How to: Avoid Phishing Attacks

On your path to improving your digital security, you may encounter bad actors who attempt to undermine your security goals. We call these bad actors adversaries. When an adversary sends an email (or text message or message in an app) or link that looks innocent, but is actually malicious it’s called “phishing.”

A phishing attack usually comes in the form of a message meant to convince you to:

• click on a link
• open a document
• install software on your device
• enter your username and password into a website that’s made to look legitimate

Phishing attacks are typically designed to trick you into giving up your passwords or trick you into installing malware on your device. Attackers can then use malware to remotely control your device, steal information, or spy on you.

This guide will help you to identify phishing attacks when you see them and outline some practical ways to help defend against them.

While we talk mostly about email phishing in this guide, these techniques aren’t limited to email; they can work over the phone, over SMS, or in apps with chat functions. 

Types of Phishing Attacks anchor link

Phishing for Passwords (aka Credential Harvesting) anchor link

Phishers try to  trick you into giving over your passwords by sending you a deceptive link. Web addresses in a message may appear to have one destination, but lead to another. On your computer, you can usually see the destination URL by hovering over the link. But links can be further disguised with “lookalike letters,” or by using domain names that are one letter off from legitimate domain names and may direct you to a webpage that appears to go to a service that you use, such as Gmail or Dropbox. These fake replica login screens often look so legitimate that it’s tempting to type your username and password. If you do, you will send your login credentials to the attackers.

So before typing any passwords, look at the address bar of your web browser . It will show the real domain name of the page. If it doesn't match the site you think you’re logging into, don't continue! Seeing a corporate logo on the page doesn't confirm it's real. Anybody can copy a logo or design onto their own page to try and trick you.

Some phishers use sites that look like popular web addresses to fool you: https://wwwpaypal.com/ is different from https://www.paypal.com. Similarly https://www.paypaI.com (with a capital letter “i” instead of a lowercase “L”) is different from https://www.paypal.com. Many people use URL shorteners to make long URLs easier to read or type, but these can be used to hide malicious destinations. If you receive a shortened URL like a t.co link from Twitter, try putting it into https://www.checkshorturl.com/ to see where it's really going.

Don’t trust the email sender, either. It's easy to forge emails so that they display a false return address. This means that checking the apparent email address of the sender isn't enough to confirm that an email was really sent by the person it appears to be from.

Spearphishing (voice phishing, SMS phishing, etc) anchor link

Most phishing attacks cast a wide net. An attacker might send emails to hundreds or thousands of people claiming to have an exciting video, important document, a shipping notification, or billing dispute.

But sometimes phishing attacks are targeted based on something the attacker already knows about an individual. This is called “spearphishing.” Imagine you receive an email from your Uncle Boris that says it contains pictures of his kids. Since Boris actually has kids and it looks like it is from his address, you open it. When you open the email, there is a PDF document attached to it. When you open the PDF, it may even display pictures of Boris’ kids, but it also quietly installs malware on your device that can be used to spy on you. Uncle Boris didn't send that email, but someone who knows you have an Uncle Boris (and that he has children) did. The PDF document that you clicked on started up your PDF reader, but took advantage of a bug in that software to run its own code. In addition to showing you a PDF, it also downloaded malware onto your computer. That malware could retrieve your contacts and record what your device's camera and microphone sees and hears.

Another form of spearphishing is voice phishing, where an attacker impersonates a specific target, possibly even going as far as making an AI clone of their voice. If the voice sounds off or is asking you for unusual things such as money, ask them to verify their identity another way (such as telling you something only the two of you know or sending a message from another account). 

The best way to protect yourself from phishing attacks is to never click on any links or open any attachments. But this advice is unrealistic for most people. Below are some practical ways to defend against phishing.

How to Help Defend Against A Phishing Attack anchor link

Keep Your Software Updated anchor link

Phishing attacks that use malware often rely on software bugs in order to get the malware onto your machine. Usually once a bug becomes known, a software manufacturer will release an update to fix it. This means that older software has more publicly-known bugs that could be used to help install malware. Keeping your software up to date reduces malware risks.

