What to do if you've been phished


So let's cut to the chase: you've been phished and you want to know what to do from here. Well, first things first: don't panic. It'll take a bit of work, but I'll go over the steps you need to take to protect yourself now, and then we'll go over how to avoid this in the future.

1. Call the bank and freeze your bank cards

This is probably the first thing you will want to do. Get ahead of the game: stop what you're doing now, call the bank, and stop whatever malicious activity is being attempted. Tell them you're a victim of a phishing scam and you want to lock your account until it's safe again.

2. Change passwords in priority order

Next up, you want to change your password, as it is now compromised. The goal of most phishing scams is to get your password so the attacker can then take over your account. I recommend changing your email password first, as email is often the key to accessing every other account you have. If you have reused this password before (don't worry, most people have done this, just don't do it again!) then you will have to go and change the password on every one of those accounts as well.

3. Log out of all devices

If an attacker has managed to access your account, then a quick way to get them out is to sign out of all devices. Many platforms offer this functionality in their security settings.

4. Check the activity of any important accounts you have (Google, Gmail, Outlook, Facebook etc.)

This step is more of a double check than an action. Most people don't realise that websites often keep an activity history. For example, in Google, if you go into your account and view the security history you can see which devices have logged into your account and where they logged in from. This can give you an idea of which accounts have been accessed and which have not.

What to do next

Setup 2 factor authentication

This is an extremely important thing to do. Using multi-factor authentication means that anyone logging in will need two forms of authentication to get into your account. This typically takes the form of a text message code that you receive after entering your password. It's not guaranteed security, but it is a huge step in the right direction. You should set this up on as many accounts as you can.

Make sure all your passwords are different

Please, please stop using the same password for every account. This will cause you enormous headaches if you get phished again. By using a different password on every website you're taking away a huge area of attack for criminals.

Setup a password manager

This last step is a big one and may take some people weeks to get up and running, depending on how many accounts they have signed up for. A password manager is a single place to store all your passwords. The password manager will generate stronger passwords for you on every website you visit, and all you have to do is remember one single (and long) password for the password manager itself. You should set one up and, over time, gradually transfer your passwords to the password manager whenever you log in to a website. I strongly recommend doing this at the same time as the previous step, so you can be resetting your passwords and adding them to the password manager in tandem.
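To make the last two steps concrete, here is an added example (not code from this article or from any password manager product) of what a password manager does for you: it draws each password from the operating system's secure random source, it lets you see how much entropy a password of a given length carries, and it can flag any password that appears under more than one site so that you know which ones to rotate first. The character alphabet, the 20-character default length and the small sample vault are assumptions made up for this example.

```python
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Assumed alphabet: letters, digits and punctuation, 94 distinct characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a password drawn uniformly from `alphabet` using the OS CSPRNG (secrets)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy in bits of a uniformly random password of `length` over `alphabet`."""
    return length * math.log2(len(set(alphabet)))


def find_reused_passwords(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every password used on more than one site to the sorted list of those sites."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def rotate_reused(vault: Dict[str, str], length: int = 20) -> Dict[str, str]:
    """Return a copy of the vault in which every reused password is replaced by a fresh one.

    Passwords that were already unique are kept as they are.
    """
    flagged = {site for sites in find_reused_passwords(vault).values() for site in sites}
    return {
        site: generate_password(length) if site in flagged else password
        for site, password in vault.items()
    }


# Constructed sample vault: two sites share a password, one does not.
SAMPLE_VAULT = {
    "mail.example": "Summer2021!",
    "shop.example": "Summer2021!",
    "bank.example": "correct-horse-battery",
}


if __name__ == "__main__":
    print("reused:", find_reused_passwords(SAMPLE_VAULT))
    rotated = rotate_reused(SAMPLE_VAULT)
    print("after rotation, reused:", find_reused_passwords(rotated))
    print(f"20-character password entropy: {entropy_bits(20):.1f} bits")
```

Running the block prints the shared password with both sites that use it, shows an empty reuse map after rotation, and reports roughly 131 bits of entropy for a 20-character password over the 94-character alphabet. The reuse check is the same idea a password manager's audit feature applies to your whole vault; doing it in tandem with the password resets above means every rotated account ends up with a password that exists nowhere else.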

Train yourself to not be phished

We have a free phishing simulator that you can play, Phish Me If You Can. It uses real-world phishing emails and monthly challenges to help more people learn what a phishing email looks like and how to avoid falling for one.