Nishil Shah / 12.17.2022

Email phishing protection

Phishing is one of the most dangerous email security problems and comes in many forms. How can you protect yourself, your family, and your business?
Sample phishing email with malicious link highlighted.

Why use phishing protection?

Phishing protection is any security measure that keeps individuals and organizations from being caught by phishing. Phishing is an online scam in which an attacker poses as a legitimate entity (a bank, a government agency, a well-known company) to trick the victim into handing over sensitive information, such as passwords, login credentials, or financial details, or into opening a malicious attachment. Protection comes in several layers, which work best in combination:
  1. Email filters: These scan incoming mail for known phishing patterns (sender-authentication failures, lookalike domains, links whose visible text and real target disagree, known-bad attachments) and block, quarantine, or flag suspicious messages.
  2. Web filters: These block access to known phishing websites or redirect users to a warning page if they try to access one.
  3. Anti-phishing software: This type of software is installed on a device and helps to protect against phishing attacks by analyzing web pages and emails for suspicious content.
  4. Training and education: This can involve teaching individuals how to recognize and avoid phishing attacks, as well as providing them with resources and protection solutions to reduce risk.
Overall, phishing protection is an important aspect of online security, as it can help to protect individuals and organizations from falling victim to these types of scams.
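The first category above, an email filter, is easy to demonstrate. The following Python is an added example written for this guide; it is not Skiff's code or part of its product. It parses a raw message and applies a few of the checks a receiving filter typically runs: sender-authentication results (SPF, DKIM, DMARC), a Reply-To domain that differs from the From domain, links to raw IP addresses or punycode hosts, and links whose visible text names a different host than the real target. Both sample messages are constructed for the example, and the domain examplebank.com is an assumption, not data from the article.

```python
"""Small email phishing filter: header and link heuristics on a raw message.

Added example, not Skiff's code. The two sample messages are constructed
for the example; examplebank.com and the checks themselves are assumptions.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample 1: a fake "bank" alert. SPF/DKIM/DMARC fail, Reply-To
# points elsewhere, one link goes to a raw IP, and one link's visible text
# shows a different host than its real target.
PHISHING_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank.com>
Reply-To: support@examplebank-verify.net
To: victim@example.org
Subject: Your account has been compromised - action required
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=examplebank.com; dkim=none; dmarc=fail header.from=examplebank.com
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://203.0.113.9/reset">reset your password</a> now.</p>
<p>Or visit <a href="https://examplebank-verify.net/login">https://examplebank.com/login</a></p>
</body></html>
"""

# Constructed sample 2: a legitimate message that passes every check.
CLEAN_EMAIL = """\
From: "Example Bank" <statements@examplebank.com>
To: victim@example.org
Subject: Your monthly statement is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at <a href="https://examplebank.com/statements">https://examplebank.com/statements</a>.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def email_domain(header_value: str) -> str:
    """Domain of an address like 'Name <user@host>', lower-cased ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value)
    return m.group(1).lower() if m else ""


def url_host(text: str) -> str:
    """Hostname of a URL, or '' if the text is not a URL."""
    return (urlparse(text).hostname or "").lower()


def analyze(raw_message: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Sender authentication. Only trust an Authentication-Results header
    #    added by your own receiving server; senders can forge this header too,
    #    so a real filter strips any copy that arrives from outside.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")

    # 2. A Reply-To on a different domain than From is a classic tell.
    from_dom = email_domain(str(msg.get("From", "")))
    reply_dom = email_domain(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # 3. Links: raw IP targets, punycode hosts, and text/target mismatches.
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = url_host(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link points to a raw IP address: {href}")
        if host.startswith("xn--") or ".xn--" in host:
            findings.append(f"link uses a punycode (IDN) host: {host}")
        shown = url_host(text)
        if shown and shown != host:
            findings.append(f"link text shows {shown} but points to {host}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, analyze(raw) or ["no findings"])
```

Run it and the phishing sample produces six findings while the clean one produces none. Each heuristic on its own is weak (a marketing platform legitimately sets a different Reply-To, for instance), which is why production filters combine many such signals with reputation data rather than blocking on any single one.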

How can you protect against phishing attacks?

There are several steps you can take to protect yourself and your organization against phishing attacks:
  1. Be cautious of emails and websites that ask for sensitive information: Be wary of emails and websites that ask for login credentials, financial information, or personal details. If you receive a suspicious email or land on a suspicious website, do not click any links or enter any information. If a message claims to be from a service you use, open that service by typing its address or using a saved bookmark and check there, rather than following the link in the message.
  2. Use anti-phishing software: Install anti-phishing software on your devices to help protect against phishing attacks. This software analyzes web pages and emails for malicious content and can block access to known phishing websites or flag potentially malicious messages.
  3. Use strong, unique passwords: Use strong, unique passwords for all of your accounts, and consider using a password manager to help you generate and store them securely.
  4. Enable two-factor authentication: Two-factor authentication (2FA) requires a second factor in addition to your password when logging in. A code sent by SMS or email, or generated by an authenticator app, stops an attacker who has only your password, but a phishing site that relays your code to the real site in real time can still get in. Where a service offers it, use a phishing-resistant method such as a FIDO2 security key or a passkey, which only works on the genuine site.
  5. Keep your software and devices up to date: Make sure to keep all of your software and devices up to date with the latest security patches and updates. This can help to protect against known vulnerabilities that could be exploited by attackers.
  6. Educate yourself and others: Learn about phishing attacks and how to recognize and avoid them. Share this information with your colleagues and encourage them to be cautious as well.
By following these steps, you can help to protect yourself and your organization against phishing attacks and other online threats.

The most common phishing techniques

Attackers reach victims over several channels. The most common techniques:
  • Email phishing: A fake email that appears to come from a legitimate source, such as a bank, government agency, or well-known company. The message carries a link or attachment that, when opened, installs malware on the victim's device or leads to a fake website that asks for sensitive information.
  • Spear phishing: A targeted form of phishing in which a personalized email is sent to a specific individual or group, often with the aim of obtaining sensitive information or access to an organization's systems.
  • SMS phishing (smishing): A fake text message that appears to come from a legitimate source, such as a bank or government agency. The message contains a link or phone number that leads the victim to a fake website or phone line where they are asked for sensitive information.
  • Phone phishing (vishing): An attacker poses as a legitimate representative over the phone and asks the victim to disclose sensitive information.
Knowing these techniques, and how to recognize and avoid them, goes a long way toward protecting yourself and your organization. Two more detailed examples:

Example 1: An attacker sends an email claiming to be from a well-known bank, stating that the recipient's account has been compromised and asking them to click a link to reset their password. The link leads to a fake website where the victim is prompted to enter their login credentials and financial information, which the attacker then uses to access the real account and steal money or card details.

Example 2: A scammer registers a domain name that resembles a popular social media app's and builds a fake copy of its login page there. They then email a large number of users, claiming that their accounts have been compromised and directing them to log in on the fake site to reset their password. Credentials entered on the fake site give the attacker access to the victim's real account and its data, which can lead to identity theft, bank account compromise, credit card theft, or impersonation of the victim.
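The spoofed-domain trick in Example 2 can be caught mechanically on the receiving side. The following Python is an added example written for this guide, not part of the original article or of Skiff's products. It classifies a hostname against a list of domains you want to protect: exact matches are accepted, and hosts that use the brand as a subdomain of some other domain, embed it in another name, register it under a different top-level domain, or spell it with confusable characters or a single typo are flagged. The protected list, the confusable table, and the one-edit threshold are the example's own choices, and taking the last two labels as the registrable domain is a simplification (real code should use the Public Suffix List).

```python
"""Lookalike-domain detector for the spoofed-domain pattern in Example 2.

Added example, not Skiff's code. The protected list, confusable table and
one-edit threshold are assumptions chosen for the example. Treating the
last two labels as the registrable domain is a simplification; real code
should consult the Public Suffix List.
"""

# Constructed list of domains to protect; the brand is the first label.
PROTECTED = {"examplebank.com", "socialapp.example"}

# Characters commonly substituted for Latin letters: digits, plus a few
# Cyrillic letters that render identically to Latin ones in most fonts.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})


def normalize(label: str) -> str:
    """Fold confusable characters and two-letter look-alikes to their Latin target."""
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters (so a transposition typo costs 1, not 2)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host: str, protected=PROTECTED) -> str:
    """Return 'legitimate', 'unknown', or a 'lookalike: ...' explanation."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # xn-- labels back to Unicode
    except UnicodeError:
        pass  # already Unicode (or not valid IDNA): compare as given
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # simplification, see docstring
    if registrable in protected:
        return "legitimate"
    raw_label = labels[-2] if len(labels) > 1 else labels[0]
    reg_label = normalize(raw_label)
    for brand in sorted(p.split(".")[0] for p in protected):
        if brand in labels[:-2]:
            return f"lookalike: '{brand}' used as a subdomain of {registrable}"
        if raw_label == brand:
            return f"lookalike: '{brand}' under a different top-level domain ({registrable})"
        if reg_label == brand:
            return f"lookalike: {registrable} spells '{brand}' with confusable characters"
        if brand in reg_label:
            return f"lookalike: '{brand}' embedded in {registrable}"
        if edit_distance(reg_label, brand) <= 1:
            return f"lookalike: {registrable} is one edit away from '{brand}'"
    return "unknown"


if __name__ == "__main__":
    samples = (
        "www.examplebank.com", "examplebank.com.secure-login.net",
        "examplebank-verify.net", "exmaplebank.com", "examp1ebank.com",
        "examplebank.net", "ex\u0430mplebank.com".encode("idna").decode("ascii"),
        "unrelated-shop.example",
    )
    for h in samples:
        print(f"{h:40} {classify(h)}")
```

The same classification works on the sending side: a filter that runs it over every link host in incoming mail, with your own organization's domains in the protected list, catches the bulk of credential-harvesting pages before a user sees them. Keep the edit threshold small for short brand names, or the number of false positives climbs quickly.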

Social engineering

Social engineering attacks refer to the use of psychological manipulation and persuasion to influence individuals to take actions that may not be in their best interest. In the context of phishing, attackers use social engineering tactics to create a sense of urgency or fear in the victim, making them more likely to take the bait and fall for the scam.

One common tactic used in phishing attacks is the creation of fake websites or emails that look legitimate but are actually designed to steal personal information or install malware on the victim's device. These fake sites or emails may be made to look like they are from a legitimate company, government agency, or financial institution, and may contain logos and branding that appear authentic.

Another tactic used in phishing attacks is the creation of fake social media profiles or online profiles on dating or job websites. These profiles are used to build trust with the victim and gather personal information or persuade them to click on malicious links.

In addition to these tactics, hackers and phishers may also use pretexting, which involves creating a fake identity or situation to obtain sensitive information from the victim. This may involve pretending to be a co-worker or supervisor, a customer service representative, or a member of a trusted organization.

Overall, social engineering is a powerful tool that is often used in phishing messages to manipulate and deceive victims into divulging sensitive information or taking actions that they would not normally take. It is important to be aware of these tactics and to remain vigilant in protecting personal information online.

Ransomware and how to beat it

Ransomware is a type of malicious software that encrypts a victim's files, making them inaccessible until a ransom is paid to the attackers. Ransomware attacks can be financially devastating for businesses, as they can disrupt operations and lead to financial losses. To protect your data from ransomware, it is important to take the following precautions:
  • Back up your important files regularly, and keep at least one copy offline or otherwise out of reach of your everyday accounts: ransomware also encrypts or deletes any backup it can reach, such as mapped network drives and always-connected external disks. Test that you can actually restore from the backup, not just that it exists.
  • Keep your operating system and antivirus software up to date: This will help protect your computer from new threats.
  • Be cautious when opening email attachments or clicking on links in emails: Ransomware is often delivered through malicious email content, including attachments and links. Do not open attachments or click on links from unfamiliar sources.
  • Avoid downloading software from untrustworthy websites: Be sure to download software only from reputable sources.
  • Use a firewall: A firewall can help block incoming connections that may be malicious.
  • Disable macros in Office documents: Macros are a common way to deliver ransomware. Recent versions of Microsoft Office block macros in files downloaded from the internet by default; keep that setting, and do not "enable content" on a document you were not expecting.
Ransomware is among the nastiest cybersecurity risks, with attackers demanding millions of dollars for recovery in some cases. Many groups also copy data out before encrypting it and threaten to publish it, so a good backup limits the damage but does not make the problem go away. The steps above substantially reduce the chance of infection in the first place.

Reporting phishing

If you believe that you have received a phishing email or have encountered a phishing campaign, there are several steps you can take to report it:
  • Forward the email to your email provider: Most email providers have a dedicated address for reporting phishing. You can typically find it by searching online or by contacting your provider's support. Where possible, forward the message as an attachment so the original headers are preserved. Gmail, for example, has a "Report phishing" option in the message menu, and Apple asks users to forward phishing messages to reportphishing@apple.com.
  • Report the website to the Federal Trade Commission (FTC): In the United States, phishing sites and scams can be reported at reportfraud.ftc.gov. Phishing emails can also be forwarded to the Anti-Phishing Working Group at reportphishing@apwg.org, which feeds browser and mail-provider blocklists.
  • Report the website to your web browser: Chrome, Firefox, and Safari all warn about known phishing pages, and you can feed them new ones. Firefox, for example, has "Report deceptive site" in its Help menu, and Chrome users can report a page to Google Safe Browsing; a confirmed report gets the page blocked for every user of that blocklist.
  • Report the email or website to the company or organization being impersonated: If the phishing email or website is pretending to be from a specific company or organization, you can report it to them directly. Many companies have a dedicated email address or webpage for reporting phishing scams.
By reporting phishing scams, you can help protect others from falling victim to these types of attacks and assist in the efforts to combat them.

What to do if you’re phished?

If you think you may have been a victim of a phishing attack, take these steps:
  • Change your passwords: If you entered login credentials on a phishing site, change that password immediately, from a device you trust, and change it anywhere else you reused it. Then sign out of all other sessions for that account (most services offer this in their security settings), because an attacker who has already logged in can otherwise stay logged in after the password change. Use strong, unique passwords for all of your accounts, and consider using a password manager to keep track of them.
  • Check the device: If you opened an attachment or ran a download from the message, treat the device as possibly infected. Disconnect it and run an antivirus scan before using it for anything sensitive.
  • Watch for suspicious activity: Keep an eye on your accounts for unusual activity, such as unexpected charges, logins from unfamiliar locations, new mail-forwarding rules, or password-reset emails you did not request.
  • Report the attack: Report the incident to the company or organization that was impersonated, to your email provider, and to the authorities, such as the Federal Trade Commission (FTC) in the United States. If it was a work account, tell your IT or security team right away; the sooner they know, the less the attacker can do with the access.
  • Enable two-factor authentication: A second factor, required in addition to your password, makes it much harder for an attacker who has obtained your password to get in. Prefer an authenticator app, a security key, or a passkey over codes sent by SMS or email.
  • Stay alert: Someone who has phished you once may try again. Use anti-phishing tools, such as browser extensions that help identify fake websites, and keep learning about the tactics phishers use.

Anti-phishing training

Anti-phishing training is a type of security awareness training that teaches individuals how to recognize and avoid phishing attacks. Phishing is a type of cybercrime in which attackers send fake emails or websites that appear to be from legitimate sources in order to trick people into divulging sensitive information, such as passwords or financial information. Anti-phishing training helps individuals identify and protect themselves from these types of attacks by teaching them to recognize common tactics used by phishers and to be cautious when receiving emails or visiting websites that request personal information. This type of training can be provided through a variety of methods, such as online courses, in-person training sessions, or simulations that test individuals' ability to identify phishing attempts.

Use Skiff Mail for private, secure email

With email as a primary threat vector today, we recommend switching to Skiff Mail for private, end-to-end encrypted, and secure email. Here are some tips for using Skiff securely:
  • Use multiple aliases: By keeping your aliases random and private, hackers, cybercriminals, and scammers have no way to link them to your real identity, and an alias that starts receiving phishing can simply be retired. Skiff offers unlimited aliases (using dots and plus signs), even on the free plan. Paid plans can access more aliases, shorter aliases, and custom domains.
  • Image and content proxying: Skiff Mail reduces security threats and tracking by proxying remote content inside emails. This significantly increases user privacy by hiding your IP address and device information from senders, including phishers who embed tracking images.
  • End-to-end encryption: On Skiff Mail, only you have access to your data. Even if a cyberattack were to compromise your network or data storage, all data is encrypted with keys that only you own, which is not the case on Microsoft or Google email products. Encryption protects your stored mail; it does not stop a phishing message from arriving, so the habits described above still apply.
If you're looking for robust email protection for yourself, your family, and your colleagues, you should switch to Skiff. Have any questions? Contact us on Twitter, Reddit, Discord, or at [email protected].
