A pretty kettle of phish: what to do if you click on a phishing link?

Rest assured: you’re not the first. According to the FBI’s 2021 Internet Crime Report , phishing, vishing, smishing, and pharming incidents topped the list of cybercrimes last year, having claimed 323,972 American victims and losses of $44,213,707 in total.

That’s four times the number of people who fell for non-delivery- and non-payment-type scams, the second most common cybercrime variety in the US, which signals an uptick of 182% from the 2019 phishing victim count.

However, knowing this will hardly be enough to get your peace of mind back once the damage is done. In this article, we’ll take a closer look at what phishing links are, what they do, and how to recognize them, plus give you expert tips for damage control.

The 44-million-dollar question: what is a phishing link?

But first things first: what is phishing?

"Phishing is a technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person," explains the US National Institute of Standards and Technology. Translation , courtesy of the UK’s National Cyber Security Centre : it tricks users into doing 'the wrong thing', like clicking a link that will download malware or take them to a dodgy website.

If you look at the taxonomy of cybercrime, you’ll see that phishing is a type of social engineering attack. In these type of attacks, criminals use psychological manipulation to con users into compromising their security, transferring money, or sharing sensitive information. Albeit using digital tools, they aren’t all that different from traditional scams, like the door-to-door salesman that weasels stay-at-home parents into a dietary supplement pack subscription that never arrives.

Physical or digital, all social engineering attacks rely on the same modus operandi: exploiting our weaknesses, such as vanity, fear, or greed, or on the other extreme, curiosity, generosity, or sympathy. CISA warns that they often take advantage of current events and certain times of the year, such as natural disasters, like Hurricane Katrina, epidemics and health scares, like the COVID-19 pandemic, economic concerns, like IRS scams, major political elections, or holidays.

Phishing attacks might come through text messages, social media, or by phone, but email is by far the most commonly exploited attack vector. Attacks may vary in sophistication, from the Nigerian prince variety to those Netflix membership reset messages that can be barely told apart from the real deal, but scam links are almost always involved.

From the classics to the contemporary: the most common types of phishing links

1. The imaginary invoice

A true classic. “We’ve recently heard that scammers are recycling an old phishing attempt. In this version, scammers, posing as a well-known tech company, email a phony invoice showing that you’ve recently bought music or apps from them. The email tells you to click on a link if you did not authorize the purchase,” warned the Federal Trade Commission of the revival of the age-old scam back in 2018, probably referring to bogus iTunes bills.

Phishers who use this ruse target individuals and businesses with equal zeal, impersonating legitimate suppliers to pressure them for payment. The fact that both Google and Facebook fell for it underlines just how effective this phishing technique can be: a few years ago, a Lithuanian hacker managed to defraud the two tech giants out of more than $100 million posing as one of their vendors, Reuters reported.

2. The non-existing problem with your PayPal account

Boasting around 200 million users and direct access to their bank account details, PayPal is what phisher dreams are made of. Based on research of some 50,000 fake login pages, it’s the most popular brand used in phishing attempts, taking the lead at 22%. After a generic greeting, the scam message will typically ask users to volunteer financial or personal information, update account details or provide the tracking number of a dispatched item before receipt of payment. In other words, information that PayPal would never prompt users to share via email, if at all. More PayPal phishing email examples this way.

3. The Google Docs worm (reloaded)

In May 2017, a phishing attack called “the Google Docs worm” took the internet by storm, masquerading as Google Docs to gain deep access to users’ emails and contact lists, recalled Wired’s Lily Hay Newman. “The scam was so effective because the requests appeared to come from people the target knew. If they granted access, the app would automatically distribute the same scam email to the victim's contacts, thus perpetuating the worm. The incident ultimately affected more than a million accounts before Google successfully contained it.”

But that doesn’t mean we’re out of the woods. These types of scams, Matthew Bryant told the magazine, get much of their power from manipulating legitimate features and services that we trust. The security researcher has found ways attackers could potentially use to outwit Google's advanced Workspace protections. Not that they aren’t resourceful enough on their own, Newman remarks, manipulating Google Workspace notifications and features to make phishing URLs and pages appealing to targets.

4. The unusual activity that never happened

“While not reported here at Brown, security vendors are warning of the following scam email that taps into concerns about the current international crisis in its attempt to prompt the recipient to report the user and unsubscribe,” reads a security alert that has been recently posted by Brown University to warn Microsoft account holders of a brand new wave of phishing notifications of sign-in attempts from Russia. Conveniently, the “report the user” button is right there for you to click. Of course, instead of a report page, users who oblige will see a new, prefilled message open up and, once sent, a login or payment information request.

With 19%, Microsoft is the second most popular brand for cyber criminals to hide behind. With good reason: 75 million users log in to their Microsoft Teams workplace every day. As 95% of Fortune 500 companies rely on Microsoft cloud services, many of these users will probably do so to access information of extremely high value. This is also why these notifications are also part of our quarterly phishing email drills. As part of the simulated attacks, our employees receive a carbon copy of the original alert, but when they click to check their activity history, a proxied clone of the Microsoft login page pops up to capture their credentials.

5. The bogus HR communication

While the coronavirus outbreak pushed most of us behind closed doors, for hackers, new windows of opportunities opened. In early 2020, a new email scam reared its ugly head to target remote workers and steal their business logins. All this through Microsoft Sway, an unassuming application that allows employees to create newsletters, reports and the like.

According to TechRadar , the criminals used this service to create and send out emails containing subject lines such as ‘Employee Enrollment Required’ and ‘Remote Work Access’ with ‘Human Resources’ as the sender. Clicking the phishing website link, however, victims were quickly led to a phishing site where their credentials got stolen and potentially sold on.

6. The only message from your boss you should ignore

As we pointed out in a previous post , no payment is so urgent that it warrants a message from a company’s CEO telling employees to arrange for an immediate wire transfer. Unless, you’ve guessed it, it’s from someone who pretends to be a company executive urging subordinates to take care of an overdue invoice. Which is pretty much what happened to Belgian bank Crelan in 2016. In that case, the hackers successfully spoofed the CEO’s email account and convinced employees to transfer money into a bank account controlled by them, leaving the company with a very real bill of £57 million once internal auditors discovered the attack.

How to check if a link is safe? Six phishing signs to look for when checking a URL for phishing

Here’s a checklist with six questions to ask yourself to avoid suspicious links – and becoming a phishing statistic.

1. Does this URL look legit? Always check the spelling of the URLs in email links before you click them, especially if you’re about to provide sensitive information. Can’t see the URL right away? Hover over the link the message is asking you to click.

2. Does this link or button lead where it’s supposed to lead? As a general rule, if there seems to be a mismatch between the email link and the destination address, don’t click it. The same goes for URLs with nonsensical strings of text.

3. Would the sender use this wording? No respectable business kicks off their email blasts with “Dear User” or “Dear valued member”. Other telltale signs include grammatical errors and misspelled or oddly capitalized words.

4. Am I being asked to share my personal information for a legitimate reason? Reputable companies rarely ask for sensitive data via email links. Be especially on guard if the unusual request is paired with sudden urgency or emotional appeal.

5. Does the sender’s email address look alright? Always look beyond the sender’s display name to verify their identity. A closer look at the email header may reveal a common phishing tactic: slightly altering domain names to appear legitimate.

6. Was this email sent at an unusual time? “Malicious emails are now being timed to coincide with the ‘mid-afternoon slump’ common to office workers,” says CPO Magazine , meaning the 2-6 p.m. window when they may face less scrutiny.

“I clicked on a phishing link!”: follow these steps to get off the hook

Clicked on a phishing link but did not enter details? Still go through the steps below. If you’ve clicked something suspicious, it’s better to overreact than to underreact.

1. Immediately change your password for the affected account and any account where you use the same login credentials.
2. Disconnect the compromised device from the internet as well as all networks and external drives to contain a possible malware infection.
3. Scan your device for malware, then follow the antivirus software’s instructions to remove or quarantine any suspicious files detected.
4. Back up your files to disarm ransomware attackers and prevent potential data loss as a result of malware removal.
5. Don’t keep it to yourself: if it’s a work device that might have been compromised, reach out to your IT department and await instructions.