How to protect against phishing attacks

How to protect against phishing attacks

Kevin Acher author picture

by Kevin Acher

Co-Founder & CMO

06 Jun 2024 · 9 minutes to read

Nowadays, being hacked is one of the dangers that one can fall into while on the Internet. There are many ways someone can be a victim of hacking as it can come in many shapes and forms. However, there is one that stands out the most for users who are trying to protect their most valued accounts: Phishing

Phishing commonly tricks its victims into giving up their personal details or sensitive data using emails, telephone calls, or text messages resulting in identity theft or financial loss. In many cases, spoof emails are sent, pretending to come from large and recognized organizations or companies, as an excuse to gain private information putting the victim later on in difficult situations like ransomware or credit card fraud.

Phishing has its origin during the mid-’90s carrying its first attacks on AOL Inc, or America Online, an American web portal, and online service provider, which affected a lot of people turning it into what is now a big headache for internet users. The word has been changed and turned to phishing in relation to the group of people, known as “phreaks”, who first planned these scams. As its name suggests it compares internet users to fish as potential victims ready to fall for any traps or baits in the form of emails containing malicious attached files or links to fake websites.

show hook stealing user data
Since its origins phishing has evolved and developed in so many ways to scam Internet users around the world. Before you can protect your accounts against phishing it is important to know how to identify phishing and its different kinds.

Here we have listed some of them:

Real Case

Let’s imagine how would phishing work in a real situation. Let’s say you have been recently hired to be a community manager as part of the Public Relations Department of Facebook. After a certain time, one day you wake up not knowing that hackers targeted Facebook and breached its security system. In the process, hackers manage to stole almost the totality of Facebook’s employee’s credentials related to their work account and personal account. Unfortunately for you, you are one of these people.

In this case, hackers then now have the email address you use for your Instagram personal account. It is at this point that they decide to target you to get the missing information which is your Instagram account password. To do this, they send you an email posing as “Instagram” telling you that someone is trying to access your account without your permission, and must log in at once to change your personal details to prevent it.

Randomly, you open your mail at 1.00 a.m. while watching Stranger Things season 4 finale. So, more focused on what’s happening to Eleven and her friends you don’t pay enough attention to the content of the email, and immediately click on the link provided to change your details. Not aware that this link takes you to a fake Instagram website, you are then asked to type in your credentials (email and password) for your Instagram account. With no hesitation at all, you follow the instructions, voluntarily giving away your credentials, or more specifically your password for hackers to gain access to your Instagram account.

Obviously, it’s not easy for everyone to identify when an email is a scam or fake at first sight, or when a text message is a fraud. It makes it even more difficult if the person being attacked is caught off guard or under stress. But, what would have happened if you had put more attention to the email?

Surely, you would’ve seen some subtle signs enough to tell if a source is reliable or not. These are some red flags to watch out for in case you think you are being targeted:

This last example about links and domains is the one you should be paying more attention to whenever you get this kind of suspicious email. If we take the same example I mentioned before the sender’s email address supposedly coming from Instagram won’t even match the one Instagram officially use to contact its users but instead will be something like:

More importantly, if you look closely at the masked link by hovering over it you will also notice that the domain is somehow strange. An example of it can be like the one you can see: (a is missing)

How to avoid Phishing?

show hook stealing user data
If a phishing attack is not prevented in time, victims can be affected heavily. As a result, in case a target is a single person this can lead to a financial loss like fraudulent charges, loss of important files or other documents in their device, fake social media posts, and ransomware. Similarly, if an organization or a business has been compromised some of its consequences may be the exposure of personal information about staff and customers, future damage to the employer’s reputation, a company’s value decrease, and ransomware.

Avoiding these situations is important. At this point, many of you may be asking: but, how? To this, there is no easy answer, but surely you can take some precautions to avoid being scammed. You can start by using security technologies to fight fishing such as multi-factor authentication or two-factor authentication. 2FA will be an effective way in securing your device from phishing.

As we mentioned in our previous article, Two-Factor Authentication (2FA) provides your accounts with an extra security layer. What does that mean you say? Mind that, 2FA is a security system that requires a second piece of evidence or token before granting access to your account. This second piece of evidence or token may ask you about “something you know”, “something you have”( a phone), or “something you are” (Face ID or Touch ID). If you have enabled the 2FA feature in your accounts like Twitch or before logging out, the next time you log in, these accounts will ask you to enter your email and password, and once done will ask you to enter the second piece of evidence. Under any possible phishing attack, phishers will have it difficult to gain access to your account for a simple reason. Even if they have your email and password, and try to log in, they will quickly be facing a big challenge which is entering your 2FA token. Since 2FA is something that is unique and only belongs to you, phishers will be pulling their hair out before there’s a chance they can possibly get it.

Authenticator App is a great 2FA tool to secure your accounts. Not only it generates and keeps your codes, based on a Time-Based one Time password (TOTP), but also recently included another great feature. Authenticator possesses to its advantage the possibility of backing up, restoring, and synchronizing all your data with its “Sync & Backup” option that will come in handy whenever you lose or switch to a new device. As for the new feature, Authenticator has added a Browser Extension to minimize phishing attacks. The Browser’s auto-fill built alerts the user of suspicious domains when it’s completely different from the ones associated with your account.

To give you a practical example, once Browser Extension has been enabled you will see the Authenticator App icon in the top left or right corner of your Menu bar. Upon entering your credentials in your accounts like Facebook or Instagram, these will then ask you to enter your codes, at this point you can prompt Authenticator App to auto-fill your codes by just clicking on it! Et voilà! You’re back in! Worst case scenario, if the website is designed by phishing attackers whenever trying to auto-fill your code it will warn you that the domain is not the same, and so not to be relied on.

Final Thoughts

All in all, in situations in which you think your account is compromised, think before acting and avoid getting yourself in trouble. Remember that any renowned website will never ask easily for credentials or sensitive information online. Be sure to never let your guard down and always keep your accounts secured.

Share this article: