Some phishing attempts are simple enough that we can learn how to spot them. Increasingly, scammers and attackers are crafting sophisticated phishing emails, combining their understanding of human psychology and technology to create emails that look just like they came from a company we trust and use, or a person we know and interact with regularly. The result is that any one of us, at any time, could fall for a phishing attack, especially if the attacker targets us or our organization.
But all hope is not lost! Changing your habits in the following ways can go a long way in helping you and your colleagues avoid being tricked by a sophisticated phishing attempt:
- Look for and listen to your email provider’s warnings. Most large-scale email providers, like Microsoft or Google have built-in filters that may warn you if you receive an email that has the characteristics of a phishing email. Pay attention to these warnings, and follow steps for how to respond if you receive a suspicious email.
- Use other tools before email, when you can! It’s very easy to get in the habit of using email for everything, but it’s often not the best tool. Instead, try to use dedicated tools that are more secure when they’re available. For example, use Slack for team discussions, and use a secure messaging app like Signal or Wickr for texting.
- Use your smartphone or tablet for email whenever you can. Phones and tablets, especially iPhones and iPads, are much harder to infect with malware than a laptop or desktop computer.
- Don’t send or download attachments on your computer! Instead, use a web-based tool like Google Drive to share and collaborate on files.
- Don’t click login links, and don’t send links. Instead, open a new tab and type in the address of the website, then navigate from there to the page you’re interested in. Further, don’t send links. If your team can get out of the habit of sending any links through email, you can ward off most phishing attacks because any link will be suspicious.
- Enable two-factor authentication (2FA) when it’s available. Two-factor authentication will add an extra step to your log in process. After you enter your password, you will be prompted to use a physical security key or a code from an app on your phone. This can make it more difficult for a phisher to get access to your account, even if they get your password. For help setting this up, see our guides on 2FA.
- Use a unique password on every website. This is for damage control. A unique password means that if you do get phished, the password you lost can only compromise that account. Password managers can make this easier.
- Use a password manager, to verify that you are on the correct webpage before inputting your log in information. It's not safe to set your password manager to auto-fill your credentials when a web page loads, but you can allow it to complete your username and password on a page once you prompt it to, usually with just a few clicks of your mouse. When you do this, your password manager will check the web address of the site you’re on, and only input your login if the site is the authentic one. For help with setting up a password manager, see our guide.
- If you receive an email with an attachment or a link, contact the sender to verify that it came from them. Call a known number for the person or service, rather than using one provided in the email. Do this anytime you receive a link or attachment that you were not expecting or that seems suspicious.
- Protect your personal accounts the way you protect your campaign or work accounts. If you are a candidate or working for a campaign, your personal accounts are valuable assets, and should be protected. Luckily, the methods for securing your personal accounts are the same as they are for securing your campaign accounts: enable 2FA, use a password manager and follow the recommendations above to avoid phishing.
If you've gotten a suspicious email, here are some steps you can take to prevent or limit any potential damage.
Want to know more? Sign up for a training on phishing.