How to Avoid Phishing Attacks


Nobody wants to fall prey to a phishing scam. Phishing scams have been around practically since the inception of the Internet, and they will not go away any time soon. Fortunately, there are ways to avoid becoming a victim yourself.

A phishing attack usually comes in the form of a message meant to convince you to:

  • click on a link;
  • open a document;
  • install software on your device; or
  • enter your username and password into a website that’s made to look legitimate.

This tutorial will help you to identify phishing attacks when you see them and outline some practical ways to help defend against them.


Phishing for Passwords

Suppose you receive an email from your bank, eBay, PayPal, or a similar site announcing a problem with your account. Invariably, the email offers a handy link to click, saying that you must enter your username and password to set things in order.

Don't click the link, no matter how realistic the email and website may appear. You're looking at an ugly industry called phishing: fraudsters send millions of these messages worldwide, hoping to convince a few frightened souls into typing their precious account name and password.

On a computer you can usually see a link's real destination by hovering the mouse over it (on a phone, press and hold the link). But the destination itself can be disguised: attackers register domains that are one letter off from the real one (a digit 1 in place of the letter l, for instance), substitute lookalike characters from other alphabets that render identically, or put the real brand name in a subdomain of a domain they control, so that the address starts with the name you expect and ends somewhere else. The page at the other end is a replica of a login screen for a service you use, such as Gmail or Dropbox, often convincing enough that it is tempting to type your username and password. If you do, your credentials go straight to the attackers.
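The checks just described can be written down. The following is an added example, not code from the original article: it takes a link as it appears in an email (the visible text plus the real href) and reports the tricks above: a non-https destination, a user@ prefix that hides the real host, lookalike or non-ASCII characters, a visible address that differs from the real one, a domain one edit away from a trusted brand, and a trusted brand buried in a subdomain. The trusted-domain list, the confusable table and every sample link are constructed for the demonstration; the one real identifier is the well-known Cyrillic "apple" homograph domain used in the 2017 demonstration of this attack.

```python
# Added example, not code from the original article: check a hyperlink the way
# the text above says a reader should, before clicking it.  The trusted-domain
# list, the confusable table and all sample links are constructed for this demo.
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("paypal.com", "dropbox.com", "google.com", "ebay.com")

# Substitutions attackers rely on: digits for letters, "rn" for "m", and
# Cyrillic a, e, o, p, c, x (U+0430, U+0435, U+043E, U+0440, U+0441, U+0445),
# which render exactly like their Latin twins.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0441": "c", "\u0445": "x"}


def decode_host(host):
    """Turn punycode labels (xn--...) back into Unicode so we see the real glyphs."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except ValueError:
                pass  # malformed punycode: keep the raw label, it is flagged below
        labels.append(label)
    return ".".join(labels)


def registrable_domain(host):
    """Last two labels of a hostname; adequate for .com-style suffixes."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def normalize_lookalikes(name):
    """Map confusable characters to the Latin letters they imitate."""
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name


def edit_distance(a, b):
    """Levenshtein distance; one edit away from a brand is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_link(display_text, href):
    """Return the reasons a link looks like phishing; an empty list means none found."""
    reasons = []
    url = urlsplit(href)
    host = decode_host(url.hostname or "")
    domain = registrable_domain(host)

    if url.scheme != "https":
        reasons.append("not https")
    if url.username is not None:
        # https://paypal.com@evil.example/ : the browser ignores everything before @
        reasons.append(f"user@ prefix in URL; real host is {host}")
    if "xn--" in host or any(ord(c) > 127 for c in host):
        reasons.append("non-ASCII characters in hostname (possible homograph)")

    # Link text that itself looks like a URL must point where it says it does.
    shown = re.search(r"([A-Za-z0-9.-]+\.[A-Za-z]{2,})", display_text)
    if shown and registrable_domain(shown.group(1)) != domain:
        reasons.append(f"text shows {registrable_domain(shown.group(1))} "
                       f"but link goes to {domain}")

    if domain not in TRUSTED_DOMAINS:
        name = domain.split(".")[0]
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if (normalize_lookalikes(name) == brand
                    or edit_distance(name, brand) == 1
                    or brand in name.split("-")):
                reasons.append(f"{domain} imitates {trusted}")
                break
        # www.dropbox.com.file-share.example: the brand sits in a subdomain
        # of a domain the attacker controls.
        padded = "." + host + "."
        for trusted in TRUSTED_DOMAINS:
            if "." + trusted + "." in padded:
                reasons.append(f"{trusted} appears as a subdomain of {domain}")
                break
    return reasons


if __name__ == "__main__":
    for text, href in [
        ("https://www.paypal.com/account", "https://www.paypal.com/account"),
        ("Verify your PayPal account", "http://paypa1.com/verify"),
        ("https://www.dropbox.com/s/shared",
         "https://www.dropbox.com.file-share.example/login"),
        ("paypal.com", "https://paypal.com@evil.example/"),
    ]:
        print(f"{href}\n  -> {inspect_link(text, href) or 'nothing suspicious'}")
```

These are heuristics that flag a link for a closer look, not a verdict: a legitimate domain such as a brand's own secondary domain can trip the one-edit or hyphen rule, and a clean result only means none of these particular tricks was found.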

Financial sites may send you legitimate statements, receipts, or confirmation notices, but they should never need you to follow an emailed link and type your password to fix a problem. Treat any message that asks you to do so as suspect, however genuine it looks.

If you’re suspicious, visit the company’s real website by typing the real web address by hand into your web browser’s address bar. Chances are good that the real site won’t list anything as being wrong with your account.

Remember, the sender address shown in an email is easy to forge. Checking that the apparent From: address looks right is therefore not enough to confirm who really sent a message. Receiving mail servers add authentication headers (the SPF, DKIM and DMARC results) that are a far better indication, and your email provider may already hide or flag messages that fail them.
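What that looks like in practice, as an added example that is not part of the original article: the code below parses a raw message, reads the Authentication-Results header added by your own receiving mail server, and compares the DKIM-signing domain with the domain in the visible From: line. Both sample messages are constructed, and the server name mx.example.net stands in for your provider's inbound mail server; you can find the real name at the start of the Authentication-Results header when you view a message's raw source.

```python
# Added example, not code from the original article: read the authentication
# results your own mail server attached to a message instead of trusting the
# visible From: line.  Both sample messages are constructed; the server name
# "mx.example.net" stands in for your provider's inbound mail server.
import email
import re
from email import policy
from email.utils import parseaddr

SPOOFED = """\
Return-Path: <bounce@mail.attacker.example>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=mail.attacker.example;
 dkim=pass header.d=mail.attacker.example;
 dmarc=fail header.from=bank.example
From: "Secure Bank" <alerts@bank.example>
To: victim@example.net
Subject: Urgent: verify your account

Click here to restore access.
"""

GENUINE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bank.example;
 dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Secure Bank" <alerts@bank.example>
To: victim@example.net
Subject: Your monthly statement

Statement attached.
"""


def authentication_summary(raw_message, authserv_id):
    """Return (from_domain, verdicts, dkim_signer, aligned).

    verdicts maps spf/dkim/dmarc to the result reported by the server named
    authserv_id.  Authentication-Results headers stamped by anyone else are
    ignored, because an attacker can add a forged one before sending.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()

    trusted = []
    for header in msg.get_all("Authentication-Results", []):
        text = re.sub(r"\s+", " ", str(header)).strip()   # unfold the header
        if text.split(";", 1)[0].strip().lower() == authserv_id.lower():
            trusted.append(text)
    text = " ".join(trusted)

    verdicts = {m: r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text)}
    match = re.search(r"header\.d=([\w.-]+)", text)
    signer = match.group(1).lower() if match else None
    # DMARC relaxed alignment, approximated: the signing domain must be the
    # From: domain or a subdomain of it.  spf=pass alone says nothing about
    # the From: line, since SPF checks the envelope sender (Return-Path).
    aligned = signer is not None and (signer == from_domain
                                      or signer.endswith("." + from_domain))
    return from_domain, verdicts, signer, aligned


def classify(raw_message, authserv_id):
    """'authenticated', 'spoofed' or 'unverified' for the visible From: address."""
    _, verdicts, _, aligned = authentication_summary(raw_message, authserv_id)
    if verdicts.get("dmarc") == "pass" or (verdicts.get("dkim") == "pass" and aligned):
        return "authenticated"
    if verdicts.get("dmarc") == "fail":
        return "spoofed"
    return "unverified"   # no trusted results: the From: line proves nothing


if __name__ == "__main__":
    for name, raw in (("spoofed sample", SPOOFED), ("genuine sample", GENUINE)):
        print(name, "->", classify(raw, "mx.example.net"),
              authentication_summary(raw, "mx.example.net"))
```

Note that the spoofed sample passes both SPF and DKIM: the attacker's own domain is correctly configured. Only the alignment check and the DMARC result expose that the From: line belongs to a different domain than the one that actually signed the message.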



Spear Phishing

Spear phishing is an email aimed at a specific individual or department within an organization that appears to come from a trusted source, such as a colleague, a supplier, or your own IT department. In reality it is a criminal attempting to steal confidential information or to get you to run something on your machine.

Spear phishing attacks are tailored using something the attacker already knows about the target, often gathered from social media, company websites, or earlier data breaches, which is why they are far more convincing than mass-mailed scams.

The most reliable protection is to treat links and attachments you did not expect as hostile: do not click or open them, and confirm any unexpected request with the apparent sender through a channel you already trust, such as a phone number you already have, never one given in the message itself.



How to Help Defend Against A Phishing Attack

  • Phishing attacks that deliver malware often rely on bugs in the software on your machine to get the malware installed. Once a bug becomes known, the vendor usually releases an update to fix it, so keeping your software up to date closes off many of these attacks.

  • While it’s easy for a human to be tricked by fake login pages, password managers are not tricked in the same way. If you use a password manager (including the built-in password manager in your browser), and it refuses to auto-fill a password, you should hesitate and double check the site you’re on. Better yet, use randomly generated passwords so that you are forced to rely on auto-fill, and less likely to type your password into a fake login page.

  • Use Your Browser's Phishing Protection – Major browsers now ship with services such as Google Safe Browsing and Microsoft SmartScreen that check the sites you visit against lists of known phishing and malware sites and warn you before the page loads; make sure that setting is turned on. Anti-phishing extensions add the same kind of check. This is one more layer of protection, and it is free, but it only catches sites that are already on a blocklist, so a freshly registered phishing domain may get through.

  • Before submitting any information, confirm that the URL begins with https:// and that the browser shows a closed lock icon, and click the lock to check that the certificate was issued for the site you intended to visit. Be clear about what this does and does not tell you: https only means your connection is encrypted to whoever controls that domain. Phishing sites routinely obtain valid certificates for their lookalike domains, so the lock is necessary but not sufficient. If your browser warns that a site may be unsafe, do not proceed, and never download files from suspicious emails or websites. Even search engine results can lead to phishing shops offering low-cost products; any card details entered on such a site go straight to the criminals.

  • Keep Your Browser Up to Date – Security patches are released for popular browsers all the time, in response to vulnerabilities that phishers and other attackers inevitably discover and exploit. If you typically ignore messages about updating your browser, stop: install updates as soon as they are available, or turn on automatic updates.

  • Be Wary of Pop-Ups – Pop-up windows often masquerade as legitimate components of a website, but all too often they are phishing attempts. Most browsers block pop-ups by default and let you allow them site by site. If one slips through, do not trust any button drawn inside it: a fake "cancel" button, or even a fake close button, can be a link to the phishing site. Close the tab or window with the browser's own controls instead.

  • Never Give Out Personal Information on Request – Never share personal or financial details in reply to an unsolicited email, message, or phone call. Enter such information only on sites you navigated to yourself, and only for transactions you initiated.

  • Some people expect to receive attachments from unknown persons. For example, journalists commonly receive documents from sources. But it can be difficult to verify that a Word document, Excel spreadsheet, or PDF file isn't malicious. In these cases, don't double-click the downloaded file. Instead, upload it to Google Drive or another online document viewer, which renders the document as an image or HTML and almost certainly prevents it from installing malware on your device. Bear in mind that this shares the document with that service, so it is not appropriate for material that must stay confidential; open such files in a disposable virtual machine or a sandboxed viewer instead.

  • You can also submit untrusted links and files to VirusTotal, an online service that checks them against dozens of antivirus engines and reports the results. This isn't foolproof: antivirus often fails to detect new malware or targeted attacks, and anything you upload is shared with security vendors and researchers, so look a file up by its hash first and do not upload confidential documents. It is still better than nothing.

  • Some phishing emails claim to come from a computer support department or a technology company and ask you to reply with your password, to let a "computer repair person" take remote control of your computer, or to disable a security feature on your device. The email usually offers a plausible reason, for example that your mailbox is full or that your computer has been hacked. Following such instructions hands the attacker exactly what they need. Be especially careful before giving anyone technical details or following technical instructions unless you can be absolutely certain the request is genuine; a real support department will not ask for your password.

  • Be careful on public, unsecured Wi-Fi. HTTPS protects what you send to a genuine site, but a hostile network can present fake login pages and captive portals, and can tamper with anything that is not sent over HTTPS. Avoid banking, shopping, or entering personal information on such networks; use your phone's mobile data or a VPN you trust instead.

  • Phishers cannot forge a genuine https:// connection to a site they do not control, but they do not need to: they can obtain a valid certificate for their own lookalike domain, and the visible text of a link in an email can show a perfectly legitimate address while the underlying link goes somewhere else entirely. That is why, again, you should type the web address yourself instead of clicking on displayed links.

  • Free antivirus and anti-spam software adds another layer: it filters out many malicious messages before you see them and blocks known malware if you do open an attachment. It is not a substitute for judgement, because it recognises threats it already knows about and often misses new or targeted attacks, but it belongs on every computer as a complement to common sense.

  • Make sure to keep the operating system and antivirus program up-to-date.



How to Perform Anti-Phishing Checks
