I was phished, now what?

The first step in recovering from responding to a phishing attack is to reset your password. For reference, you can do so by following the instructions at https://password.umsystem.edu

If that password was also used with other sites then it needs to be changed there as well. Each affected account should be treated as compromised which means changing those passwords as well (though each changed password should be set to something unique and unrelated to the other passwords being set). Each account should then be checked for malicious activity. Such activity may include, but is not limited to:

• money transfers
• unauthorized purchases
• mail forwarding
• account linking
• changes to security questions
• changes to account recovery

In general there are three types of malicious activity. First, those that directly have an adverse affect on you (such as draining a bank account). Second, those that harm others (such as sending scam emails from your account). Third, those that allow regaining access in the future (such as adding an email account they control as a method for account recovery). Apply these principles to each affected account to look for signs of malicious activity.

Any Account

Some of the factors to consider are common to many online accounts. Some questions to consider:

• Changes to how the account is accessed, like addition of a new MFA token or method.
• Have any new devices been recorded as accessing the account?
• Changes to contact information? Password hints? These may be used to regain access to your account at a later date
• Does the provider give a history of where logins have occurred from?
• Does the provider give a history of what actions have been taken?

Financial Accounts

Things to check with financial accounts include not only unauthorized withdrawals and charges, but also changes to beneficiaries and contact information. Keep in mind the three principles when considering what someone malicious might have done. Some questions to consider:

• Unauthorized withdrawals and charges.
• Any there any linked accounts? For example, a bank account with an investment account.
• Changes to beneficiaries?
• Scheduled actions?
• Changes to bill pay?

Email Accounts

Things to check with email accounts include not only spam or phishing that may have been sent, but also scams to friends and loved ones. Some questions to consider:

• Did you have any sensitive information in email that an attacker could have obtained and then used?
• Are there any linked accounts? If you have another account whose password can be reset by access to this account make sure that it has not been compromised.
• Check the delete items folder.
• Check for any rules that might delete, move or forward emails.
• Was the account used to send messages to friends or loved ones to try and con them?

Final Advice

Do not re-use or otherwise share passwords: each site or account should have its own password so that a compromise of that site or account does not affect others. In order to manage passwords for each site a password manager like LastPass or 1password is helpful. If you use an Apple device then take advantage of Keychain. You can even have it generate the password for you. Automatically generated passwords are stronger because humans follow patterns whether we think about it or not and bad actors take advantage of this to extrapolate passwords.