Phishing is a type of email attack that relies on making you believe that an email is a legitimate communication from a legitimate source. Because they appear reasonable, phishing emails trick users into clicking on malware links or prompt them to provide personal information. These emails tend to come with some emotional charge that makes you feel like you need to act immediately, such as “Change your password immediately” or “YOUR ACCOUNT HAS BEEN COMPROMISED.”
A Phishing Scenario
Consider this hypothetical: Bleary-eyed, 64 oz. travel mug in hand, an unassuming employee sips their coffee as they open their laptop for the first time of the day. It’s Monday, it snowed again, and the commute was 15 minutes longer than the day before. Their initial scan of the inbox reveals a slightly concerning email, notifying them their Google email account has been compromised and they must act quickly to change their password by clicking on a link and entering new information.
A little alarmed, they do what the email demands and go on about their day. But instead of putting out the fire effectively, they actually handed over the key to their email account to a cyber criminal.
How Phishing Happens
So what happened here? Eager to secure their email account, the employee didn’t take a minute to think: Is this really how Google notifies users of suspicious activity? Where did this email come from? Is that a spelling error?
The well-intentioned employee didn’t notice potential problems with the email or ask any of these vital questions. As a result, they became a victim of a very common and easily executed attack.
This is also a prime example of social engineering, a common way in which hackers compromise their victims. Instead of targeting digital weaknesses, a malicious hacker will take advantage of human ones. In our hypothetical, no actual hacking was involved. Instead of penetrating the digital system, phishing often relies on someone to make a mistake or trust something they shouldn’t.
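The questions above (where did the email come from, does the link go where it claims) can be checked mechanically before anyone clicks. The script below is an added example, not part of the original article: it parses a constructed copy of the scenario's "your account has been compromised" email and reports the same red flags a careful reader would look for (a Reply-To domain that differs from the From domain, urgency language in the subject, and a link whose displayed text points at a different host than its real target). All addresses and hostnames in the sample are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the scenario; every address and host here is invented.
SAMPLE_EML = """\
From: Google Security <security@google.com>
Reply-To: support@accounts-google-verify.example
Subject: YOUR ACCOUNT HAS BEEN COMPROMISED
Content-Type: text/html

<p>Change your password immediately:
<a href="http://accounts-google-verify.example/reset">https://myaccount.google.com</a></p>
"""

class LinkExtractor(HTMLParser):
    # Collect (displayed text, href) pairs for every anchor in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def phishing_indicators(raw_email: str) -> list[str]:
    """Return the red flags the article tells the reader to look for."""
    msg = message_from_string(raw_email)
    flags = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if re.search(r"immediately|compromised", msg.get("Subject", ""), re.I):
        flags.append("urgency language in subject")
    parser = LinkExtractor()
    parser.feed(msg.get_payload())  # single-part message: payload is the HTML body
    for text, href in parser.links:
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        target = urlparse(href).hostname
        if shown and target and shown != target:
            flags.append(f"link shows {shown} but points to {target}")
    return flags
```

Running `phishing_indicators(SAMPLE_EML)` returns all three flags for the sample; a plain message with no Reply-To, neutral subject and no mismatched links returns an empty list.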
Don’t Be Hasty
The best advice is this: don’t be too hasty.
If one of your accounts has been compromised, it’s too late to do anything. Changing your password after the fact is not particularly effective. So no matter what the email says, take a moment to reflect.
Instead of clicking on a link in the email or—God forbid—typing your password into an email, open a new browser tab and type out the website address. Go to your user settings and change your password there.
It is worth the extra thirty seconds even if the email is authentic. It is also wise to be aware of how your major accounts will alert you to a threat in the event your security is genuinely compromised.
Phishing is difficult to protect against because it relies on human error, not hacking. Anyone can be a victim, since phishing attacks tend to be sent in massive waves. While the digital age is always trying to force you to move quickly, the best defense against phishing is to slow down whenever someone asks you to provide personal information online.