Disasters exist in different forms — historic flooding, theft of business data, or a family medical emergency. One common factor about all these situations is that your stress levels will be elevated, impacting your ability to focus and be attuned to close details. It’s in these moments of stress that phishing attacks become most successful. Phishing is almost always a threat, but they tend to get most aggressive during a disaster. It’s when you’re extra stressed and exhausted from dealing with a crisis, that they can more easily hook you.
What is phishing?
Phishing is a social engineering attack where people are deceived into revealing personal or confidential information. They do this in various ways, but most often by mimicking many details of legitimate and trusted sources, such as financial institutions.
How does it work?
Social engineering for information has become incredibly complex. It uses cognitive biases to try to trick individuals to divulge information. These biases include our tendency to trust authority figures, intimidation tactics, social/peer pressure, scarcity/urgency, and familiarity.
What are some examples?
- An email supposedly from a business asking to update an account password using a link.
- A text saying fraud has occurred, click the link to confirm a purchase.
- An email saying a package couldn’t be delivered, they need to reschedule, or your package will be sent back.
How can you add protection to your Disaster Preparedness Plan?
Being aware of phishing and when it’s most likely to occur will help you reduce the likelihood of being hooked. Adding it to your plan will help you be active and make choices to protect your information.
Keep key information handy
I keep a document with my financial account information, it includes all the details I would generally look up online. This includes location of local branches, phone numbers, my account numbers, and my login credentials. This is saved locally (not in the cloud) with a unique name that isn’t “my-finanancial-info.doc”.
As I don’t change accounts regularly this isn’t a burden to maintain.
There is also a printed copy that I keep in a safe location.
Add extra protections to your accounts
When available turn on extra steps to protect your account, these include methods such as 2FA. Don’t use the same password for every account – a password manager will help you manage them. Make sure email addresses on your accounts are current and you know how to access them.
Don’t show email images by default
Many phishing campaigns show images that look very close to ones that are legit. By not having an email program automatically show images allows you to first focus and review content. Once a risk is identified, then it’s easy to show images on a case-by-case basis. As a bonus, this can also reduce mobile data usage!
Reduce social media use
Social media is tricky, it’s designed to tempt and form addiction to see what happens next. The lure of clicking—thanks to social engineering—is huge. This is where links get even more tricky, as many are shortened, and headlines are often crafted for click bait. A verified account doesn’t necessarily mean you’re safe to click. If something looks tempting, I’ll first verify the information from other sources.
Make social media even less tempting
One way to make social media less exciting is to change the colors on my devices, often to greyscale. This is supposed to make social media less enticing. In my case I had to go a step further to inverted greyscale as I find black and white images extra compelling. Some services also let you turn on data saving modes which often limit loading of images and videos.
Don’t provide unnecessary information
While there are often fields for all your personal information on your social media account, only provide the minimum necessary. Depending on what you do, a third-party mailbox and street address may reduce stress about what location information is disclosed. I also think a good practice is to turn off location sharing as much as possible.
Create a clear checklist of steps to take if you’re hooked.
- Change your passwords. Immediately. Even if you use a password manager.
- If you think you are a victim of identity theft (FTC link), immediately let your financial institutions and the IRS know.
- Depending on what was disclosed, tell your customers. No one wants to share bad news, decide now on how you’ll do it.

Note: this is a 2021 update and consolidation of posts originally written in 2012, 2015, and 2016.