Phishing is a huge security problem and a menace to society because there is no single fool-proof way of preventing or avoiding it. Sadly, it plays on human psychology, such that even people who are tech-savvy and know what they are doing often fall for it.
Well, all hope is not lost. As deceitful and polished as the bad guys try to make their phishing emails and websites look, they still slip up, leaving many indications and plenty of chances to detect that it's a phishing attack, and therefore allowing us to gallantly avoid it.
Now, as someone who has extensively researched and studied the subject of phishing over the past few years, and who has also been responsible for sending a few phishing emails myself and setting up phishing websites to educate and train users on how to detect and avoid phishing, I have developed a kind of mental process: a series of checks I run to ascertain the genuineness of a website or the authenticity of an email before me, before I ever open it (very important).
In the few points listed below, I share that process, including all I have learned about avoiding and preventing phishing attacks in general. Let's get to it.
- 1. Before you open any email, engage critical thinking
- 2. Do not open unsolicited emails
- 3. Assume every email is a phish
- 4. Watch out for phishing emails coming from “trusted contacts”
- 5. Verify delicate email messages using alternate means of communication
- 6. Learn how to unmask shortened links
- 7. Stay away from public WiFi networks
- 8. Start using a password manager today!
- 9. Clean your computer with a capable anti-malware software
- 10. Invest in learning personal cyber security
1. Before you open any email, engage critical thinking
Yes, before I even attempt to open an email to reveal its content, I usually pause for about 3 to 5 seconds and ask myself these 3 quick questions:
- Was I expecting this email?
- Does this email come from someone I know or service I use?
- (Judging from the subject line) Is this a reasonable email for me to be receiving at this time?
By the time I have engaged my critical thinking for a few seconds and truthfully answered those questions, I already know whether to open or trash that email.
And when I do open the email, I always ensure I am not acting on it or clicking links in it based on my current emotional or physical state. This is important so as not to have my amygdala hijacked.
I especially recommend Chris Hadnagy's book on phishing, titled Phishing Dark Waters, where I first saw that term, amygdala. The book is an invaluable resource; I can't recommend it enough.
But in short, "The amygdala is a small part of the brain that is largely responsible for generating emotional responses. An amygdala hijack is when something generates an overwhelming and immediate emotional response".
2. Do not open unsolicited emails
Did you know that sometimes the ONLY action a criminal hacker wants you to take on a phishing email is to open it?
Merely by opening an email, a hacker can fingerprint you. Fingerprinting is a reconnaissance technique, carried out before the actual attack, to find out more about a target victim.
Fingerprinting lets an attacker know what device type you are using, and most especially the VERSION of that device. A phishing email meant to fingerprint a target would usually not contain any malware or viruses or any call to action; its sole purpose is for the victim to open the email.
And when the victim does, the attacker knows what you are viewing the email with, whether it's an email client or a browser, and its version. If you are on a computer, he can learn the operating system and version as well.
This information is very important to the attacker: when he goes on to send the actual malicious phishing email, he can lace it with a malware attachment chosen, based on the fingerprinting results, to bypass your computer's security controls.
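The usual mechanism behind this, which the post does not spell out, is remote content: an image (often a 1x1 "tracking pixel") that the mail client fetches from the sender's server when it renders the message, handing over the client's IP address and User-Agent string. The script below is an added example, not code from the original post; it parses a raw message and lists every remote reference a client would fetch, so that you can see the beacon without opening the email. The sample message, its hostnames and the token in it are constructed placeholders.

```python
"""Inspect an email for remote content that would phone home when opened.

Added example, not code from the original post. The sample message and every
hostname and token in it are constructed placeholders.
"""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: an HTML email with a 1x1 remote image whose URL carries a
# per-recipient token. A client that loads remote images would fetch it, handing
# the sender the recipient's IP address and User-Agent (client and version).
SAMPLE_EML = """\
From: "Payroll" <payroll@example.invalid>
To: alice@example.test
Subject: Updated payslip
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi Alice, your payslip is attached.</p>
<img src="https://track.example.invalid/open.gif?rid=PLACEHOLDER_TOKEN" width="1" height="1">
<img src="cid:logo" alt="company logo">
</body></html>
"""

REMOTE_SCHEMES = ("http://", "https://", "//")


class RemoteRefParser(HTMLParser):
    """Collect URLs a mail client would fetch over the network while rendering."""

    def __init__(self):
        super().__init__()
        self.remote = []  # (tag, url, looks_like_tracking_pixel)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = ""
        if tag in ("img", "iframe", "script", "video", "audio"):
            url = a.get("src", "")
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower():
            url = a.get("href", "")
        elif tag in ("body", "table", "td"):
            url = a.get("background", "")
        if url.lower().startswith(REMOTE_SCHEMES):
            # A 0x0 or 1x1 image has no visual purpose; its only job is the fetch.
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            self.remote.append((tag, url, tag == "img" and tiny))


def remote_references(raw_eml):
    """Return (tag, url, is_pixel) for every remote reference in the HTML parts."""
    msg = message_from_string(raw_eml)
    parser = RemoteRefParser()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            parser.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return parser.remote


def beacon_report(raw_eml):
    """Summarise what opening the message would reveal, and to whom."""
    refs = remote_references(raw_eml)
    return {
        "remote_count": len(refs),
        "tracking_pixels": [url for _, url, pixel in refs if pixel],
        "contacted_hosts": sorted({urlsplit(u).hostname or "" for _, u, _ in refs}),
    }


if __name__ == "__main__":
    for key, value in beacon_report(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The `cid:` image is deliberately not reported: it refers to an attachment inside the message, so rendering it contacts nobody. The practical mitigation the report points at is the mail client setting that blocks remote images by default.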
3. Assume every email is a phish
This probably should be first on this list. Your phishing training only kicks in when you are already suspicious of an email.
It doesn't matter what you have been taught about phishing or how much experience you have dealing with it: if you do not approach every email you receive as a potential phish, you might swallow a "phishing hook" stomach-deep before you realize it, assuming you even get to realize it.
So it's safe to assume that EVERY email is a phish. I wouldn't consider this over the top or paranoid at all, because phishing is one of the biggest cybercrime threats organizations and individuals face today.
In fact, researchers at FireEye, after examining over 500 million emails from January through June 2018, reported that ONE in every 101 emails is a hacking attack. In more recent 2019 research, Verizon reported that of the 2,013 confirmed data breaches, 32% included phishing attacks. Now, in 2020, these statistics are forecast to grow exponentially, more so because of the Coronavirus pandemic.
4. Watch out for phishing emails coming from “trusted contacts”
Cybercriminals will do anything to appear as "trustworthy" as possible so as to increase the likelihood of the victim taking the phishing bait. One particular means of achieving this is the impersonation of trusted contacts. Allow me to explain!
After a cybercriminal successfully phishes the credentials of, say, an employee of an organization (which is quite easy to do, by the way), he may then start sending phishing emails as that user to other employees of the organization. As you can imagine, this is a big problem!
Unfortunately, if you were the recipient of such a phishing email, it would be significantly harder to detect that it is a phish, because the attacker can take advantage of an existing email conversation already going back and forth to send a malicious link or ask the other party to install some malware.
Again, this ties right into the previous tip: treat every email as a potential phishing email, so that even if you do fall for the phish, you won't be taken too much by surprise. At that point, once you've discovered it, you can quickly roll your credentials and use capable anti-virus software to get rid of any malware installed.
5. Verify delicate email messages using alternate means of communication
Develop a habit of ALWAYS verifying email messages that request you to urgently take a delicate action, e.g. executing a $10m offshore wire transfer.
A simple 30-second phone call to the person who supposedly sent you that email (or text message, WhatsApp message, etc.) may be just what foils that potential phishing attack. This is so important I cannot emphasize it enough!
Cybercriminals love to impersonate authority figures in organizations to trick other employees, particularly in the finance department, into carrying out business-critical directives like a wire transfer order.
If organizations empower lower-level employees to always use an alternate method of communication to verify delicate email instructions that appear to come from board members, then CEO phishing scams, or Business Email Compromise (BEC) attacks, like the one I have described above could be foiled, saving the millions that would have been lost in a potential cyber attack.
6. Learn how to unmask shortened links
A key way the bad guys love to share their malicious phishing links is to mask them using free link-shortening services.
This not only makes the shortened link portable and easier to share around, but it may succeed in deceiving clueless users into thinking the shortened version is the actual link, relaxing any suspicion they may have.
But it's super easy to unmask shortened URLs or links; you don't have to click on one and land on the destination first to find out where it goes.
Unshorten.it is one link-uncloaking service I like to use. It supports uncloaking many of the link-shortening services around, e.g. .co, goo.gl, bit.ly, amzn.to, tinyurl.com, ow.ly, youtu.be, etc. You can use another link-uncloaking website if you wish; a quick Google search can help you with that.
A general rule is that if you are suspicious or unsure where a shortened web link is going to lead, simply avoid clicking on it.
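What an uncloaking service does under the hood is follow the shortened link's HTTP redirect chain one hop at a time, without ever loading the final page. The script below is an added example, not the original post's code and not Unshorten.it's implementation: it issues HEAD requests, refuses to let the HTTP library follow redirects silently, and reports every hop so you can judge the real destination before deciding whether to click. The shortener hostnames are the ones the post lists; the offline redirect table, its placeholder paths and the `unknown-host.example.invalid` destination are constructed so the example runs without network access.

```python
"""Walk a shortened link's redirect chain without loading the destination page.

Added example; not the original post's code and not how Unshorten.it works
internally. The shortener hostnames come from the post; the offline redirect
table and the hostnames in it are constructed placeholders.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Shortening services named in the post (hostnames only).
SHORTENERS = {"goo.gl", "bit.ly", "amzn.to", "tinyurl.com", "ow.ly", "youtu.be"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_shortened(url):
    return host_of(url) in SHORTENERS


class _StopRedirects(urllib.request.HTTPRedirectHandler):
    """Make urllib surface each 3xx hop instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(url):
    """Fetcher for real use: HEAD request, returns (status, Location or None)."""
    opener = urllib.request.build_opener(_StopRedirects)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx responses land here
        return err.code, err.headers.get("Location")


def resolve_chain(url, head=live_head, max_hops=10):
    """Return every URL visited, from the shortened link to the final destination."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:  # redirect loop; stop rather than spin
            break
        chain.append(nxt)
    return chain


def unmask(url, head=live_head):
    """Summarise the chain for a human decision: where does it really go?"""
    chain = resolve_chain(url, head)
    return {
        "hops": len(chain) - 1,
        "final_url": chain[-1],
        "final_host": host_of(chain[-1]),
        "shorteners_in_chain": [host_of(u) for u in chain if is_shortened(u)],
        "ends_on_https": urlsplit(chain[-1]).scheme == "https",
    }


# Constructed offline stand-in for the network, so the example runs anywhere.
FAKE_REDIRECTS = {
    "https://bit.ly/PLACEHOLDER1": (301, "https://tinyurl.com/PLACEHOLDER2"),
    "https://tinyurl.com/PLACEHOLDER2": (302, "/go/PLACEHOLDER3"),
    "https://tinyurl.com/go/PLACEHOLDER3": (307, "http://unknown-host.example.invalid/verify"),
    "http://unknown-host.example.invalid/verify": (200, None),
}


def fake_head(url):
    return FAKE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    for key, value in unmask("https://bit.ly/PLACEHOLDER1", fake_head).items():
        print(f"{key}: {value}")
```

Pass `live_head` (the default) to `unmask` to check a real link. Two of the report fields are the ones worth reading: `final_host`, which should be a site you recognise, and `shorteners_in_chain`, since a shortener that redirects to another shortener has no legitimate reason to exist.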
7. Stay away from public WiFi networks
People love free WiFi and will mindlessly connect to one wherever and whenever it's available. Cybercriminals are aware of this, so they take heavy advantage of people's willingness to connect to free hotspots to steal their sensitive data.
There are basically two ways attackers do this. Either they:
- Attack you on a public WiFi network you are connected to, say an airport, hotel, university, or coffee shop WiFi, and use advanced techniques to EXTRACT important information such as account usernames and passwords, bank and credit card numbers, etc. as you browse the web. Or;
- They create an Evil Twin, a replica of the same WiFi network, and provide you FREE WiFi on it. But as you surf the web, they can VERY easily sniff everything you are doing online, down to the cute cat pictures you are viewing on social media.
If you must use a public WiFi network:
- Ensure you are not logging in to sensitive online accounts
- Ensure you are not conducting financial transactions
- Most importantly, always use a VPN (virtual private network) service.
8. Start using a password manager today!
Now let's put phishing protection, or knowing how to avoid phishing, aside for a moment. If you're an internet user and have not been using a password manager, STOP RIGHT NOW and go install a password manager AND START USING IT! I cannot overstress this.
How a password manager works is that, apart from helping you secure and remember the numerous passwords you have for different websites, it saves the URL of each website alongside the username and password.
So how is this helpful or important?
If a scammer is mimicking the domain name (or URL) of a website that is saved in your password manager, trying to trick you into entering your login credentials, your password manager will not respond. This is because the fake domain name does not match the original domain name that was saved. Simple and neat!
When you rely on your password manager to always fill in your login credentials on websites, you can trust that it is correctly validating the domain names where you yourself might have slipped into a phishing net.
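The matching logic that makes this work is worth seeing, because its silence is the signal: a manager that will not offer your credentials on a page is telling you the page is not the site you saved. The code below is an added example, not the original post's code and not any particular password manager's implementation. It stores a vault entry with its site URL, reduces both the saved URL and the page URL to the domain the site owner actually controls, and fills only on an exact match over HTTPS. The vault entries and candidate URLs are constructed, and the `TWO_LABEL_SUFFIXES` table is a stand-in for the Public Suffix List that real managers consult.

```python
"""How a password manager decides whether saved credentials match the page.

Added example; not the original post's code and not any particular password
manager's implementation. The vault entries and candidate URLs are constructed,
and the registrable-domain logic is a simplification: real managers consult
the Public Suffix List instead of the short table below.
"""
from urllib.parse import urlsplit

# Constructed vault: the site's URL is stored next to the credentials.
VAULT = [
    {"site": "https://accounts.example.com/login", "username": "alice"},
    {"site": "https://portal.bank.co.uk/", "username": "alice.w"},
]

# Assumed stand-in for the Public Suffix List: suffixes under which the
# registrable domain is three labels long rather than two.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(hostname):
    """Collapse a hostname to the part a registrant actually controls."""
    host = hostname.lower().rstrip(".")
    # Unicode hostnames are converted to their ASCII (punycode) form first, so a
    # look-alike character can never compare equal to the Latin letter it mimics.
    host = host.encode("idna").decode("ascii")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def matching_entries(page_url, vault=VAULT):
    """Entries the manager would offer to fill on page_url; empty means 'stay silent'."""
    page = urlsplit(page_url)
    if page.scheme != "https" or not page.hostname:
        return []  # design choice: never fill over plain HTTP
    wanted = registrable_domain(page.hostname)
    return [e for e in vault
            if registrable_domain(urlsplit(e["site"]).hostname) == wanted]


def explain(page_url, vault=VAULT):
    """Human-readable verdict, the way a manager's 'no match' silence should be read."""
    hits = matching_entries(page_url, vault)
    if hits:
        return "fill: " + ", ".join(e["username"] for e in hits)
    return "no match: the saved site and this page are different domains (or not https)"


if __name__ == "__main__":
    for url in ("https://accounts.example.com/login",
                "https://example.com.evil-example.invalid/login",
                "https://examp1e.com/login",
                "https://ex\u0430mple.com/login",   # Cyrillic 'a' look-alike
                "http://accounts.example.com/login"):
        print(f"{url:50} -> {explain(url)}")
```

Note that the match is on the registrable domain, not the full hostname, so `https://example.com/` and `https://accounts.example.com/` both fill from the same entry, while a hostname that merely contains `example.com` as a prefix does not. Real managers differ in the details (some match the full host, some let you choose), but all of them refuse on a mismatched domain, which is exactly the property the section above relies on.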
9. Clean your computer with a capable anti-malware software
As a computer user, it's absolutely essential that you have anti-malware software that is consistently scanning your computer for resident threats as well as online threats as you surf the web.
Traditional anti-virus programs like Windows Defender are good and have their place, but if you want to stand a chance at detecting some of the latest evolving threats, you will need something tougher.
Malwarebytes is one such next-gen anti-malware program that I recommend everyone install right away, then immediately run a quick scan to see what it detects.
I can guarantee you that even on a quick scan, Malwarebytes will uncover a significant number of malicious programs and scripts that have been running on your PC and stealing your data for who knows how long.
So as far as protecting you from phishing attacks goes, you can know that even if you mistakenly become the victim of a malware-based phishing attack, you stand a very high chance that your anti-malware program will detect, quarantine, and flush it out when you run it.
10. Invest in learning personal cyber security
If you have to invest some money in buying ebooks on personal digital security or, better yet, online courses that teach cybersecurity, do it! It's absolutely worth it, rather than allowing yourself to be low-hanging fruit for the raging cyberattacks out there, which are becoming worse every year.
Go on, train yourself in personal cyber security. Stay updated with the current cybersecurity trends. This is how you get to find out the level at which malicious actors are evolving cyberattacks.
If you have been paying at least some attention to current happenings in the cybersecurity world, you should have found out by now that hackers have found novel ways of defeating previously very reliable phishing protection measures (which some top government sites still recommend to this day) like:
- 2FA or MFA
- Hovering on links in emails &
- Detection of malware-laced email attachments
I will demo all of these soon; watch out for the links.
This is why you will not find any of these as phishing protection or prevention measures on this list: they've been conquered.
But that is not to say using 2FA isn't important. It's extremely important that you enable 2FA on important accounts. For now, it's only advanced phishing that can bypass these measures.
Mediocre phishers still rely largely on the victim's cluelessness about phishing attacks to succeed. But you never know how experienced the malicious hacker who comes after you might be.
It's only a hacker who can really tell you how hackers are doing it. Others who are not in the profession may be able to talk the talk but not walk the walk.
I'm an ethical hacker who is active in the field and following and participating in the evolving trends of phishing. This is why I'm able to tell you firsthand how to avoid, prevent, or overcome phishing attacks.
So please take these tips seriously. But also keep in mind that this is not an exhaustive list. There are more things I could still talk about here; as I research more, I'll update this list.
And if you are a non-technical person, as I'd expect, this could take a while to grasp and integrate into your online workflow.
But it's better to inconvenience yourself a little with the extra security steps than to be ground-scrubbing fruit for EVERY cyberattack out there, especially these novel phishing attacks.
I believe you have learned a thing or two from this post and you're ready to start practicing it. If so, would you please share this post? You would be helping someone else prevent phishing and also helping them generally stay safe online.