Seven Best Practices to Protect Yourself from a Phishing Attack

Sebastian Abbinanti Perspectives

Phishing attacks typically arrive by e-mail. The attacker sends you a message containing a link that leads to an authentic-looking site. In a typical attack the link takes you to a fake login page and asks you to sign in. If you do, the login almost always fails, but not before the attacker has captured your username and password.

Phishing e-mails usually claim to come from one of the following:

  • Your bank
  • Your employer
  • Your e-mail provider (Office 365, Gmail)
  • Your file sharing provider (OneDrive, Dropbox)
  • A social media provider
  • A trusted supplier or vendor

Once the attacker has your username and password, he or she can log in to the real site as you.

A typical scenario goes like this:

You receive an e-mail from a trusted individual asking you to click a link and log in to your Microsoft Office 365 account to receive a shared file.

You click the link, which brings you to a login page. You log in, but nothing happens. You think there must be something wrong with the link, so you go back to your e-mail, reply to the message, and tell the sender about the problem.

Your reply, however, does not go to the trusted person you believe sent you the e-mail. It goes to a mailbox the attacker controls, either because the message carried a Reply-To address that differs from the displayed sender, or because the "trusted" account was itself taken over in an earlier round of the same attack. Either way, you don't notice.

While you wait for a response that won't come, the attacker uses the credentials you typed into the "site" that "didn't work" to log in to your real e-mail account and download all of your contacts.

Now the attacker sends a similar e-mail to all of your contacts, this time purporting to be from you. The message is structured the same way, with a link used to coax your contacts into giving up their credentials.

Rinse and Repeat.

Seven Best Practices to Protect Yourself from a Phishing Attack

  1. Don’t open attachments in e-mails from unknown senders, or unexpected attachments from known ones.
  2. Avoid clicking hyperlinks in e-mail. This is especially true if the message was not expected or comes from an unknown sender. Confirm that the e-mail was sent from a trusted source and that he or she actually sent you a link. The text you see for a link and the address it really points to can be completely different; hover over the link (or long-press it on a phone) to see the real target before you decide. When you need to log in, type the site’s address yourself or use a bookmark instead of following the link.
  3. Never enter sensitive information into a pop-up window. Only provide sensitive information online when you deliberately went to a site that requires it. If you are on a website for fishing lures and all of a sudden a Google login page pops up, close the window and leave the site, because the site may have been compromised.
  4. Check where you actually are. Confirm HTTPS:// in the address bar instead of HTTP://, but don’t stop there: the lock icon only tells you the connection to the site shown in the address bar is encrypted, and phishing sites routinely use HTTPS too. Read the domain name in the address bar from right to left: login.microsoftonline.com is Microsoft, but login.microsoftonline.com.example-docs.net is whoever owns example-docs.net.
  5. Check for spelling and grammar errors in the e-mail subject and body. They are a telltale sign of a phishing e-mail, though their absence proves nothing; well-written phishing is common.
  6. Verify the sender’s address. You can see it by hovering over the sender’s name in the e-mail. The displayed name is chosen freely by whoever sent the message, so look at the address behind it, and at the Reply-To address if your mail client shows one. If it doesn’t look quite right, don’t trust the e-mail.
  7. When in doubt, pick up the phone. There is no easier way to confirm the authenticity of an e-mail than to call the sender, using a number you already have rather than one printed in the suspicious message.
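The link, sender and address checks in points 2, 4 and 6 are the ones most easily automated for mail that arrives in bulk. The script below is an added example written for this page, not code from the original post: it parses a raw e-mail, compares the From: address with Reply-To:, compares each link’s visible text with its real target, and checks each link host against the hosts a genuine Office 365 sharing notice would use. The sample message, every address and domain in it, and the EXPECTED_HOSTS set are constructed assumptions for the example; adjust the host list to the services your own users log in to.

```python
"""Triage one raw e-mail for the phishing tells described above.

Added example for this page (not code from the original post). The sample
message, its addresses and domains, and EXPECTED_HOSTS are all constructed
assumptions for the example.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "shared file" notice of the kind described above.
# The visible link text claims to be Microsoft, the real href is a look-alike
# host, and the Reply-To quietly differs from the From address.
SAMPLE_EML = """\
From: "Jane Doe (Contoso)" <jane.doe@contoso.example>
Reply-To: jane.doe@contoso-mail.example
To: you@example.com
Subject: Jane shared "Q3 budget.xlsx" with you
Content-Type: text/html

<p>Jane shared a file with you. Sign in to view it:</p>
<a href="https://login.microsoftonline.com.secure-docs.example/auth">https://login.microsoftonline.com/</a>
<p><a href="https://onedrive.live.com/">Open in OneDrive</a></p>
"""

# Hosts a genuine Office 365 / OneDrive sharing mail would link to.
# Assumption for this example; change it to match the services you use.
EXPECTED_HOSTS = {"login.microsoftonline.com", "onedrive.live.com"}


class LinkExtractor(HTMLParser):
    """Collects (visible_text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_matches(host, expected):
    """True only if host is an expected host or a subdomain of one.

    The comparison is anchored at the right-hand end of the name, so
    'login.microsoftonline.com.evil.example' does NOT match.
    """
    host = host.lower().rstrip(".")
    return any(host == e or host.endswith("." + e) for e in expected)


def triage(raw, expected_hosts=EXPECTED_HOSTS):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    # Point 6: the address behind the display name, and where replies really go.
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {from_addr}")

    # Pull the first text/html part (walk() yields the message itself if it
    # is not multipart); get_payload(decode=True) returns bytes.
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, "replace")
            break

    parser = LinkExtractor()
    parser.feed(body)
    for text, href in parser.links:
        target = urlparse(href)
        if not target.hostname:
            continue
        # Point 4: HTTPS is necessary but not sufficient. The phishing link in
        # the sample is HTTPS, so this check alone flags nothing there.
        if target.scheme != "https":
            findings.append(f"link to {target.hostname} is not HTTPS")
        # Point 2: visible text that looks like a URL must point where it says.
        shown = urlparse(text) if text.startswith(("http://", "https://")) else None
        if shown and shown.hostname and shown.hostname.lower() != target.hostname.lower():
            findings.append(f"link text shows {shown.hostname} but goes to {target.hostname}")
        # Point 4 again: is the real host one the claimed service actually uses?
        if not host_matches(target.hostname, expected_hosts):
            findings.append(f"link host {target.hostname} is not one of the expected hosts")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("-", finding)
```

Run as-is, the script reports three findings for the constructed message: the Reply-To mismatch, the link whose visible text names login.microsoftonline.com while its target is a look-alike host, and that look-alike host not being an expected one. The "Open in OneDrive" link passes, and the HTTPS check flags nothing, which is exactly the point of the caveat in item 4.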