Some phishing emails can be very hard to spot. Phishers are experts at crafting emails and websites that look just like those from a legitimate organization. For example, a sophisticated phisher can send an email that looks just like it came from your bank, with a link to a login page that looks identical to the bank's real one, and use that page to capture your password when you type it in.
Other phishers customize an email for a single person, a practice known as “spear phishing” (when the target is a senior figure such as a candidate or campaign manager, it is often called “whaling”). Such an email might even appear to come from someone you know personally, and it can be very hard to tell from the real thing without careful examination.
To avoid being phished, even by sophisticated emails, you can build a few habits for using email safely whether it looks suspicious or not:
- Look for and listen to your email provider’s warnings. Most large-scale email providers, like Microsoft or Google, have built-in filters that may warn you if you receive an email that has the characteristics of a phishing email. Pay attention to these warnings, and follow the steps for responding to a suspicious email.
- Use other tools before email, when you can! It’s very easy to get in the habit of using email for everything, but it’s often not the best tool: anyone in the world can send you an email, while a tool with a closed membership is much harder for an outsider to inject a message into. Where they are available, prefer dedicated tools; for example, use Slack for team discussions, and use a secure messaging app like Signal, Wickr or WhatsApp for texting.
- Use your smartphone or tablet for email whenever you can. Phones and tablets, especially iPhones and iPads, are much harder to infect with malware than a laptop or desktop computer. Note that this protects you against malicious attachments and downloads, not against typing your password into a fake login page, so the habits below still apply on a phone.
- Don’t send or open attachments on your Mac, Windows, or Linux computer! Instead, use a web-based tool like Google Drive to share and collaborate on files.
- Don’t click login links, and don’t send links. Instead, open a new tab and type in the address of the website yourself, then navigate from there to the page you’re interested in. If your team can get out of the habit of sending any links through insecure email, you can ward off most phishing attacks, because any link that does arrive will immediately be suspicious.
- Enable two-factor authentication (2FA) when it’s available. Two-factor authentication means that you need an extra step in addition to your password to log in, like a physical security key or a code from an app on your phone. This can make it more difficult for a phisher to get access to your account, even if they get your password. A physical security key is the stronger of the two: it checks the web address of the site it is talking to and will not answer for a lookalike page, whereas a code you read off your phone can be typed into a fake page and relayed by the phisher to the real site. For help setting this up, see our guides on 2FA.
- Use a password manager that completes your login info only when you ask it to. It is not safe to set your password manager to auto-fill your credentials the moment a web page loads, but you can allow it to complete your username and password on a page once you prompt it to, usually with a click or two. When you do this, your password manager compares the web address of the site you’re on with the address it saved the login for, and only fills in your login if they match; a lookalike address will not match, so nothing gets filled. For help with setting up a password manager, see our guide.
- Use a unique password on every website. This is for damage control. A unique password means that if you do get phished, the password you lost can only compromise that account. Password managers can make this easier.
- If you receive an email with an attachment or a link that you were not expecting, or that seems suspicious, contact the sender to verify that it came from them. Call a known number for the person or service, rather than using one provided in the email.
- Protect your personal accounts the way you protect your campaign accounts. If you are a candidate or working for a campaign, your personal accounts are valuable assets, and should be protected. Luckily, the methods for securing your personal accounts are the same as they are for securing your campaign accounts: enable 2FA, use a password manager and follow the recommendations above to avoid phishing.
Want to know more? Sign up for a training on phishing.