Enhancing Your Cybersecurity: Essential Tips to Combat Phishing
In the initial segment of this discussion on phishing, I outlined what phishing attacks entail and how to identify them. If you haven't checked it out yet, you can find it here:
How to Prevent Phishing Attacks if You’re Not an Expert (Part 1 Of 2)
Learn how to recognize a phishing attack, so you don’t fall prey to one — even if you aren’t a cybersecurity expert.
During my experience with a major transportation client, they initiated a cybersecurity awareness initiative aimed at informing employees about cyber threats. However, their efforts didn't stop there.
They also deployed various technologies to monitor the network for potential attacks and tackled the greatest cybersecurity risk that organizations face: human behavior.
By modifying employees’ actions, encouraging them to pause and think before taking action, and providing them with tools to reinforce these changes, the rate of successful phishing attacks dropped dramatically—by over 90%.
Safeguarding yourself online is not just a technical issue; it's fundamentally about human behavior. Social engineering is the primary method employed in effective phishing attacks, exploiting human tendencies.
For instance, panic can cloud judgment. Phishing attempts often create a false sense of urgency to compel quick action.
At the same time, people tend to trust familiar contacts. If you receive an email from a friend’s account claiming, “This is SOOOO funny! Check out this video by clicking here!” you may be inclined to click it. If your friend’s account was compromised, you could be at risk too.
The most effective way to thwart these successful attacks is to alter instinctual behaviors. Just as in real life, where you might peer through a peephole or look behind curtains before opening a door, the same caution should be applied online: inspect and think before acting.
Now, let’s explore five habits that can help you avoid phishing attacks.
Habit 1: Minimize Mouse Clicks
> "Social engineering involves using deception, manipulation, and influence to persuade a person with access to a computer system to perform an action, such as clicking a link in an email." — Kevin Mitnick
Phishing schemes typically include an attachment or a link that leads to a malicious site or installs harmful software on your device. Always be cautious of any email requesting you to “click here for more information.”
Sometimes, it's straightforward to identify a dubious link. Hover your mouse over the link without clicking it.
Your email application should display the link's destination.
On mobile devices, exercise even greater caution, as you can't see where a link directs without clicking on it. If you're confident about the link, you can long-press it, which should show you the destination.
Examine the beginning of the link to verify that it directs to a legitimate site.
Be mindful that a brief tap on the link may inadvertently open it.
Attackers often use domain names that closely resemble real ones to mislead you (e.g., using amazon.net instead of amazon.com). They may also substitute similar-looking characters to create an email address that seems authentic (e.g., @annazon.com instead of @amazon.com).
Another tactic is to entice you into clicking a deceptive video link. You might receive a message saying, “Wow, is that really you in the video?” along with a link.
Clicking that link could result in various outcomes:
- You might be redirected to a site that installs malware on your device.
- You could end up on a site mimicking YouTube, TikTok, or Vimeo, which prompts you to log in, thereby compromising your user ID and password.
- A download could initiate, and clicking on that file could install harmful software.
As a precaution, avoid clicking on email attachments, especially if they are unexpected; this could be a phishing attempt.
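The look-alike domain tricks described above (a different top-level domain such as amazon.net, or swapped characters such as annazon.com) can be checked mechanically before anyone clicks. What follows is an added example, not code from the original article: a small Python checker that extracts the registrable domain from a link and compares it against a constructed allow-list of brands. The brand list, the confusable-character table and the sample links are assumptions made for the demo.

```python
"""Flag links whose domain imitates a known brand.

Added example for this article; not code from the original post.
KNOWN_BRANDS, CONFUSABLES and the sample URLs are constructed for the demo.
"""
from urllib.parse import urlparse

# Constructed allow-list of the real registrable domains we trust.
KNOWN_BRANDS = {"amazon.com", "paypal.com", "youtube.com"}

# Character sequences that read as another letter at a glance.
# Order matters: multi-character pairs are collapsed before single digits.
CONFUSABLES = {
    "rn": "m",   # "rn" renders almost like "m"
    "nn": "m",   # the article's annazon.com example
    "vv": "w",
    "0": "o",
    "1": "l",
    "3": "e",
    "5": "s",
}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host, e.g. 'mail.amazon.net' -> 'amazon.net'.

    Assumption: two labels are enough for the demo; real code would consult the
    Public Suffix List to handle 'example.co.uk' and similar.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Collapse confusable sequences so 'annazon' compares equal to 'amazon'."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def assess_link(url: str) -> tuple[str, str]:
    """Classify a URL.

    Returns ('ok', brand) when the registrable domain is a trusted brand,
    ('lookalike', brand) when it imitates one, or ('unknown', domain) otherwise.
    """
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in KNOWN_BRANDS:
        return ("ok", domain)

    name, _, tld = domain.rpartition(".")
    for brand in sorted(KNOWN_BRANDS):
        brand_name, _, brand_tld = brand.rpartition(".")
        # Brand used as a subdomain of something else: amazon.com.evil.example
        if brand in host:
            return ("lookalike", brand)
        # Same name under a different top-level domain: amazon.net
        if name == brand_name and tld != brand_tld:
            return ("lookalike", brand)
        # Name rebuilt from confusable characters: annazon.com, amaz0n.com
        if normalize(name) == brand_name:
            return ("lookalike", brand)
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample links, including the article's two examples.
    for link in [
        "https://www.amazon.com/orders",
        "http://mail.amazon.net/login",
        "https://annazon.com/verify",
        "https://amazon.com.evil.example/",
        "https://example.org/",
    ]:
        print(f"{link:40} -> {assess_link(link)}")
```

The checker only knows the brands you list, so an unfamiliar domain comes back as "unknown" rather than "ok"; that is the intended default, since the point of the habit is to treat anything unverified with suspicion.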
Habit 2: Adopt a Zero-Trust Approach to Electronic Communication
Cultivating a healthy skepticism towards all electronic communication is one of the most effective strategies for self-protection. Assume that any email could be fraudulent, including those from trusted contacts.
Recently, I received an email from a family member claiming to have stage IV cancer, expressing a desire to keep it secret from their partner, and requesting financial assistance for treatment. While the email address was legitimate, the content raised red flags.
Knowing this person well, I was surprised they would confide in me without informing their partner. I texted him for clarification, only to learn that his account had been hacked.
Many others received the same email and nearly acted on it. He had to send out a general alert to inform everyone of the breach, not to mention dealing with subsequent banking and insurance inquiries.
Of course, not every unexpected email is fraudulent. I once received a message from an airline containing ticket information for a friend. Although unexpected, I confirmed with him that new regulations required him to designate someone for emergency contacts, which turned out to be me.
Regardless, refrain from sharing personal information in response to unsolicited emails unless you are entirely certain of their legitimacy. If you suspect a request is genuine, don’t click on any links; instead, navigate directly to the company's website through their app or browser. This ensures you are accessing the correct site and that your information remains secure.
Habit 3: Safeguard Your Email
Constantly second-guessing every communication can be exhausting. One way to reduce the influx of questionable emails is to fortify your defenses.
Imagine it like a basketball game, where your opponents are aiming for the basket, and the crowd chants, "De-fense! De-fense! De-fense!"
Strengthening your defenses means fewer unsolicited emails make it to your inbox, allowing you to spend less time assessing their legitimacy.
Here are some tools to bolster your email security:
Spam Filters
Most email services like Gmail, Yahoo!, and Hotmail come with built-in spam filters. Although they are not foolproof, they generally perform well, sometimes too well: check your spam folder periodically to make sure legitimate emails haven’t been misclassified.
Occasionally, attackers discover methods to bypass spam filters. Just because an email appears in your inbox doesn't guarantee its safety.
Antivirus Software
If you accidentally click on a link or open an attachment that attempts to install malware, antivirus software serves as an additional line of defense. You can utilize built-in options (like Windows Defender) or acquire a third-party tool.
Keep in mind that antivirus software is only effective if its database is regularly updated.
Email Aliasing
Email aliasing is an effective way to safeguard your email accounts and minimize inbox clutter. Services like Temp Mail, Paced Email, ForwardEmail, and AnonAddy allow you to create an alias for your email address.
Some unscrupulous companies harvest email addresses and sell them to others. By utilizing these services, you can prevent unwanted emails from reaching your primary inbox.
Disable Automatic Link Previews
Most email applications automatically display embedded images or links, which looks nicer but has unintended consequences. One such consequence is informing the sender that you have opened their email.
This tactic is also employed in marketing, where emails include an invisible 1x1 pixel image that downloads upon opening the message. This indicates to the marketing company that their email has been read, allowing them to track the effectiveness of their campaigns.
Attackers can exploit this same technique to determine whether you have read their messages, encouraging them to continue sending emails in hopes you will eventually click on a link.
You can disable automatic image downloads in most email clients. For instance, here's how to do it in Gmail.
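The tracking technique described above leaves a recognizable trace in the message itself: a remotely hosted image declared as 1x1 or hidden with CSS. As an added example (not code from the original article or from any mail client), here is a Python scanner that parses an HTML email body and lists the images that look like tracking pixels. The sample message is constructed for the demo, and the size and hidden-style heuristics are assumptions.

```python
"""Spot remote tracking pixels in an HTML email body.

Added example for this article; not code from the original post or from any
mail client. The sample message below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class RemoteImageCollector(HTMLParser):
    """Collect every <img> whose source is fetched over the network."""

    def __init__(self) -> None:
        super().__init__()
        self.images: list[dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        # cid: and data: images are embedded in the message and cannot phone home.
        if urlparse(src).scheme not in ("http", "https"):
            return
        self.images.append({
            "src": src,
            "width": a.get("width", ""),
            "height": a.get("height", ""),
            "style": a.get("style", ""),
        })


def is_tracking_pixel(img: dict[str, str]) -> bool:
    """Heuristic: a remote image that is 1x1 (or 0x0) or hidden by CSS."""
    tiny = img["width"] in ("0", "1") and img["height"] in ("0", "1")
    style = img["style"].replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden


def find_tracking_pixels(html: str) -> list[str]:
    """Return the URLs of likely tracking pixels in an HTML email."""
    collector = RemoteImageCollector()
    collector.feed(html)
    collector.close()
    return [img["src"] for img in collector.images if is_tracking_pixel(img)]


# Constructed sample: a visible logo, an embedded inline image and a beacon.
SAMPLE_EMAIL = """
<html><body>
  <img src="https://cdn.example.com/logo.png" width="200" height="50" alt="Logo">
  <img src="cid:signature@example.com" width="120" height="40">
  <p>Please review the attached invoice.</p>
  <img src="https://tracker.example/open?id=c0ffee" width="1" height="1" style="display:none" />
</body></html>
"""

if __name__ == "__main__":
    for url in find_tracking_pixels(SAMPLE_EMAIL):
        print("tracking pixel:", url)
```

Disabling automatic image loading in the mail client blocks every remote image, the logo included; the scanner is useful when you want to see which messages would have reported back had images been loaded.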
Habit 4: Secure Your Accounts
Email is often the gateway to accessing your personal information. Once attackers breach your email account, they will likely attempt to reuse that password on other platforms to gain further access.
Here are four strategies to protect your accounts:
> "Passwords are like underwear: don’t let people see them, change them often, and don’t share them with strangers." — Chris Pirillo
Create Strong Passwords
The primary issue with passwords is their tendency to be easily guessable. Create complex passwords that are difficult to crack, but still memorable.
Instead of traditional passwords, consider using passphrases—a sequence of five or six words separated by spaces or special characters. These are much harder for password-cracking software to guess.
For instance, the fastest password crackers can test approximately 100 billion passwords per second.
An 8-character password (the average length) can be guessed in:
- Less than 2 seconds for lowercase letters only.
- Less than 9 minutes for mixed-case letters.
- Less than 14.5 hours for a combination of uppercase, lowercase, and special characters.
However, a 5-word passphrase (e.g., “light-slime-cliff-steam-bliss”) could take:
- 70 trillion years to crack using only lowercase letters.
This calculation is on the conservative side. By varying the length of each word or incorporating numbers and special characters, you can significantly enhance security.
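To see where figures of this kind come from, here is an added example (not from the original article) that computes the search space and the time to exhaust it at the article's rate of 100 billion guesses per second. The charset sizes (26, 52 and 95 printable ASCII characters) and the 7776-word list used for the dictionary model are assumptions. It also adds a number the article does not give: how the same passphrase fares when an attacker guesses whole words from a known list rather than individual letters, which is why word count and list size, not just character length, decide passphrase strength.

```python
"""Search space and time-to-exhaust for passwords and passphrases.

Added example for this article; not code from the original post. The guess
rate is the article's figure; charset sizes and the word-list size are assumptions.
"""
RATE = 100_000_000_000            # guesses per second, as quoted in the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed alphabet sizes for the password models in the article.
CHARSETS = {
    "lowercase": 26,
    "mixed_case": 52,
    "mixed_case_digits_symbols": 95,   # all printable ASCII characters
}


def password_space(charset: str, length: int) -> int:
    """Number of candidates for a random password over the given charset."""
    return CHARSETS[charset] ** length


def letters_only_space(passphrase: str) -> int:
    """The article's model: treat the passphrase as random lowercase letters,
    ignoring separators, so 'light-slime-cliff-steam-bliss' is 25 letters."""
    letters = sum(1 for c in passphrase if c.isalpha())
    return 26 ** letters


def passphrase_space(word_count: int, wordlist_size: int = 7776) -> int:
    """Dictionary model: each word drawn uniformly from a list of the given size
    (7776 is the size of a standard diceware list; assumption)."""
    return wordlist_size ** word_count


def seconds_to_exhaust(space: int, rate: int = RATE) -> float:
    """Worst case for the attacker: every candidate has to be tried."""
    return space / rate


def years_to_exhaust(space: int, rate: int = RATE) -> float:
    return seconds_to_exhaust(space, rate) / SECONDS_PER_YEAR


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for charset in CHARSETS:
        print(f"8 chars, {charset:27}: {human(seconds_to_exhaust(password_space(charset, 8)))}")
    phrase = "light-slime-cliff-steam-bliss"
    print(f"{phrase} as random letters : {human(seconds_to_exhaust(letters_only_space(phrase)))}")
    print(f"{phrase} as 5 diceware words: {human(seconds_to_exhaust(passphrase_space(5)))}")
```

Run as a script, the 8-character lowercase case lands at roughly 2 seconds and the mixed-case one under 9 minutes, in line with the article; the letters-only model for the passphrase gives an astronomically large figure, while the dictionary model for five words from a 7776-word list gives on the order of nine years at the same rate. A real attacker uses the second model, so adding a sixth word or drawing from a larger list matters more than a single extra letter.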
Utilize a Password Manager
Remembering multiple passphrases can be overwhelming. A password manager can alleviate this burden.
With a password manager, you can have unique passwords for each of your accounts without needing to memorize them all. You only need to remember the password to access the manager itself.
Basic Security: You’re in Trouble if Your Passwords Aren’t Driving You Mad
Unless you use a password manager.
Enable Multifactor Authentication (MFA)
In my previous job at a large transportation firm, MFA was the most effective measure in minimizing account theft.
If someone manages to guess your password, they will still need to provide a second form of identification (a second factor) to access your account. During the MFA setup, you will be prompted for this second factor (typically a code sent to your email address or to your phone by SMS, or one generated by an authenticator app). As long as you don’t approve a login request blindly, attackers will struggle to breach your account.
Basic Security — Use MFA to Protect Your Online Accounts
It’s straightforward and enhances your peace of mind.
Use a Virtual Private Network (VPN)
A VPN keeps your online activities private, preventing others from monitoring your actions on shared networks. For instance, using public Wi-Fi (in hotels, cafes, or airports) exposes your device's content to anyone on that network.
Even more concerning, some individuals may set up fake free Wi-Fi networks to lure unsuspecting users. Once connected, they can capture all your browsing activities, including user IDs and passwords.
If possible, avoid free Wi-Fi. If you must use it, protect yourself with a VPN.
Habit 5: Embrace Inconvenience
In my sessions on online protection, I often encounter resistance. Many express that “using password managers, MFA, and scrutinizing every email is too cumbersome. I’d rather take my chances.” While this might seem acceptable for the time being, you never know when that attitude could lead to trouble.
> "Security is always excessive until it’s not enough." — Robbie Sinclair
Safeguarding yourself online also protects you offline, but it comes with trade-offs. For instance, you may not see images automatically when opening an email. Each time you log into your account, you’ll need your phone handy for verification.
I understand the frustration. At times, I feel exasperated by the security measures I’ve set up. However, it's ultimately a matter of weighing costs against benefits.
A significant data breach—like those experienced by Equifax, Yahoo!, and Facebook—can have long-lasting repercussions. The effects might not be immediate; it depends on the attackers' patience.
For example, LinkedIn suffered a data breach in 2012. Five years later, I received an extortion email referencing that breach, including my password. My initial reaction was shock. Fortunately, I had changed my password long before. Many, however, neglect to update theirs for years.
Final Thoughts
When a data breach occurs, accountability lies with the company involved, yet you bear the consequences. However, by applying the strategies outlined here, you can make it more difficult for attackers to access your accounts and disrupt your life.
Often, a breach of one account can jeopardize several others. To mitigate this risk, make it slightly more challenging for yourself. If it’s harder for you, it will be harder for potential attackers.
The most effective way to enhance your online security is to adopt a few new habits. Gradually, you can develop these practices.
Remain cautious of unexpected electronic messages (emails, SMS, social media), and avoid clicking indiscriminately on links. Instead, if you suspect a request for information is genuine, navigate directly to the official website.
Utilize antispam and antivirus tools. If you subscribe to numerous newsletters, consider employing an email alias service to protect your primary email address and lessen inbox clutter.
Secure your accounts with robust passwords by leveraging a password manager and enabling MFA. A password manager makes it difficult for anyone to guess your passwords, while MFA adds an extra layer of defense in case your password is compromised.
Implementing these changes will likely introduce some inconvenience to your online activities. You might view this as a nuisance or as an opportunity to reduce your online time. In the end, that seems like a worthwhile trade-off.
Although I publish on Medium, my primary work involves B2B copywriting and content creation for technology and service companies. Connect with me on LinkedIn to engage further.