How to prevent phishing attacks

Personal information being fished.

Phishing is a social engineering attack aimed at tricking you into revealing your personal information or spreading malware onto your device. It is used to steal passwords, take over accounts, and enter systems without authorization. It can occur through any channel: via telephone, email, a web page, or even in person.

The word phishing refers to the term fishing, as in “fishing for passwords,” and is possibly a portmanteau of phone and fishing. It’s also likely related to an early hacking term, phreaking, as phishing was already a common social engineering tactic even before the rise of the internet.

Jump to…
12 ways to prevent phishing attacks
How to detect phishing attacks
Tools to prevent phishing attacks
Common types of phishing attack
FAQ: About phishing attack prevention

12 ways to prevent phishing attacks

Are phishing scams avoidable? They certainly are if you know how to identify and prevent them! We are sharing you with 12 effective ways to prevent phishing attacks.

1. Know what a phishing scam looks like

Knowing what a phishing scam looks like can prevent you from falling for one. They often imitate trusted organizations or promise you something for nothing.

  • Phishing emails: “Account verification required” or “Password reset request”
  • Advertisements: “You’re the lucky winner!”
  • Typo-squatting: googel.com instead of google.com
  • Search engines: “You searched for your bank, here is your ‘bank’” (sends you to scam site indexed on search engine)

2. Report phishing emails

Were you able to spot a phishing email that just sneaked into your inbox? Kudos to you! Don’t forget to report it to your email service provider. This helps your email service provider to identify similar messages as spam in the future and keep them away from you as well as other users. If the phishing email is posing as a business that exists in real life, let the business know as well.

3. Think before you click

Be cautious about any links provided in emails, text messages and social media posts coming your way unexpectedly. Do you recognize the sender’s email address or phone number? Modern email services often don’t show the sender’s full email address, so it’s important to look at that full email address before replying. Does the URL of the website look legitimate to you? Think twice before you click or tap on a link.

4. Install an anti-phishing toolbar

An anti-phishing toolbar is a browser extension that helps to detect phishing scams. They keep you on the radar of malicious emails, suspicious links, and fraudulent websites. Anti-phishing toolbars can be free or paid and cater for personal or enterprise uses.

5. Verify the target site’s SSL credentials

SSL stands for “Secure Sockets Layer.” A website that is SSL-certified, usually starting with “https” keeps your data encrypted from the moment it enters a web browser to reach its server. Meanwhile, websites that do not have an SSL certificate can leave your personal data exposed.

Checking whether a website is SSL-certified is just one way to see if it’s safe. There are other ways to find out if a site is safe to use.

6. Use a password manager

A password manager like ExpressVPN Keys stores your logins safely. ExpressVPN Keys also helps verify the URL of a site before letting you sign in with a stored password. And when it doesn’t match, it refuses to fill the fields with your credentials, preventing you from falling for a phishing scam.

7. Don’t ignore those updates

Attackers are constantly looking to exploit app or system vulnerabilities to do harm to your personal data or devices. Keeping your apps or devices updated will give you the latest security fixes and protect you from hacks or data breaches. Are manual updates too much of a hassle? See if you’re better off with auto updates.

8. Install firewalls

Granted, firewalls probably can’t do much in helping you detect phishing emails or text messages in the first place. But they can warn you about malicious sites and prevent you from interacting with them, in case you have landed on one.

9. Be wary of pop-ups

Common pop-ups asking for our permissions to use cookies, save passwords, or send notifications are generally considered safe. However, watch out for pop-ups asking for your login credentials or credit card information. Any personal information you enter into a fake sign-in prompt will go to the servers of the attackers, who will then use them to access your account and other potentially linked ones. This phishing technique is called the browser-in-the-browser attack.

10. Don’t give out important information unless you must

This one seems to go without saying but we’ll touch on it anyway! If you want to sign up for an online service, you must provide some personal information like your name and email address, at the very least. Needless to say, you will also need to provide your home address if you’re doing online shopping.

Otherwise, feel free to leave out all the optional fields. The less personal information you put out there, the less the attackers can use against you. Better yet, instead of giving out real information, use a throwaway email address, burner phone number, prepaid credit card number.

