Last updated on March 27, 2024
Phishing attacks are a group of malicious scams devised to steal user data such as login credentials and credit card numbers. Phishing is one of the most common online scams: the sheer variety of phishing techniques and the thousands of victims make it profitable for attackers. Fortunately, you can prevent most phishing scams if you know how to identify them.
10 Tips to Protect Yourself From Phishing
1. Learn to Identify Phishing
2. Don’t Fall Into the False Sense of Security
3. Don’t Click On That Link
4. Don’t Trust Unsecure Sites
5. Don’t Disclose Personal Information
6. Update Regularly
7. Block Pop-Ups to Prevent Phishing Scams
8. Enable 2FA With WebAuthn/U2F Security Keys
9. Enable Firewalls
10. Raise Phishing Awareness

How To Prevent Phishing Attacks
Here are 10 tips for keeping yourself safe from phishing.
1. Learn to Identify Phishing
- Urgency
- Money Baits
- Grammar Mistakes
- Impersonal Messages
If an email message tries to scare you or pushes you to act fast, that is a big red flag. Malicious actors exploit fear and impulsiveness to make you act quickly and without thinking.
An email message says your account will be suspended unless you do something within one hour? Urgency is a good sign that the message may not be genuine; a legitimate organization rarely gives you a one-hour deadline by email, and you can always confirm through a channel you already trust, such as the phone number printed on your card or statement. Fear works the same way: suspending your account sounds scary, so people are much more likely to act to avoid it.
Not all phishing emails use scare tactics or urgency, yet most people still sense something is wrong with them. The reason is simple: most phishing emails are impersonal and awkwardly worded. Be wary of messages that lack personality (that address you as “you”, “user”, “person”, or “customer”) and especially of messages with grammatical mistakes. Treat grammar as a hint, not a guarantee: a well-written message can still be phishing.
The last tactic is money-oriented. If a message says you have won money, a relative died and left you an inheritance, or somebody you know is in a tough spot and needs money from you, you can be almost sure it is a phishing scam.
2. Don’t Fall Into the False Sense of Security
- Be Aware of Spear Phishing
- Learn to Recognize Targeted Phishing Tactics
Many people think phishing scams are obvious, and to some extent they are right: some scams are so plainly fraudulent that they have become the subject of jokes, the Nigerian prince scam among them. Unfortunately, crude scams like this lull users into complacency. People start to think that phishing is unsophisticated and that they can spot it every time. That is precisely what attackers want.
Phishing attacks do not necessarily follow a simple formula of sending the same message to thousands of people. Some phishing scams are targeted and aim to trick only one or a dozen people. These targeted phishing attacks are called spear phishing.
Spear phishing attacks are very specific and target only a selected individual or organization. This kind of scam contains some of the personal information that hackers got from your social media profile or even a social media profile of your friends. Including personal information in a malicious email message significantly increases the credibility of the message.
Here’s an example of a targeted phishing attack.
1. Hackers have information that members of your company are taking part in a cybersecurity conference. Hackers got this information from your company’s Facebook page.
2. Hackers prepare a fraudulent email message where they act as an employee from your company who went to the conference.
3. Bad guys send an email message only to you and include details about the conference to make it look less suspicious.
4. The email message contains a link that looks like a link to your company’s product login site and asks you to log in to read important news on the conference.
5. You click the malicious link and log in to what you think is your company’s product login site.
6. Your login credentials are captured by the hacker, who can then use them on the legitimate site of your company’s product.
While the preceding scenario still resembles a plain phishing attack, the bad guys’ email message is much more believable due to all the details.
3. Don’t Click On That Link
- Triple-Check the Authenticity of Every Email
- Do Not Click on Links Inside Email Messages
Exercise extreme caution with the email messages you receive. Never click on links inside emails. If you receive a message with a link to your bank’s login page, go to the bank’s site independently instead of clicking the link. Add a bookmark for the bank’s address so you never mistype it.
If the message asks you to do something with your bank account, call your bank (using the number on your card or statement, not one taken from the email) and ask whether they sent it. Even if the bank confirms the message is genuine, still enter the address of the login page manually or use a bookmark. Attackers may know that a bank is emailing its customers and send their own fraudulent messages during that time.
Triple-check the authenticity of every email message you receive. If you absolutely have to click a link in an email, remember that the link text and the actual destination can differ: hover over the link to see where it really points, and after the page loads, triple-check the address in the browser’s address bar before entering anything.
4. Don’t Trust Unsecure Sites
- Ensure the URL of the Website Starts with HTTPS
- Ensure there is a closed padlock icon next to the URL
Never enter sensitive information on a website whose URL does not start with HTTPS or that has no closed padlock icon next to it, do not download files from such a site, and browse it with extreme caution. Keep in mind what the padlock does and does not prove: it means the connection is encrypted to the domain shown in the address bar, not that the domain is the one you think it is. Most phishing sites today also use HTTPS, so the padlock is a necessary check, not a sufficient one; the domain name itself is what you must verify. Note that some web browsers hide the HTTPS and www portion of the URL; in Google Chrome, for example, you may need to click in the address bar (sometimes twice) to see the full URL.
5. Don’t Disclose Personal Information
- Never Enter Personal Information on Suspect Sites
- Do not Share Sensitive Information on Your Social Media
Never enter your personal information such as your login, password, credit card number, address, signature, and date of birth on a website unless you are absolutely sure of the site’s authenticity. The general idea is: If you are unsure, do not do it.
As a rule of thumb, never disclose personal information on public websites where everybody can see your private information. Many people voluntarily reveal sensitive information without realizing this data can be picked up and used during a spear-phishing attack. While you do not necessarily have to go to the extremes of leaving your social media profiles blank, we recommend you think twice before you publish any information.
6. Update Regularly
- Keep Your Software Up to Date
- Turn On Automatic Updates
- Always Update Your Browser
Regular updates, especially automatic ones, can be annoying, so understandably you may be tempted to ignore them or turn them off. Don’t. Updates are necessary and improve your protection against phishing: an update ships the vendor’s response to the attack techniques seen since the previous version.
Software updates patch security holes and fix vulnerabilities in older versions of the software, and they keep protections such as the browser’s phishing and malware warnings working as intended. Since your browser is the first line of defense against phishing attacks, make it a point to always update your web browser.
7. Block Pop-Ups to Prevent Phishing Scams
- Use Popup-Blocking and Anti-Phishing Addons
- Close Pop-Ups Using the X Sign in One of the Corners or the Browser’s Own Controls
Pop-ups can be very annoying, but being irritating is not the worst thing about them. Attackers often use malicious pop-ups to start a phishing attack. Thankfully, all modern web browsers can block most types of pop-ups. We recommend installing additional anti-phishing, ad-blocking, or pop-up-blocking add-ons in your web browser.
Should a malicious pop-up evade your blocking add-ons, think twice before you close it. One popular trick is to give the pop-up its own Cancel button; never click a Cancel button inside a pop-up, as it will likely take you to a phishing site. Prefer the X in one of the corners, but be aware that a pop-up drawn by the page itself can fake that too. The safest option is to use the browser’s own controls: press Escape, close the tab, or end the browser process if the page refuses to close.
8. Enable 2FA With WebAuthn/U2F Security Keys
- Deploy Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) For All Your Users
- Use WebAuthn/U2F Security Keys to Prevent Phishing
Any Two-Factor Authentication (2FA) method raises the bar against phishing to some extent. Still, a particular category of phishing-resistant Multi-Factor Authentication (MFA) methods is especially effective, because a code sent by SMS or generated by an app can be phished and relayed just like a password, while a phishing-resistant method cannot.
Phishing-resistant Two-Factor Authentication is one of the best ways to prevent phishing attacks. WebAuthn/U2F security keys are physical key fobs you can use as an extra factor during login. They prevent phishing because each credential created on the key is bound to the domain (the WebAuthn relying party ID) of the site that registered it, and the browser, not the web page, tells the key which domain it is signing in to. During a phishing attack, the user is unknowingly redirected to a fraudulent website that is a malicious duplicate of the legitimate site, so users may enter their credentials without thinking twice. After the user enters them, the attacker captures the login and password and can then use them to sign in to the user’s account on the legitimate site.
WebAuthn/U2F security keys verify the website’s domain name for the user and abort the login attempt immediately if the domain does not match the one the credential was registered for: the key simply produces no valid signature for the wrong domain, so there is nothing for the attacker to relay. A key that checks the domain for the user matters because attackers sometimes build site replicas so good that the human eye cannot tell the fake from the original. For example, an attacker may deceive a human user by using homoglyphs.
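To make that check concrete, here is an added toy model of the three parties in a WebAuthn sign-in (example code written for this article edit, not Rublon’s code or any FIDO implementation): the security key, the browser, and the website. The site https://example.com, the attacker’s domains, and the challenge format are constructed for the demonstration, and an HMAC with a per-credential secret stands in for the real ECDSA key pair so the script runs without extra libraries. What it shows is that the browser, not the page, supplies the origin and derives the relying party ID from it, so a credential registered for example.com stays silent on any other domain, and even a relayed assertion is rejected because the signed data carries the origin and the hash of the RP ID.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit


def rp_id_from_origin(origin: str) -> str:
    """Effective domain of an origin in the ASCII (punycode) form browsers use as the RP ID.
    A homoglyph host with Cyrillic \u0435 in place of Latin e becomes 'xn--...', never 'example.com'."""
    host = urlsplit(origin).hostname or ""
    return host.encode("idna").decode("ascii").lower()


class Authenticator:
    """Toy security key. Every credential is scoped to exactly one RP ID when it is created.
    HMAC with a per-credential secret stands in for the real ECDSA key pair (simplification)."""

    def __init__(self):
        self._creds = {}  # credential_id -> (rp_id, secret)

    def make_credential(self, rp_id: str):
        cred_id, secret = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, secret)
        return cred_id, secret  # real WebAuthn hands the RP a public key instead of the secret

    def get_assertion(self, rp_id: str, cred_id: bytes, client_data_hash: bytes):
        stored = self._creds.get(cred_id)
        if stored is None or stored[0] != rp_id:
            return None  # credential is not scoped to this RP ID: the key stays silent
        # authenticatorData = rpIdHash (32 bytes) || flags || signCount (toy layout)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
        sig = hmac.new(stored[1], auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


def browser_get(key: Authenticator, origin: str, cred_id: bytes, challenge: str):
    """navigator.credentials.get() as the browser performs it: the browser, not the page,
    writes the origin into clientDataJSON and derives the RP ID from that origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    out = key.get_assertion(rp_id_from_origin(origin), cred_id, hashlib.sha256(client_data).digest())
    return None if out is None else (client_data, out[0], out[1])


class RelyingParty:
    """The website. It accepts assertions for its own origin and RP ID only."""

    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = rp_id_from_origin(origin)
        self._creds = {}  # credential_id -> verification secret (public key in real WebAuthn)

    def register(self, key: Authenticator) -> bytes:
        cred_id, secret = key.make_credential(self.rp_id)
        self._creds[cred_id] = secret
        return cred_id

    def new_challenge(self) -> str:
        return secrets.token_urlsafe(32)

    def verify(self, cred_id: bytes, challenge: str, response) -> bool:
        if response is None:
            return False  # the key never produced an assertion
        secret = self._creds.get(cred_id)
        if secret is None:
            return False  # unknown credential
        client_data, auth_data, sig = response
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False  # wrong ceremony or replayed/unknown challenge
        if cd.get("origin") != self.origin:
            return False  # assertion was produced for another origin
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False  # rpIdHash does not belong to this site
        expected = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        return hmac.compare_digest(sig, expected)


def demo() -> dict:
    """Sign in from the real site, then from two phishing origins that relay the real challenge."""
    key = Authenticator()
    site = RelyingParty("https://example.com")
    cred_id = site.register(key)
    attempts = {
        "legitimate": "https://example.com",
        "homoglyph": "https://\u0435xample.com",       # Cyrillic е (U+0435) instead of Latin e
        "lookalike": "https://example.com.evil.test",  # attacker-controlled domain (constructed)
    }
    results = {}
    for label, origin in attempts.items():
        challenge = site.new_challenge()  # a phisher can relay the genuine challenge to the victim
        results[label] = site.verify(cred_id, challenge, browser_get(key, origin, cred_id, challenge))
    return results


if __name__ == "__main__":
    print(demo())  # {'legitimate': True, 'homoglyph': False, 'lookalike': False}
```

The two failures happen at different layers on purpose: the key refuses to sign for a foreign RP ID, and the site independently checks the origin and rpIdHash, so a password-style relay of whatever the attacker collected still fails.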
Even though two domain names may be indistinguishable to the human eye, a security key can tell the difference and interrupt the sign-in before it is too late. But not many people use security keys, and attackers exploit this by registering lookalike domains that differ from the legitimate one by a single character.
Can you tell the difference between these two links?

The first link has the Cyrillic character “е” instead of the Latin character “e” and leads to a fake website. The difference is practically impossible for a person to spot, although modern browsers render many such mixed-script names in their punycode form (beginning with xn--), which is itself a warning sign. A security key is never fooled: the fake domain is a different relying party, so the key refuses to authenticate and the user never signs in to the fake site. Thus security keys, such as those using the FIDO2 standard, are an excellent way to prevent phishing.
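The following added script (written for this edit, not part of the original article) does for a link what tip 3 asks you to do by eye and what a security key does automatically: it parses the URL, exposes the real host behind an “@” trick or a lookalike subdomain, converts an internationalized host to its punycode form, and flags a host that mixes Unicode scripts, as the Cyrillic-е domain above does. The sample links and the expected domain example.com are constructed for the demonstration.

```python
import unicodedata
from urllib.parse import urlsplit


def script_of(ch: str) -> str:
    """Coarse script name taken from the Unicode character name: 'LATIN', 'CYRILLIC', 'GREEK', ..."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def inspect_link(url: str, expected_domain: str) -> list:
    """Reasons not to trust a link before clicking it. An empty list means the host is the
    expected domain (or a subdomain of it) over https with no lookalike tricks detected."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if parts.username is not None:
        # https://example.com@evil.test/ -- everything before '@' is userinfo, not the host
        findings.append(f"text before '@' ({parts.username!r}) is not the host; real host is {host!r}")
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return findings + ["host is not a valid internationalized domain name"]
    if ascii_host != host:
        findings.append(f"internationalized host; its punycode form is {ascii_host!r}")
    scripts = {script_of(c) for c in host if c.isalpha()}
    if len(scripts) > 1:
        findings.append("host mixes scripts: " + ", ".join(sorted(scripts)))
    if ascii_host != expected_domain and not ascii_host.endswith("." + expected_domain):
        findings.append(f"host {ascii_host!r} is neither {expected_domain!r} nor one of its subdomains")
    return findings


# Constructed links, not taken from the page. \u0435 is Cyrillic small letter ie.
SAMPLE_LINKS = [
    "https://login.example.com/account",
    "http://login.example.com/account",
    "https://\u0435xample.com/login",
    "https://example.com.evil.test/login",
    "https://example.com@evil.test/login",
]


def scan(links=SAMPLE_LINKS, expected_domain="example.com") -> dict:
    """Inspect every link against the domain the user believes they are visiting."""
    return {url: inspect_link(url, expected_domain) for url in links}


if __name__ == "__main__":
    for url, findings in scan().items():
        print(url, "->", findings or "ok")
```

The mixed-script test is deliberately coarse (it keys off the first word of the Unicode character name), which is enough to catch a single Cyrillic letter dropped into a Latin name; a production filter would also compare confusable characters within one script.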
9. Enable Firewalls
- Enable Filtering on Your Email Server
- Use Network Firewall
- Use Desktop Firewall
Ensure your company’s email server has security features that filter messages from malicious senders and place them in the spam folder. Good filters check that the sender is who they claim to be (SPF, DKIM and DMARC), evaluate whether the message looks suspicious, and either put it in spam or block it altogether.
But email filters may not be enough. Use both desktop and network firewalls to build a layered defense against outside intruders. Firewalls monitor and filter incoming and outgoing network traffic based on your company’s pre-defined security policies; they do not stop a phishing email from arriving, but they can block the connection to a known malicious site or the malware download that a successful phish leads to.
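As an added illustration of what a good inbound filter evaluates (example code for this edit, not part of the article or of any mail product), the script below parses two constructed messages, reads the SPF, DKIM and DMARC verdicts the receiving server recorded in the Authentication-Results header, checks that the Reply-To address and the links in the body belong to the sender’s domain, and returns a verdict. The domains, addresses and header values are made up for the demonstration, and treating any DMARC failure as quarantine is a simplification; real receivers honor the policy the sender’s domain publishes.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed messages, not from the page. Authentication-Results is written by the
# receiving mail server after it has checked SPF, DKIM and DMARC for the message.
SAMPLE_PHISH = b"""\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=evil.test;
 dkim=none; dmarc=fail header.from=bank.example.com
From: "Bank Security Team" <alerts@bank.example.com>
Reply-To: support@evil.test
To: user@example.org
Subject: URGENT: your account will be suspended in 1 hour
Content-Type: text/plain

Verify now: https://bank.example.com.evil.test/verify
"""

SAMPLE_LEGIT = b"""\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bank.example.com;
 dkim=pass header.d=bank.example.com; dmarc=pass header.from=bank.example.com
From: "Bank" <alerts@bank.example.com>
To: user@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain

Sign in at https://bank.example.com/statements to view it.
"""


def auth_results(msg) -> dict:
    """Extract the spf/dkim/dmarc verdicts ('pass', 'fail', 'none', ...) from Authentication-Results."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def classify(raw: bytes):
    """Return (verdict, reasons); verdict is 'deliver', 'suspicious' or 'quarantine'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    results = auth_results(msg)
    for check in ("spf", "dkim", "dmarc"):
        if results.get(check) != "pass":
            reasons.append(f"{check}={results.get(check, 'missing')}")
    from_domain = domain_of(parseaddr(str(msg.get("From", "")))[1])
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append(f"Reply-To goes to {domain_of(reply_to)}, not {from_domain}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for url in re.findall(r"https?://[^\s<>\"]+", text):
        host = urlsplit(url).hostname or ""
        if host != from_domain and not host.endswith("." + from_domain):
            reasons.append(f"link host {host} is outside sender domain {from_domain}")
    # Simplification: a DMARC failure, or two independent signals, is enough to quarantine.
    if results.get("dmarc") == "fail" or len(reasons) >= 2:
        return "quarantine", reasons
    return ("suspicious" if reasons else "deliver"), reasons


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, classify(raw))
```

The sender-authentication verdicts matter most here: the forged From header claims bank.example.com, but the message was sent from evil.test, so SPF and DMARC fail regardless of how convincing the text is.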
10. Raise Phishing Awareness
- Conduct a Security Training For Your Employees
- Be Aware of Other Kinds of Cyberattacks
You should use all advice in this article to prevent phishing. Make sure all employees in your company are safe from phishing scams.
Every company should conduct comprehensive cybersecurity training for its employees. Next to phishing, ransomware is a prevalent way attackers operate, and the two are linked: a phishing email is one of the most common ways ransomware gets in. Every employee has to be aware of ransomware and phishing schemes and know their part in identifying, detecting, preventing, and remediating cyberattacks.
Prevent Phishing Today
There is no single fool-proof way to prevent phishing attacks, but combining all tips outlined in this article will significantly improve your safeguards against this attack. You can train yourself to get better at identifying and preventing phishing attacks and use security means such as phishing-resistant Multi-Factor Authentication and firewalls to get the better of hackers. You can also train your employees, friends, and family members to increase the general awareness of phishing.
Rublon is a $1-per-user MFA solution that supports FIDO2 standard security keys and protects hundreds of applications from cyberattacks.