Every once in a while your email spam filter lets an email slip through into your mailbox, proclaiming anything from a bank asking its customer to “verify an account” to the Spanish lottery commission congratulating you on “winning the lottery”.
This kind of attack aims to pull a sleight-of-hand trick on web users, fooling them into handing their private information to the attacker. In a phishing attack, the aim is to bait the user into believing that the email and the website they are being redirected to are legitimate. The scheme collapses once the user doesn’t take the bait.
The aim of this post is to discuss some of the best precautions you can take to protect yourself.
Tip 1 Be skeptical
Any legitimate organization would not ask for your username, password or credit card information over email. Unless you are 100% sure that the email is legitimate, you should just ignore it. But if you can’t help but think the email might be legit, you should never trust the links sent to you by email. Instead, browse to the relevant website by typing the company’s or bank’s URL yourself. If there is anything that the company wants to inform its users of, it will have it announced on its website.
“Chances are if you were never in Spain and never bought a lottery ticket in your life, you will not win the lottery.”
Tip 2 Never click on links in e-mails
This cannot be emphasized enough when it comes to phishing attacks: never click on any links in suspicious emails. If you feel that you must check out a link, it’s preferable to reach the page on your own accord by copying the link text and pasting it into the browser. The reason is that while a link might look like it’s linking to a legitimate website, it might actually be redirecting you to a completely different one. See the image below.
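The mismatch described above, where a link’s visible text names one site while its href points somewhere else, can be checked mechanically. The following is an added example (not code from the original post) that parses an email body and flags anchors whose shown domain and real destination disagree; the email body, the hostnames and the helper names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a domain name such as www.mybank.com inside free text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_part(host):
    """Crude 'site' key: the last two labels (mail.example.com -> example.com)."""
    return ".".join(host.lower().split(".")[-2:])

def find_mismatched_links(html):
    """Return (visible text, href) pairs where the text names one site but the href goes to another."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = DOMAIN_RE.search(text.lower())       # domain the reader sees
        target = urlparse(href).hostname             # domain the browser would open
        if shown and target and registrable_part(shown.group(1)) != registrable_part(target):
            flagged.append((text, href))
    return flagged

# Constructed sample email body: the first link's text and href disagree, the second agrees
# (a subdomain of the same site), and the third shows no domain so it cannot be judged this way.
SAMPLE_EMAIL = """
<p>Please <a href="http://mybank.com.login-verify.example/">https://www.mybank.com/verify</a> now.</p>
<p>Or visit <a href="https://online.mybank.com/help">mybank.com</a>.</p>
<p><a href="http://198.51.100.7/">Click here</a></p>
"""

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL):
        print(f"shown: {text!r} -> actually goes to: {href}")
```

Links whose text is just “Click here” carry no domain to compare, so this check cannot vouch for them; they still deserve the retyping habit the tip recommends.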
Tip 3 Use phishing filters
You are better protected from malicious attacks if you use an up-to-date browser. Internet browsers such as Internet Explorer 7.0+ and Firefox 2.0+ have built-in phishing filters that will warn you when you’re trying to access a suspicious website. Even phishers and scammers attest to the effectiveness of using an up-to-date browser.
Tip 4 Keep an eye on your browser’s add-ons
Some browser add-ons are known to be malicious spyware which, besides sending out loads of information about your Internet usage and possibly your passwords, can cause your browser to hang repeatedly. This includes products such as MyWay.MyWebSearch, FunWeb and FunWebProducts. To be safe, keep only the plugins that you need and trust enabled, and disable the rest.
Tip 5 Check SSL certificates
That’s not something people often do, but if you are worried about your security, you should check that the website you’re about to divulge sensitive information to is properly authenticated. Make sure that the certificate belongs to the relevant company, e.g. Microsoft for Hotmail or Google for Gmail, and so on.
Tip 6 Use up-to-date anti-virus software
Keeping your PC virus free is very important, too. Some viruses were reported to wait for you to access your bank account; at that point they start capturing every keystroke along with screenshots of what you are currently viewing, and send all of this information back to the attacker. Others can trick your browser into redirecting you to the attacker’s website even though you typed in the correct URL! Just take my word for it and keep your anti-virus software up-to-date.
Tip 7 Turn the tables
If you still think that the email or website is legitimate, it is preferable to provide the wrong information the first time around; this is the last defense you, as a user, have. If the email or website is legitimate, it will inform you that the information is incorrect, while a phishing website wouldn’t know any better and in most cases will just redirect you to the legitimate site’s homepage.
Finally, if you slip and give out your password to a phishing website, close it, log in to the legitimate website, and change your password immediately. That’s just until researchers finish up cheap password fobs, image-based passwords and the other password replacement options they have hidden away for the future.
Stay safe and always be skeptical whenever someone asks about your private information, and just like your mother used to say: “Don’t trust strangers”!
Are there any tips that you would like to add to those? Have you ever been a victim of such an attack? Please let us hear your side of the story.