10 Essential Tips to Protect Yourself from Phishing Attacks: A Comprehensive Guide

Adapting to the Changing Face of Phishing

Phishing techniques are constantly evolving, making previously effective advice obsolete in today's landscape. For example, the suggestion to check for a green padlock symbol next to the URL bar as a sign of a secure website is no longer reliable, as any website can now obtain a padlock regardless of their legitimacy. With that in mind, it’s crucial to update the old advice and stay informed about emerging phishing trends. This article aims to provide guidance on how to effectively avoid falling victim to phishing attacks.

1. Be Vigilant with Unexpected Emails

You should always independently verify unexpected communications. For instance, if you receive an email from your boss without prior context or expectation, it’s advisable to directly reach out to them through a different communication channel (such as Microsoft Teams or Slack) to confirm whether they did send the email or not. By taking this approach, you can protect yourself against potential phishing attacks, where an attacker might be impersonating someone that you're familiar with to get you to do things that you otherwise wouldn't question.

2. Embrace 2FA and a Password Manager

This is all about mitigating the potential damage caused by a security breach. By enabling two-factor authentication (2FA) on your account, you can prevent an attacker from gaining complete access even if they manage to breach your account. Additionally, 2FA can sometimes serve as an effective early warning system, because you will receive a notification when someone attempts to log into your account.

Another wise practice is using a password manager. It allows you to generate and maintain unique and strong passwords for each of your accounts. This ensures that if one of your accounts gets compromised, the security of your other accounts remains intact, as the attacker won't have access to the same password for multiple accounts.

3. Adhere to Strong Password Policies

To ensure the security of your accounts, it’s important to use strong and secure passwords. Always include a combination of special characters and numbers in your passwords. You can check if a password has been compromised previously, at websites like ' Have I Been Pwned ', which is a free service provided by Troy Hunt.

Additionally, it’s crucial to avoid using the same password for multiple accounts. If you find it difficult to manage multiple passwords, you should consider using a password manager which will streamline this process for you.

4. Watch Out for Bad Grammar

Reputable brands often use automated systems to send emails. For example, if you receive an email from PayPal with an invoice, it would be generated automatically, and your name would be included in the email template. As a result, there’s no legitimate reason why a professional email should have grammar or spelling mistakes. If you come across an email that is filled with errors, it’s most likely a phishing attempt.

5. Be Mindful of Your Online Footprint

If you become a target of an attack, hackers will typically utilise any information you have shared online to enhance the credibility of their fraudulent emails. For instance, if you've mentioned on Facebook that you're expecting a delivery from Amazon, a hacker could exploit this information to send a persuasive phishing email impersonating Amazon.

The key takeaway here is that it's important to be cautious about the information you share online. Keep in mind that even seemingly innocent details can be used in targeted attacks.

6. Limit Sensitive Information in Your Emails

If a phishing attack does succeed, and your email account ends up getting compromised, the attacker will have access to everything stored in it. For this reason, it's wise not to keep any important information within your email account. To give you an example, there have been instances where celebrities have had their explicit photos leaked online because they decided to keep them in cloud storage, which was linked to their email account.

7. Keep Your Software Updated

Phishing attacks often take advantage of vulnerabilities in outdated software. One example of this is the use of exploit kits. In the past, these kits were used to exploit weaknesses in outdated web browsers. Attackers also frequently target widely-used software like Microsoft products to compromise devices. To protect yourself, it’s important to keep your software up-to-date and install any available patches. Generally speaking, major vendors like Microsoft are proactive in releasing quick patches to address vulnerabilities.

8. Exercise Caution with Email Links

Attackers frequently exploit the features of email clients to hide dangerous links. So, when you receive an email instructing you to click on a link or interact with a certain element, it's much wiser to manually enter the URL into your browser. You can do this by hovering over the link or element to reveal the URL and then typing it into your browser. This simple step allows you to verify the legitimacy of the website and shields you from potential attacks.

9. Hide Your Email Address

In general, it's not a good idea to share your private email address openly on the internet for everyone to see. Hackers often scrape web pages in search of email addresses that they can collect and use for spamming. Moreover, if someone is specifically targeting you, they can use Google dorks to search for your email address if it has been shared publicly. This can then be used as a starting point to gather more information about you.

If you find yourself in a situation where you have to share your email address, it's recommended to disguise it using an uncommon syntax. This makes it more difficult for hackers to find and exploit. For instance, instead of writing your email address as "john.doe@gmail.com," you can write it as "john(dot)doe(at)gmail(dot)com."

10. Beware of Email Attachments

Email attachments are a notorious way for attackers to gain access to a system. This is because they extend the attack surface that the attackers can operate on. If you download a docx file, for example, you will most likely open that file in Microsoft Word or LibreOffice. Any vulnerabilities that are present in those two software suites can be abused by attackers. Additionally, some file types, such as .exe files, are capable of executing code directly.

To check email attachments for malicious code, one approach is to upload them to websites like VirusTotal and Hybrid Analysis . These platforms can analyse the attachments and provide insights into their potential threats. However, it's important to note that uploading sensitive files to third-party websites may not be ideal as it involves granting them access to your files. In cases where the attachments are work-related and you suspect something malicious, it's best to consult with your IT department for guidance on how to handle these attachments safely.

11. Protecting Yourself Against Phishing

Protect your business from social engineering attacks by using Keepnet's Phishing Simulator . This powerful tool is designed to help your staff identify and defend against phishing threats, which are becoming increasingly common and sophisticated. By conducting simulated phishing tests, your employees can gain valuable experience in recognising and handling these types of attacks.

To learn more about the features and capabilities of Keepnet's Phishing Simulator, we recommend watching our video guide: Phishing Simulator Campaign Manager

Next Steps

Get your 15 days free trial to see how we can protect you from Phishing attacks now!