8 Ways to Protect Yourself Against Phishing Attacks

You know that “Congratulation! You’re the lucky winner” email and the voicemail with an offer to buy your house are scams. While phishing is a digital extension of some of the oldest tricks in the book, phishing techniques nonetheless continue to evolve and fool even the most discerning of us.

Cyber adversaries modify their names, tools and strategies often, but they still love their tried-and-true phishing techniques. After all, why significantly change something that still works? Proofpoint’s 2024 State of the Phish Report found that “71% of working adults admitted to taking a risky action, such as reusing or sharing a password, clicking on links from unknown senders, or giving credentials to an untrustworthy source.” Coupled with the report data that nearly 70% of organizations were impacted by ransomware, it is evident that the big phish remains a critical issue for individuals and businesses. 

Phish Facts: Understanding the Threat

Phishing is a fraudulent attempt to trick individuals into divulging sensitive information (usernames, passwords and banking details) by pretending to be a trusted source, often through an email communication.

You may have also heard of many phishing variants – “vishing” for phone call and voicemail spam, “smishing” for fraudulent SMS text messages, “quishing” for QR code deception and “spear phishing” for more “pointed,” personalized phishes that falsely appear to be from individuals the victim knows. For a more technical deep dive into spear phishing attacks, check out our blog.

Regardless of the medium or flavor of the phish, the strategies and objectives are the same. Attackers typically seek financial or reputational gain. To do so, they try to lure the victim into downloading malware (via a link or attachment) or divulging sensitive or valuable information like usernames, passwords, employee IDs, bank account information and more. Phishing is a common technique for obtaining this information and gaining access to a victim system. Emails are the most common action vectors in social engineering breaches according to the 2024 Data Breach Investigations Report from Verizon. Optiv has a few recommendations for how to protect yourself and your organization from phishing emails.

Don’t Take the Bait: How to Avoid a Phishing Attack

  1. Study the subject line. Watch for overly urgent subject lines and language like "Verify your account" or “URGENT.” Emails saying your account has been compromised are common phishing bait.
  2. Be wary of attachments. If you see an unsolicited approach with an attachment, do not rush to open it. “Spear phishing attachments” are widespread cyber adversary techniques.
  3. Check the domain. If the @domain.com part of the email does not exactly match the corporate website URL, you are likely reading a scam email.
  4. Know your HTTPS. Is the enclosed link secure? Verify that the URL begins with “https” and that the browser shows a closed lock icon near the address bar. Keep in mind that HTTPS only means the connection is encrypted; phishing sites routinely obtain valid certificates too, so the lock alone does not prove the site is legitimate.
  5. Update your browser. Browser vendors release patches for newly discovered vulnerabilities and malware all the time, so let their developers do the hard work for you.
  6. Do some recon. Instead of clicking a suspicious link, copy the link and paste it into a community anti-phishing or malware research database site like PhishTank or Scumware to verify if this is a known phishing link. Attackers can also send “shortened” URLs using free services like Bitly or TinyURL to mask suspicious looking domains, which can be revealed and checked using URL “expanders.” 
  7. Train, retrain and train again. Your company may leverage security training and phishing simulations. Learn from your mistakes so you can be more wary of suspicious emails and actively adopt a Zero Trust mindset.
  8. Report potential phishing emails to IT. When in doubt, report; don’t click. If the suspicious sender is allegedly someone you know, reach out to them to verify that they sent the email.
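As an added example that is not part of the original post, the script below turns checklist items 1, 2, 3, 4 and 6 into a small triage routine over a raw email message: it flags an urgent subject line, a sender domain that differs from the corporate domain, non-HTTPS links, shortener links, link text that does not match the real target, and attachments. The corporate domain and both sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed corporate domain and the two shortener services named in item 6.
TRUSTED_DOMAIN = "example.com"
SHORTENERS = {"bit.ly", "tinyurl.com"}
URGENT = re.compile(r"urgent|verify your account|compromised", re.I)
HREF = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def triage(raw: bytes, trusted_domain: str = TRUSTED_DOMAIN) -> list[str]:
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    if URGENT.search(str(msg.get("Subject", ""))):            # item 1: subject line
        flags.append("urgent subject line")
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    domain = m.group(1).lower() if m else ""
    if domain != trusted_domain:                               # item 3: sender domain
        flags.append(f"sender domain {domain!r} is not {trusted_domain!r}")
    body = msg.get_body(preferencelist=("html", "plain"))
    for href, label in HREF.findall(body.get_content() if body else ""):
        host = (urlparse(href).hostname or "").lower()
        if urlparse(href).scheme != "https":                   # item 4: HTTPS
            flags.append(f"link not https: {href}")
        if host in SHORTENERS:                                 # item 6: shortened URL
            flags.append(f"shortened link: {href}")
        shown = re.search(r"https?://([\w.-]+)", label)        # displayed vs real target
        if shown and shown.group(1).lower() != host:
            flags.append(f"link text shows {shown.group(1)} but points to {host}")
    if any(p.get_filename() for p in msg.iter_attachments()):  # item 2: attachments
        flags.append("unsolicited attachment")
    return flags

# Constructed sample messages (not real mail).
PHISH = b"""From: IT Support <helpdesk@examp1e-support.com>
Subject: URGENT: Verify your account
Content-Type: text/html; charset="utf-8"

<p>Your account has been compromised.</p>
<a href="http://bit.ly/abc123">https://portal.example.com/login</a>
"""
CLEAN = b"""From: HR <hr@example.com>
Subject: Q3 benefits enrollment
Content-Type: text/html; charset="utf-8"

<a href="https://hr.example.com/enroll">https://hr.example.com/enroll</a>
"""
```

Running `triage(PHISH)` yields five indicators while `triage(CLEAN)` yields none; the heuristics are a starting point for a mail-gateway or SOC triage rule, not a replacement for reporting to IT.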

Cyber adversaries continually find ways to evolve their techniques, so no single tactic provides 100% protection. But by fostering a culture of phishing awareness from a policy and training perspective, organizations can be more vigilant in preventing cyberattacks.