How to: Avoid Phishing Attacks

When an attacker sends an email or link that looks innocent, but is actually malicious, it’s called phishing. Phishing attacks are a common way that users get infected with malware—programs that hide on your computer and can be used to remotely control it, steal information, or spy on you.

In a phishing email, the attacker may encourage you to click on or open a link or an attachment that may contain malware. Phishing can also occur via Internet chat. It’s important to double-check links that are sent to you via email or chat.

Web addresses in emails can be deceptive. Web addresses in mail may appear to say one thing, but if you mouse over them to see where they really point, they might show another destination address.

Some phishers use sites that look similar to popular Web addresses to fool you: is different from ! Many people use URL shorteners to make long URLs easier to read or type, but these can also be used to hide malicious destinations. If it's a shortened URL, like a link from Twitter, try putting it into to see where it's really going.

Another way you may be tricked is if you are sent a link to a file that claims to be hosted on a service like Google Docs or Dropbox; if you follow the link, you might see what looks like the login screen for one of these services, and you would be tempted to type your username and password. But the link might have gone to a fake site with a replica of the login screen. So, if you've followed a link, before typing any passwords, check the address bar of your web browser. It will show the real Internet domain name that the page came from. If it doesn't match the site you're supposedly logging into, don't continue!
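The two checks described above (does the link text match where the link really goes, and is the real domain a lookalike of a site you trust) can be automated. The following is an added example written for this guide, not code from the original page or from any mail client; the trusted-brand list, the "last two labels" domain approximation and the sample email body are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: the brands this mailbox actually deals with; use your own list.
TRUSTED = ("paypal.com", "dropbox.com", "google.com")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # demo-grade

def registrable(host):
    """Last two labels of a hostname (assumption: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def within_one_edit(a, b):
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) < len(b):
        a, b = b, a                      # make a the longer (or equal-length) string
    for i in range(len(b)):
        if a[i] != b[i]:
            return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i + 1:] == b[i:]
    return True                          # b is a prefix of a: one trailing character differs

def check_link(text, href):
    """Return the reasons a link looks deceptive (empty list = nothing found)."""
    host = (urlparse(href).hostname or "").lower()
    dom = registrable(host)
    reasons = []
    # 1. The visible text is itself a URL but names a different domain than the href.
    shown = urlparse(text if "://" in text else "//" + text).hostname
    if shown and "." in shown and registrable(shown) != dom:
        reasons.append(f"text shows {shown} but link goes to {host}")
    # 2. A trusted brand is buried as a subdomain, or the domain is one edit from a trusted one.
    for t in TRUSTED:
        if dom != t and (t.split(".")[0] in host.split(".") or within_one_edit(dom, t)):
            reasons.append(f"{host} resembles {t} but is not it")
    return reasons

def scan_email(html):
    """Check every anchor in an HTML body; returns [(text, href, reasons), ...]."""
    out = []
    for href, raw in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", raw).strip()   # drop inner tags such as <b>
        out.append((text, href, check_link(text, href)))
    return out

# Constructed sample phishing-style email body for the demo.
SAMPLE = """<p>Visit <a href="http://paypal.com.account-check.example">https://www.paypal.com/</a>
or <a href="https://www.paypai.com/login">our secure page</a>.</p>
<p>Files: <a href="https://www.dropbox.com/s/abc">Dropbox</a></p>"""
print(*scan_email(SAMPLE), sep="\n")
```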

Remember that just seeing a corporate logo on the page doesn't confirm it's real. Anybody can copy a logo or design onto their own page to try and trick you.

How Does Phishing Work?

Imagine you receive an email from your Uncle Boris that says it contains pictures of his kids. Since Boris actually has kids and the email looks like it came from his address, you open it. Attached to the email is a Word document; when you open it, a strange window pops up for a couple of seconds and then goes away. Now your screen displays an unreadable Word document, or maybe even pictures of Boris' kids!

Uncle Boris didn't send that email, but someone who knows you have an Uncle Boris (and that he has children) did. The Word document that you clicked on started up the Word program, but took advantage of a bug in that software to run its own code. In addition to showing you a Word file, it also downloaded malware onto your computer. That malware could retrieve your contacts and record what your device's camera and microphone see and hear.

It's easy to forge emails so that they display a false return address. This means that checking the apparent email address of the sender isn't enough to confirm that an email was really sent by the person it appears to be from.

Other phishing attacks are less targeted: someone might send emails to hundreds or thousands of people claiming to have an exciting video, important document, or billing dispute, or claiming to be from your employer's computer support department. Sometimes instead of installing software on your computer, these emails will ask for personal details, financial information, or passwords. Some of the recipients will be fooled and will pass along the sensitive information that the email sender asked for.

How to Help Defend Against A Phishing Attack

The best way to protect yourself from phishing attacks is to never click on any links or open any attachments sent to your email, but this is unrealistic for most people. So how do we tell malicious attachments and links apart from harmless ones?

Verify Emails with Senders

One way to determine if an email is a phishing attack is to actually check with the person who sent it via a different channel. If the email was purportedly sent from your bank, you could call your bank or open your browser and type in the URL of your bank's website instead of clicking on any links in the email.  Likewise, instead of opening an attachment from Uncle Boris, you could call him on the phone and ask if he actually sent you pictures of his kids.

Put Files on Your Website or a Shared Service

If you frequently send files to someone, such as a co-worker, consider sending the files in other, more easily verified, ways than inside an email attachment. Upload the files to a private server you both have access to, or use a service such as Google Drive, SpiderOak, or Dropbox to share files. If you normally share files by uploading them to your website or putting them on a company file server, an email coming from you containing an attachment would immediately seem suspicious to the receiver. Breaking into and changing the data on a server is (hopefully) more difficult than crafting a fake email.

Open Suspicious Documents in an Online Document Reader

Some people expect to receive attachments from unknown persons: for example, a journalist receiving documents from sources, or someone dealing with the public at an organization. In these cases, it's difficult to verify that the document or link you are about to open isn't malicious.

For documents like these, try opening them in Google Docs, Etherpad, or another online document reader. This can often mitigate many of the common exploits that are embedded into malicious documents.

If you're comfortable with using or learning new software, and willing to spend a lot of time setting up a new environment for reading mail or foreign documents, there are dedicated operating systems designed to limit the effect of malware. TAILS is a Linux-based operating system that deletes itself after you use it. Qubes is another Linux-based system that carefully separates applications so that they cannot interfere with each other, limiting the effect of any malware. Both are designed to work on laptop or desktop computers.

You can also submit untrusted links and files to VirusTotal, an online service that checks files and links against several different anti-virus engines and reports the results. This isn't foolproof—as antivirus often fails to detect new malware or targeted attacks—but if you don't already use an anti-virus program, it is better than nothing.

Any file or link that you upload to a public website, such as VirusTotal or Google Docs, can be viewed by anyone working for that company, or possibly anyone with access to that website. If the information contained in the file is sensitive or privileged communications, you may want to consider an alternative.

Be Careful of Emailed Instructions

Some phishing emails will claim to be from a computer support department or technology company and ask you to reply with your passwords, or to give a “computer repair person” access to your computer remotely, or to disable some security feature on your device, or to install a new application. They might give a purported explanation of why this is necessary, for example claiming that your email box is full or that your computer is broken or has been hacked. Unfortunately, the consequences if you obey these fraudulent instructions can be very bad for your security. Be especially careful before giving anyone technical data or following technical instructions unless you can be absolutely certain that the request's source is genuine.

Use Email Authentication

A more difficult but effective technique for preventing phishing is to use software that helps ensure an email is from who it says it is from and hasn't been tampered with. Using PGP to encrypt and sign your emails can do this. If you sign an email using PGP, it tells the receiver that the signed contents could only have come from someone who has your PGP private key, so its contents are unlikely to be malicious. The downside to this method is that both parties must have PGP installed and know how to use it.

If you are at all suspicious of an email or link someone has sent you, don’t open or click on it until you’ve mitigated the situation with the above tips and can be confident it’s not malicious.