11. Avoid using public networks

Public Wi-Fi networks are often open, unsecured networks. Not only can third parties see what you are doing online, but attackers can also create a fake Wi-Fi access point and harvest your login credentials once you are connected to it. If you must use a public network, take these precautions to stay secure.

12. Watch out for shortened links

Shortened links aren’t a new thing. They are often used in social media posts to leave more character space for the rest of the message. The problem is they usually conceal the original link and turn it into random numbers and characters. This makes it difficult for us to gauge where the link will actually take us. For all we know, they can direct us to a fake website used to steal our login credentials or do harm to our devices.

How to detect phishing attacks?

While there are different ways phishing attacks can occur, there are also warning signs you can watch out for, which we’ll go over below.

The message is sent from a public email domain

Legitimate companies or organizations have their own domain, for example, username@netflix.com. They never use public domains, like username@google.com or username@outlook.com, which generally belong to personal accounts. If an email poses as a large corporation but uses a public domain, it’s likely to be a phishing attack.

Verifying a caller’s identity can be difficult, as numbers that show up on caller ID are easy to spoof. Banks, governments, or courts will hardly ever call you to request personal information. If they do, ask for the caller’s name, title, and department, then call back with a publicly listed number.

Obvious grammar and punctuation mistakes

Many phishing emails contain spelling and grammar mistakes in the body text, subject line, or URLs provided within. This is uncommon for any collaterals sent out by large, professional organizations which uphold a high standard of content quality.

Asking for personal information

Unless you’re expecting to hear from a company or service (for example, after you request a password reset), they won’t reach out to you asking for your personal information like your passwords or credit card number. If you receive an unsolicited call requesting your personal info, ask for their name and contact number, then make an independent check with the organization in question. For unsolicited emails, it’s always safer to ignore them.

Threats and potential consequences

Phishing attackers can pose as the government, tax department, or your bank. They’ll start off by saying you have an overdue payment or haven’t done your tax return, and threaten you with legal action if you don’t transfer the money to them.

Including suspicious links or attachments

As a rule, most companies don’t send you unsolicited emails. So ask yourself, why should you have received this email? Your alarm bells should be ringing especially if the email contains links or attachments.

Urgent deadlines

It’s common that phishing scams use a false sense of urgency to trick you into taking immediate action. For example, they can say that there have been unexpected activity on your account and ask you to click on some instructions or risk getting your account shut down. Another example of opening would urge you to claim an offer or prize that’s only available for a limited time.

Tools to prevent phishing attacks

While staying alert is usually the best defense against phishing, we are only humans. Even the most vigilant person cannot stay alert 24/7. That’s where automated tools come in. They provide you with passive set-and-forget protection against phishing attacks.

  • Avanan protects email and a range of cloud applications against phishing, malware, and viruses.
  • Barracuda Sentinel prevents phishing attacks that bypass traditional email gateways.
  • BrandShield monitors social media and detects phishing sites and pages.
  • Cofense PDR detects phishes that have bypassed SEGs from all major vendors.
  • RSA FraudAction keeps you safe from phishing and malware, rogue mobile apps, and fraudulent social media pages.
  • IRONSCALES combines human and automated intelligence to fight back against business email compromise, fake login pages, and more.
    KnowBe4 is a platform for security awareness training and simulated phishing attacks.

Common types of phishing attacks

Spear phishing

Spear phishing is one of the most common phishing techniques. It typically takes the form of emails appearing to be coming from a legitimate business or organization. The goal is to get you to reveal your personal information like your passwords, credit card numbers, bank account information, or spread viruses onto your device.

The email includes your name and other information that looks legitimate. It makes you think it’s real and ultimately do as asked in the email, like opening an attachment or clicking the links inside the email.

Examples of spear phishing

A common spear phishing email pretends to come from a legitimate online store—telling you about a successful transaction, incomplete order, or shipping notice. In 2015, attackers pretended to be Amazon and sent out almost 100 million emails titled “Your Amazon.com order has dispatched,” making recipients install Locky ransomware.

Whaling

A whaling attack targets senior executives within an organization typically in emails by posing as a legitimate client, partner, or member of the organization. The goal is to get the victims to authorize high-value wire transfers, provide sensitive corporation information, or click on a link that delivers malware.

The term whaling stems from the size of the attack. Whaling emails are more sophisticated than typical phishing emails. Their content is highly personalized—containing the target’s name, job title, and other relevant information. Not only that, the emails are also crafted with fluent business terminology, industry knowledge, and personal references.

Examples of whaling

  • A whaling attacker posed as the Snapchat CEO and emailed a senior employee of the company for payroll information.
  • A fraudster pretended to be the new CEO of Mattel and emailed the company’s senior executive for a money transfer.
  • Fraudsters posed as the CEO of Seagate and sent an email to the company’s HR department, which unknowingly handed them valuable staff information, including social security numbers, and salary information.

Smishing

A smishing attack takes the form of text messages and tricks victims into sharing their personal data. Smishing, vishing, and spear phishing essentially have the same goals, except they use different means of communication to target the victims. Smishing uses SMS messages and texts, vishing uses phone calls, and spear phishing uses emails. Learn more about how smishing works.

Examples of smishing

Smishing attackers usually say one of the following things to make you give in your personal information:

  • “A suspicious purchase has been made with your credit card”: Posing as your bank, the attacker will ask for your identifiable information, claiming to revert the purchase for you.
  • “Congrats! You’ve won”: The message will say you’re the one lucky winner. Needless to say, you will have to verify your identity first.
  • “Your package has been dispatched”: Want to check on the delivery progress? Tap the link provided.

Vishing

Vishing lures victims into providing their personal information in phone calls. As said, it has the same goals as smishing and spear phishing, which use different means of communication to target the victims (text messages and emails respectively).

Examples of vishing

A vishing attacker typically pretends to be calling from the government, tax department, police, or the victim’s bank. The impostor coerces the victims into providing the information being asked—by making them believe they are doing something in their best interests, like avoiding a criminal charge or having their bank accounts shut down. A similar trick is done through voicemails which tell the victims to call back immediately to avoid serious repercussions.

Search engine phishing

Search engine phishing is a new technique. Attackers get a victim to access malicious websites they have indexed on legitimate search engines. The search engine results page shows the fake website matching the keywords entered by the victims. The trick exploits our reliance on search engine results as they are convenient and secure.

Examples of search engine phishing

A search engine phishing website can do one of these things:

  • Highly discounted products or services: They want you to make the purchase with your credit card info they’ve been waiting for!
  • Posing as a legitimate service: Fake Coinbase sign sites showed up for keywords like “Coinbase login.” This form of phishing usually involves banking or financial services.
  • Fake job Offers: They’ll ask you for your social security number. Don’t give it out!

Angler phishing

In angler phishing, an attacker poses as a customer support agent and answers a disgruntled customer who takes to social media to complain about a product or service. The impostor suggests an immediate fix—one that typically requires the customer to click on a link to troubleshoot their issue. Clicking that link, however, will install malware onto the target’s device or steal their login credentials.

Examples of angler phishing

A fake customer service rep will provide a link that they claim can help you regain access to your account. Not satisfied with a service? The impostor will say they want to “make things right,” prompting you to follow a link or send them a private message to provide additional details for compensation.

Pharming

A pharming attack redirects a victim to a fraudulent website when they enter a correct website address into a browser. It starts off by installing malicious code on a computer or server. The code will change the destination address in the background and redirect the victim to a fake website that resembles a legitimate one. It will then prompt the victims to log in to the malicious website with their real credentials.

Examples of pharming

Pharming often targets banks or financial institutions to intercept login credentials and banking information of customers. A pharming attack in 2007 targeted customers from over 50 financial entities including Barclays Bank, PayPal, and eBay, and infected over 1,000 devices per day.

FAQ: About phishing attack prevention

Who are the victims of phishing?
How do you know if you are phished?
What is the difference between spam and phishing?
Who created phishing?
Lexie is the blog's resident tech expert and gets excited about empowerment through technology, space travel, and pancakes with blueberries.