Phishing is the way a bad actor lures an unsuspecting user into clicking on an email link (or any other link) and immediately making them a digital victim of fraud.

Sometimes the repercussions are smallish (i.e., spamming one’s friends). Sometimes one clicks on a phishing email unleashes a severe, debilitating ransomware attack (i.e., shut down an entire organization until a ransom is paid). In any case, the threat of phishing has gotten exponentially worse in recent years and everyone needs to take note. In fact, the Department of Homeland Security even called it out in its 2024 Homeland Threat Assessment report.

A few key reasons why this is happening with increased frequency and impact:

• More sophisticated trickery. AI can help bad actors create increasingly accurate and compelling email content to dupe individuals.

• More of our lives are lived online. As we spend more of our lives tied to our computers and smart devices, particularly for schools post-Covid, bad actors see an opportunity to extort and demand large sums of money. We are also still not taking password and data protection seriously …making the task of those with bad intentions easier. (… more than 70% of us reuse passwords… not good!)

• Data is the fuel to AI’s growth. Data is big business and shady players will pay as they seek to build their own AI applications and train them on large sets of data.

All of these issues can be both hard to navigate and incredibly distressing for the youngest online users. So a few tips for making sure families can identify and handle phishing attempts and what do to when a breach does happen.

Staying Alert

The good news is that there are a lot of simple actions we can all take to stay safe, including:

Identify Who an Email is *From*

Well, yes, that one is from Aunt Martha, but the bank, or favorite retailer? Are you sure it’s *really* them? Especially if the message contains a note of urgency —e.g., you are in trouble, at risk of legal action, could lose money, lose access to an account, or fear that someone you love is in trouble — you are more likely to be looking at a fraudulent phishing attempt. Bad actors want to push your emotional buttons and get you to click without thinking.

Don’t Be Distracted by Branding

Bad actors are also getting more sophisticated in their ability to mimic social media companies, banks, utilities — any favorite, trusted brand — by replicating their branding, including logos, company colors and other detail.

No matter how tempted you are to overlook suspicious content because it “looks like x,y,z brand” try to catch yourself.

(Almost) Never Click on Email Links

Marketer friends out there, I know you’ll be saddened by this recommendation, but it’s a prudent one: don’t click on email links. You don’t really need to, do you?

If it’s from your favorite brand/team/hotel/entertainment and so on you can just open another browser window and go right to the site. It’s a good habit to get into as it will cut down the chances of getting ensnared in fraud.

Check the Domain

A surefire way to know if an email represents a phishing attempt — no matter the slick branding, seemingly correct physical mailing address, or a message that seems plausible and tailored to you — is to check the domain.

An email from a brand will ALWAYS come from their core clean domain, so for instance, google.com, facebook.com, etc. Anything other than this is not legit, even if somehow you can decipher the company’s name nestled into address characters…it’s still not from them.

This is a great example as it is a nice, “clean” (so no funny characters) email. You might even think that it’s a Meta partner, hired to help with copyright violations. Well, no, it would only EVER come from Meta.

Right Click on Links

If you are pretty sure that an email is legit but still worry about the links (and for some reason really want to use the link, such as a custom link with a code) then you can right click, copy the link and first paste it in a word document, etc. Then you can see if it’s actually on a company’s domain.

So this is okay: gap.com/specialofferforyou

This is not okay: abcgap.com/acebtteyoudeal

Only do this if you are a skilled right clicker and/or are mostly sure it’s legit as you don’t want to risk ending up clicking the link.

Whoops… What Now?

Okay, so it’s too late, you clicked, it’s a scam and you are devastated. Well, first, change all of your passwords (more on that below) use a malware software program checker to scan your computer. If the scam email was related to banking, call your bank asap. If it was connected to your work or school account, quickly tell the IT department. Especially when you consider the ramifications for many more people from just one email, don’t be coy, tell everyone.

Password Managers

If you haven’t, this is the time to sign up for a password manager. There are a few good ones and you can find different levels from free to paid. What these tools will give you is a way to generate and organize very secure passwords. Bad actors are getting much more sophisticated in their ability to crack emails. A good password manager stays on top of encryption requirements and hacking trends, so not only help you generate and store - but they are paying attention to the ‘industry.’ These are great for kids too and you can set up a family account and give kids autonomy as well as share passwords.

Have I Been Pwned?

Becoming ensnared in a breach is, of course, usually not something you initiated, nor may you even know about it. It’s a reason to keep your passwords strong and for changing them frequently. You can also check websites such as “Have I Been Pwned” and see if you were in a breach or “pasted” on the dark web. This doesn’t necessarily mean your email is at risk, but it is a great reason to change your password.

The more we all pay attention and act with suspicion in all instances, the chances of being compromised decreases considerably. Kids are fast learners and the best teachers of adults too!

MORE TIPS FROM FTC