On your path to improving your digital security, you may encounter bad actors who attempt to undermine your security goals. We call these bad actors adversaries. When an adversary sends an email or link that looks innocent, but is actually malicious it’s called phishing.
A phishing attack usually comes in the form of a message meant to convince you to:
- click on a link;
- open a document;
- install software on your device; or
- enter your username and password into a website that’s made to look legitimate.
Phishing attacks can trick you into giving up your passwords or trick you into installing malware on your device. Attackers can use malware to remotely control your device, steal information, or spy on you.
This guide will help you to identify phishing attacks when you see them and outline some practical ways to help defend against them.
Types of Phishing Attacks Anchor link
Phishing for Passwords (aka Credential Harvesting)
Phishers can trick you into giving them your passwords by sending you a deceptive link. Web addresses in a message may appear to have one destination, but lead to another. On your computer, you can usually see the destination URL by hovering over the link. But links can be further disguised with lookalike letters, or by using domain names that are one letter off from legitimate domain names and may direct you to a webpage that appears to go to a service that you use, such as Gmail or Dropbox. These fake replica login screens often look so legitimate that it’s tempting to type your username and password. If you do, you will send your login credentials to the attackers.
So before typing any passwords, look at the address bar of your web browser. It will show the real domain name of the page. If it doesn't match the site you think you’re logging into, don't continue! Remember that seeing a corporate logo on the page doesn't confirm it's real. Anybody can copy a logo or design onto their own page to try and trick you.
Some phishers use sites that look like popular Web addresses to fool you: https://wwwpaypal.com/ is different from https://www.paypal.com/. Similarly https://www.paypaI.com/ (with a capital letter “i” instead of a lowercase “L”) is different from https://www.paypal.com/. Many people use URL shorteners to make long URLs easier to read or type, but these can be used to hide malicious destinations. If you receive a shortened URL like a t.co link from Twitter, try putting it into https://www.checkshorturl.com/ to see where it's really going.
Remember, it's easy to forge emails so that they display a false return address. This means that checking the apparent email address of the sender isn't enough to confirm that an email was really sent by the person it appears to be from.
Most phishing attacks cast a wide net. An attacker might send emails to hundreds or thousands of people claiming to have an exciting video, important document, or billing dispute.
But sometimes phishing attacks are targeted based on something the attacker already knows about an individual. This is called “spearphishing.” Imagine you receive an email from your Uncle Boris that says it contains pictures of his kids. Since Boris actually has kids and it looks like it is from his address, you open it. When you open the email, there is a PDF document attached to it. When you open the PDF, it may even display pictures of Boris’ kids, but it also quietly installs malware on your device that can be used to spy on you. Uncle Boris didn't send that email, but someone who knows you have an Uncle Boris (and that he has children) did. The PDF document that you clicked on started up your PDF reader, but took advantage of a bug in that software to run its own code. In addition to showing you a PDF, it also downloaded malware onto your computer. That malware could retrieve your contacts and record what your device's camera and microphone sees and hears.
The best way to protect yourself from phishing attacks is to never click on any links or open any attachments. But this advice is unrealistic for most people. Below are some practical ways to defend against phishing.
How to Help Defend Against A Phishing Attack Anchor link
Keep your software updated
Phishing attacks that use malware often rely on software bugs in order to get the malware onto your machine. Usually once a bug becomes known, a software manufacturer will release an update to fix it. This means that older software has more publicly-known bugs that could be used to help install malware. Keeping your software up to date reduces malware risks.
Use a password manager with auto-fill
Password managers that auto-fill passwords keep track of which sites those passwords belong to. While it’s easy for a human to be tricked by fake login pages, password managers are not tricked in the same way. If you use a password manager (including the built-in password manager in your browser), and it refuses to auto-fill a password, you should hesitate and double check the site you’re on. Better yet, use randomly generated passwords so that you are forced to rely on auto-fill, and less likely to type your password into a fake login page.
Verify Emails with Senders
One way to determine if an email is a phishing attack is to check via a different channel with the person who supposedly sent it. If the email was purportedly sent from your bank, don’t click on links in the email. Instead, call your bank or open your browser and type in the URL of your bank's website. Likewise, if your Uncle Boris sends you an email attachment, call him on the phone and ask if he sent you pictures of his kids before opening it.
Open Suspicious Documents in Google Drive
Some people expect to receive attachments from unknown persons. For example, journalists commonly receive documents from sources. But it can be difficult to verify that a Word document, Excel spreadsheet, or PDF file isn't malicious.
In these cases, don't double-click the downloaded file. Instead, upload it to Google Drive or another online document reader. This will turn the document into an image or HTML, which almost certainly will prevent it from installing malware on your device. If you're comfortable with learning new software and willing to spend time setting up a new environment for reading mail or foreign documents, there are dedicated operating systems designed to limit the effect of malware. TAILS is a Linux-based operating system that deletes itself after you use it. Qubes is another Linux-based system that carefully separates applications so that they cannot interfere with each other, limiting the effect of any malware. Both are designed to work on laptop or desktop computers.
You can also submit untrusted links and files to VirusTotal, an online service that checks files and links against several different antivirus engines and reports the results. This isn't foolproof—antivirus often fails to detect new malware or targeted attacks—but it is better than nothing.
Any file or link that you upload to a public website, such as VirusTotal or Google Drive, can be viewed by anyone working for that company, or possibly anyone with access to that website. If the information contained in the file is sensitive or privileged communications, you may want to consider an alternative.
Use a Universal 2nd Factor (U2F) Key at Login
Some sites allow you to use a special hardware token with advanced capabilities to avoid phishing attempts. These tokens (or “keys”) communicate with your browser to establish per-site credentials for logging in. This is called Universal 2nd Factor or “U2F,” because it is a standard way to require a second authentication method—in addition to your passphrase—at login. You simply log in normally, and (when prompted) connect the key to your computer or smartphone and press a button to log in. If you are on a phishing site, the browser will know not to log you in with credentials established on the legitimate site. This means that even if a phisher tricks you and steals your passphrase, they won’t compromise your account. Yubico (one manufacturer of such keys) provides more information about U2F.
This should not be confused for two-factor authentication in general, which may or may not provide phishing protection.
Be Careful of Emailed Instructions
Some phishing emails claim to be from a computer support department or technology company and ask you to reply with your passwords, or to allow a “computer repair person” remote access to your computer, or to disable some security feature on your device. The email might give a purported explanation of why this is necessary, by claiming, for example, that your email box is full or that your computer has been hacked. Unfortunately, obeying these fraudulent instructions can be bad for your security. Be especially careful before giving anyone technical data or following technical instructions unless you can be absolutely certain that the request's source is genuine.
If someone sends you a suspicious email or link, don’t open or click on it until you’ve mitigated the situation with the above tips and you can be confident it’s not malicious.