What is Phishing, and How Can I Protect Myself?
Phishing is an attempt to obtain private information such as usernames, passwords, security questions, and credit card details for malicious purposes. Phishing attacks happen most frequently via email that looks like it’s been sent from a trusted source. It’s important to understand how phishing attacks can manifest and what you can do to avoid becoming a victim.
1. Anytime you receive an email asking you to share personal data, download a file, open an attachment, or click to visit a website, be wary. Phishing lures can appear extremely legitimate in an attempt to fool you into providing personal data, downloading a file, or visiting a website that looks genuine but is actually malicious. Whenever you receive an email asking you to perform one of these actions, never proceed until you’ve contacted the message’s apparent sender to verify authenticity. It’s best to give that person a call or compose a new email — never click “reply” to respond to a message you’re questioning.
2. Be suspicious of messages telling you that your computer is infected with a virus or malware, that your account has been suspended, or that your computer/account had an unauthorized login attempt. Phishers have great success in sending messages with scary headlines to convince you that your system has been compromised. Never click on any links or attachments in messages such as these, and never dial the “tech support” phone number listed, unless you’ve verified the message’s accuracy.
3. If you use gmail, confirm that the message is authenticated by following these instructions. If a question mark appears next to the sender’s name, the message isn’t authenticated. This means gmail doesn’t know if the message actually came from the person who appears to be sending it. If you do see a question mark, be extremely cautious about replying to the message, clicking on links, or downloading attachments.
4. Learn how to view an email message’s full header, which will be necessary when reporting or forwarding phishing emails to the organizations listed below, or for analyzing the header for more details about the sender. A message’s full header will show where the email originated, and it traces the server path from sender to recipient. If you are a gmail user, follow these instructions to view the full header. In Apple Mail, follow these instructions. In Outlook, follow these instructions.
5. Analyze the message’s full header. First, view the full header using the instructions above. Then follow the instructions labeled “How to read full email headers” using Google’s Messageheader tool. Once the header has been analyzed, review the fields labeled SPF, DKIM, and DMARC. If any or all of these fields indicate anything other than “pass,” the message may be malicious. To determine the sending country of the message, you’ll need to use another tool. In the results of the message header you just analyzed, locate the first instance of an IP address (typically on line 0 or line 1) in the “From” column. The IP address will be a number that looks something like 18.104.22.168 or 22.214.171.124. Highlight and copy the IP address, then use a tool such as www.iplocation.net to track the sender’s geolocation. If the email was sent from a country you don’t normally have dealings with, it may be malicious.
6. Before clicking on any link in an email you question, check the link’s destination. Just hover your cursor over a link (whether text or graphic) to see where it will direct you upon clicking. If it’s a link that looks suspicious to you, or directs you to a domain you aren’t familiar with, don’t click.
7. Chrome users may want to consider installing the Password Alert extension. This extension helps protect against phishing by alerting a user if they enter their Google password on any webpage other than Google’s own sign-in page. (Please note, this is a third-party extension so is not directly supported by Google.)
9. If the phishing sender is using a gmail address, report the gmail abuse to Google. If you receive what appears to be a phishing email from Apple, forward it to firstname.lastname@example.org. To forward phishing scam messages to Microsoft, email email@example.com.
10. Forward deceptive messages to the Federal Trade Commission at firstname.lastname@example.org.
12. If you believe you’ve found a phishing site on the web, report the phishing page.
13. Report phishing to PhishTank, a collaborative clearinghouse for data and information about phishing on the Internet.
14. Use a phishing episode as reminder to update your security practices. This is an ideal time to review and update your security, including changing passwords and implementing two-step authentication for devices.