Use a Password Manager with Auto-fill anchor link

Password managers that auto-fill passwords keep track of which sites those passwords belong to. While it’s easy for a human to be tricked by fake login pages, password managers are not tricked in the same way. If you use a password manager (including the built-in password manager in your browser), and it refuses to auto-fill a password, you should hesitate and double check the site you’re on. Better yet, use randomly generated passwords so that you are forced to rely on auto-fill, and less likely to type your password into a fake login page. However, note that websites can (and do) change their login pages, and sometimes doing so can interfere with auto-fill working properly, even on legitimate websites. When in doubt, head directly to a website’s login page from your browser, not by clicking a link in a message.

Verify Emails and Text Messages with Senders anchor link

One way to determine if an email or text is a phishing attack is to check via a different channel with the person who supposedly sent it. If the email or text was purportedly sent from your bank, don’t click on links. Instead, call your bank or open your browser and type in the URL of your bank's website. Likewise, if your Uncle Boris sends you an odd looking email attachment, send him a text message and ask if he sent you pictures of his kids before opening it.

Open Suspicious Documents in Google Drive anchor link

Some people expect to receive attachments from unknown persons. For example, journalists commonly receive documents from sources. But it can be difficult to verify that a Word document, Excel spreadsheet, or PDF file isn't malicious.

In these cases, don't double-click the downloaded file. Instead, upload it to Google Drive or another online document reader. This will turn the document into an image or HTML, which almost certainly will prevent it from installing malware on your device. 

If you're comfortable with learning new software, willing to spend time setting up a new environment for reading mail or foreign documents, and get enough of these sorts of emails to justify the extra time requirements, consider using a dedicated operating system designed to limit the effect of malware. Tails is a Linux-based operating system that deletes itself after you use it. Qubes is another Linux-based system that carefully separates applications so that they cannot interfere with each other, limiting the effect of any malware. Both are designed to work on laptop or desktop computers.

You can also submit untrusted links and files to VirusTotal, an online service that checks files and links against several different antivirus engines and reports the results. This isn't foolproof—antivirus often fails to detect new malware or targeted attacks—but it is better than nothing. However, note that any file or link that you upload to a public website, such as VirusTotal or Google Drive, can be viewed by anyone working for that company, or possibly anyone with access to that website, such as in the case of VirusTotal. If the information contained in the file is sensitive or privileged communications, you may want to consider an alternative.

Use a Universal 2nd Factor (U2F) Key at Login anchor link

Some sites allow you to use a special hardware token with advanced capabilities to avoid phishing attempts. These tokens (or “keys”) communicate with your browser to establish per-site credentials for logging in. This is called Universal 2nd Factor or “U2F,” because it is a standard way to require a second authentication method—in addition to your passphrase —at login. You simply log in normally, and (when prompted) connect the key to your computer or smartphone and press a button to log in. If you are on a phishing site, the browser will know not to log you in with credentials established on the legitimate site. This means that even if a phisher tricks you and steals your passphrase, they won’t compromise your account. Yubico (one manufacturer of such keys) provides more information about U2F. 

This should not be confused with two-factor authentication in general, which may or may not provide phishing protection. Passkeys are a newer option of login that can provide phishing protection, and you should consider using it when offered. With passkeys, your browser knows exactly which site goes with which passkey, and isn’t tricked by fake websites.

Be Careful of Emailed Instructions anchor link

Some phishing emails claim to be from a computer support department or technology company and ask you to reply with your passwords, to allow a “computer repair person” remote access to your computer, or to disable some security feature on your device. These emails often have an insistent tone and try to use fear to trick you into something.

For example, an email might give a purported explanation of why this is necessary by claiming that your email box is full or that your computer has been hacked. Unfortunately, obeying these fraudulent instructions can be bad for your security. Be especially careful before giving anyone technical data or following technical instructions unless you can be absolutely certain that the request's source is genuine. Most companies will not reach out to troubleshoot for you. At most, they may send you a notification about an upcoming change or data overage alongside a link to public documentation.

If someone sends you a suspicious email or link, don’t open or click on it until you’ve mitigated the situation with the above tips and you can be confident it’s not malicious.

Disable External Images in Your Email Software anchor link

Images inside an email can be used to track who opened an email and when. You’ve probably encountered plenty of these in marketing emails, but they can be useful in phishing, too. So, instead of allowing every image to load in every email all the time, it’s best to set your email client—whether that’s an app like Outlook or a service like Gmail—to “Ask before displaying external images.” With this option set, you will need to click an option in every email to load images. Some email apps may also offer other privacy measures, like Apple’s Mail app, which loads all images remotely by default.