truly avoid being hacked is to disconnect from the internet entirely — a trade-off that few individuals and even fewer businesses are willing to make.

Put another way, if enough hackers want to break into your system, they almost certainly will. Remember, if the CIA can get hacked, you can too. 

That said, there are a handful of time-tested best practices that can mitigate the risk to you and your organization.

  1. Train (and retrain) your team. End-user training is the sine qua non of preventative cybersecurity. Basic, front-of-mind awareness of this kind of phishing threat among your staff can provide the skeptical buffer that stops an incident in its tracks.
  2. Never share your credentials. We’ve all been there: everything from the casual sharing of logins between colleagues to the reflexive sharing of information with an authoritative-sounding person over the phone… it’s extremely easy to fall prey to these phishing strategies. Just bear in mind: there’s almost always a better way. There is virtually no circumstance in which a major platform will ask you for your password. Yet hackers know that “social engineering” — applying calculated pressure and urgency to an interaction in order to manipulate an unsuspecting victim — is one of the most effective strategies for acquiring valuable credentials.
  3. Beware unusual links. Just because it looks like a legitimate link doesn’t mean that it is. URLs can be faked with special characters that, at a passing glance, look like ordinary letters. It never hurts to look twice.
  4. It might happen anyway. Sometimes it’s just the luck of the draw: you or someone in your organization gets a little sloppy or unlucky, and suddenly you’re compromised. It happens every day. Keep calm, stick to the steps above, and get help from an expert as soon as possible. It might ruin your day, but it doesn’t need to spell ruin.
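To make the "investigate the link" step and the "beware unusual links" tip concrete, here is an added example of the kind of first-pass check a defender can run over the links in a suspicious email. It is illustration code written for this post, not C3's tooling and not any real scanning product. The email body, the watched-brand list, the small table of Cyrillic-to-Latin lookalikes, and the two-label "registrable domain" shortcut (no public-suffix list) are all constructed assumptions. The checks it shows are the well-known ones: hostnames written in Unicode or punycode, labels that mix scripts, a brand name placed in the userinfo part before an `@`, and a domain whose lookalike characters resolve to a watched brand.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed sample email (not from any real campaign). It carries one
# legitimate link plus lookalike links of the kinds the post warns about.
SAMPLE_EMAIL = (
    "Your account needs attention, please review within 24 hours.\n"
    "Help center: https://www.facebook.com/help\n"
    "Reset here: http://\u0440\u0430ypal.com/login\n"        # Cyrillic 'er' and 'a'
    "Or here: https://facebook.com@evil.example/reset\n"    # brand name is userinfo
    "Details: http://evil.example/x\n"
)

# Assumed list of brands the organisation cares about (constructed).
WATCHED = {"paypal.com", "facebook.com", "salesforce.com"}

# Small constructed subset of Unicode confusables: Cyrillic letters that
# render like Latin ones. A production tool would use the full UTS #39 table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Pull http(s) URLs out of a plain-text email body."""
    return URL_RE.findall(text)


def to_unicode_host(host):
    """Decode punycode (xn--) labels back to the glyphs a victim would see."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already contains non-ASCII characters


def scripts_of(label):
    """Set of Unicode script names (first word of the character name) in a label."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def skeleton(host):
    """Replace known lookalike characters with the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(c, c) for c in host)


def registrable(host):
    """Assumed shortcut: last two labels (a real tool would use the public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def analyze_url(url):
    """Return a dict describing why a URL looks suspicious, if it does."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if "@" in parts.netloc:
        findings.append("userinfo before the host; the real host is %s" % host)
    uhost = to_unicode_host(host)
    try:
        ascii_host = uhost.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = uhost
    if uhost != ascii_host:
        findings.append("non-ASCII hostname, punycode form %s" % ascii_host)
    for label in uhost.split("."):
        scripts = scripts_of(label)
        if len(scripts) > 1:
            findings.append("mixed scripts in label %r: %s" % (label, sorted(scripts)))
    base = registrable(uhost)
    if base not in WATCHED and skeleton(base) in WATCHED:
        findings.append("lookalike of watched domain %s" % skeleton(base))
    return {"url": url, "host": uhost, "suspicious": bool(findings), "findings": findings}


def scan_email(text):
    """Analyze every URL in an email body; returns one result per URL."""
    return [analyze_url(u) for u in extract_urls(text)]


if __name__ == "__main__":
    for r in scan_email(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print("%-10s %s" % (flag, r["url"]))
        for f in r["findings"]:
            print("           - " + f)
```

Run as-is, it flags the Cyrillic lookalike (both as a mixed-script hostname and as a skeleton match for a watched brand) and the userinfo trick, while leaving the genuine help-center link alone. Feeding it a punycode URL works too, because the hostname is decoded before the checks run. This is a triage aid for the "was it really phishing?" question, not a replacement for the reputation and credential-theft lookups described in steps 2 and 3.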

By doing your best to maintain a vigilant, proactive approach to cybersecurity, you can minimize the chances that your organization will be the next to be breached — no matter what clever trap hackers have set for you.


About The Author

Patrick Gorman is the Director of Offensive Security of C3 Complete. He has over 15 years in IT and cybersecurity. He has a passion for pentesting, red teaming, CTFs and content creation on InfoSec topics. He has spoken at cybersecurity conferences.


© 2024 C3. All rights reserved.
