USA TODAY US Edition

You got phished. Now what do you do?

- Rob Pegoraro Special for USA TODAY

Q: I clicked on a phishing link, and my e-mail account was briefly taken over. Now that I have control of it again, should I do anything besides reset the password?

A: Phishing — coaxing a user into entering their username and password on a site that looks like the real thing but isn’t — continues to be a nuisance because it works. It doesn’t require sneaking malware onto your computer and instead needs just a moment’s inattention or undeserved trust from you.

(Browsers are supposed to screen for the rogue addresses hosting phishing attacks, but the databases they check can miss a new phishing site.)

Changing the password is the obvious move after regaining control over the account, but much of the “obvious” advice about creating strong passwords is wrong.

As the government’s National Institute of Standards and Technology recently acknowledged in a major update to its password-security guidelines, adding letters and symbols to a short password won’t do much against determined codebreaking — while writing longer passwords, even if they only involve letters, will.
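The arithmetic behind that guidance, as an added example that is not part of the column: a brute-force guesser that must cover every character class present in a password needs roughly alphabet_size^length attempts, so each extra character multiplies the work, while a bigger alphabet only raises the per-character base. The passwords compared below are constructed samples, and the model is an upper bound that ignores dictionary and wordlist guessing.

```python
import math

# Character classes a guesser has to cover once it knows (or assumes)
# which kinds of characters the password contains. The four sizes sum
# to 95, the number of printable ASCII characters.
CLASSES = {
    "lower": ("abcdefghijklmnopqrstuvwxyz", 26),
    "upper": ("ABCDEFGHIJKLMNOPQRSTUVWXYZ", 26),
    "digit": ("0123456789", 10),
    "symbol": (" !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~", 33),
}


def alphabet_size(password: str) -> int:
    """Sum of the sizes of the character classes present in the password."""
    size = 0
    for chars, n in CLASSES.values():
        if any(c in chars for c in password):
            size += n
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the guesses an exhaustive search over the password's alphabet
    and length needs: length * log2(alphabet). Upper bound only; real
    guessers try wordlists and common patterns first."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def compare(*passwords: str) -> dict:
    """Map each sample password to its brute-force work factor in bits."""
    return {p: round(brute_force_bits(p), 1) for p in passwords}


if __name__ == "__main__":
    # Constructed samples: a short "complex" password and a long letters-only one.
    for pw, bits in compare("Tr0ub4d&3", "correcthorsebatterystaple").items():
        print(f"{pw!r:30} {bits:6.1f} bits")
```

Nine characters drawn from all four classes land around 59 bits; twenty-five lowercase letters land around 117 bits, which is why the updated guidance favours length over forced symbol rules.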

You can also ignore the traditional tip to change your password every 30 or 90 days. If your new password isn’t something others could readily guess, you don’t need to change it in three months.

But one bit of password dogma does still apply: If you’ve used the phished account’s password on other accounts you value, you need to change those logins to use different passwords.

What if you e-mailed a password to yourself or saved a few passwords in a draft e-mail? (I’m not endorsing that practice, but I know it happens.) Sorry, you need to change them too.

Using a password-manager app to store your passwords in encrypted form is a safer alternative to squirreling away passwords in your e-mail. Beyond the basic password-manager features Apple includes in iOS and macOS and Google provides in Android and Chrome, Dashlane and LastPass remain free for basic use.

Next, check your sent mail for any evidence of scam or phishing e-mails the attacker may have sent to your friends. But since the attacker could also have deleted those messages after sending them, it wouldn’t hurt to ask your most frequent correspondents if they got anything weird from you after the phishing attack.

After that, make sure that your backup contacts — the e-mail or phone number that the mail provider could use to contact you if it sees suspicious use of your account — are current. Without that, you may have to wait days after a future compromise of your e-mail.

Finally, please set up two-step verification on the account. This security measure will have you confirm a login that looks weird by typing in a one-time code sent to your phone, most often via a text message but sometimes in an app like Google’s Authenticator.

With two-step verification enabled, even falling for a phishing site won’t let the bad guys into your account unless they also steal your phone or engage in significant deception.

This may sound like a lot of work, but when it’s done right you only ever get this nag in legitimately unusual circumstances, such as using a new computer or logging on from a new country. Since your e-mail account usually controls access to most of your other important sites, such as your bank accounts, it’s worth this extra effort.
