You know not to click on links in sketchy emails. Everybody knows that. And yet, people fall for these phishing attacks all the time. Case in point: The FBI suspects a phishing email is how the Russian hackers who were indicted this week got into Yahoo. Ditto for the breach of the Democratic National Committee, and the Sony Pictures hack. In fact, there’s currently a Gmail phishing scam going around that even super savvy techies are falling for.
Phishing scams work by tricking you into clicking on a link or attachment that either infects your machine with malware or takes you to a page that looks totally legit, but isn’t and is designed to steal your private information. According to the the Anti-Phishing Working Group, 100,000 new phishing attacks get reported every month, and thousands of people fall for them. But you are smart. You can increase your chances of avoiding phishing scams if you follow these three steps and, above all, remember that when it comes to your email you can’t really trust anything.
“At the heart of phishing is a scam,” says Aaron Higbee, chief technology officer at the phishing research and defense company PhishMe. “The people who are sending a phishing email have to be clever email marketers to get a user to engage.” Often they do this by preying on your emotions.
That’s why the most important thing experts recommend is to listen to your gut. When something feels off, it probably is. But since the whole point of phishing (and its more tailored and targeted counterpart spear phishing) is to get you to do something without raising alarm bells, you need to practice skepticism even when things seems fine. You should be generally reluctant to download attachments and click links, no matter how innocuous they seem or who appears to have sent them.
“We’re conditioned to try to help people and be nice. You don’t want to seem rude or defensive,” says Trevor Hawthorn, the chief technology officer at Wombat Security, which works on phishing and security awareness. “But one of the most important things people can do is when something is being asked of them, when there’s some sort of call to action, think about the context of what the sender is asking you to do. If there’s a sense of urgency that’s when I would be a smart skeptic and slow down.”
This takes practice. Wombat has found that when people do consistent anti-phishing training—say, once a month—they are better at avoiding phishing links than when they haven’t had lesson in a few months. Your job may not offer a phishing prevention program, but you can still work to be skeptical about all your email all the time. It’s easier said than done, but keeping that attitude in mind can only help.
This is particularly important and difficult now that attackers can send spear phishing emails that look like they are from your friend or your bank. And things get even more complicated in cases when the messages are from legitimate sources, because attackers have taken over a real email account or phone number and are phishing from it.
“I’ve been told for years don’t click emails from someone I don’t know,” Higbee says. “But attackers might actually start originating their phishing emails from people you know. Why wouldn’t I click an email from somebody I know? Attackers use that technique to propagate things like malware and ransomware.”
So what can you do? First, scrutinize the address it says it came from and the text of any URLs it contains to weed out firstname.lastname@example.org from email@example.com. If the source is legit, but the text is out of character, ask yourself, “Would my Mom really send me this email?” Again, if something feels weird about an email that someone you know sends—especially if it has a request in it—bear in mind there’s a distinct possibility they’ve been hacked. Reach out to them separately and ask if they sent you an email.
Even if you’re appropriately skeptical and avoid clicking on most links, you might get phished. The recent Gmail phishing scam is so clever that even some IT professionals fell for it. So experts agree that beyond trying to avoid phishing scams, you need to prepare defensively in case you do get phished. That means taking standard cybersecurity precautions like enabling multi-factor authentication on all accounts that offer it, using a password manager or other system to maintain strong, random, unique passwords, and backing up your data.
“If there was a silver bullet, if there was that piece of technology, a plugin, some email filter that could actually stop phishing attacks we would be out of business,” Higbee says. “But the core of this problem is human intuition and insight.” The key to protecting yourself is to be on guard. Phishing scammers are wily, but so are you. Stay vigilant.