The people most likely to be phished, or tricked into handing private information to a criminal through a link in an email, are the ones who don't know how easily that can happen when you click a link in a message, especially one from an unknown sender. If you clicked on this link, you probably know this. But everyone makes mistakes. So today is a good time to learn how to check links to avoid phishing.
Each day the average office worker receives 121 emails. Then there are all your personal emails. Depending on how effective you are at paring down your inbox, you could easily see more than 200 emails a day. And a basic rule of cyber security is that your defenses have to work all the time, while the criminals only need to fool you once.
The simplest way to avoid phishing scams is to never click on a link in an email, ever. If you get an email from a bank, a retailer or your credit card company asking you to follow up on something, go directly to their site to do it, typing the address yourself or using a bookmark. Or, even better, contact them by phone using a number you already have. But this is a lot to ask.
Spam never went away and continues to be one of the tools criminals rely on most because it works.
Hacking brains with words like ‘free’
Certain tactics and words disrupt our normal thought processes and make us much easier to fool. One of those words is “free.”
“We also find things like anything with something for free, you find people will always click on,” Kayleigh O’Donovan from MWR Infosecurity’s Phishd team recently told our Cyber Security Sauna podcast. “So even when we work with large financial organizations with high earners, law firms, you know, really well-paid individuals, and you offer them a free can of Coke, and they will always click. There’ll always be a high percentage of click rates on things like that.”
Awareness of phishing tactics is not enough to prevent attacks. Building a culture of security is what Phishd recommends for workplaces, and you can do that on your own. One way is to teach yourself to check the links in your email.
This is simple. When you see a link, especially one embedded in text rather than written out, put your mouse pointer over it without clicking. Most browsers and webmail clients then show the real destination in the bottom left corner of the window (or in a tooltip). Check that the domain matches the one you expect: the part that matters is the registered domain just before the first slash, read from the right, not whatever familiar name happens to appear earlier in the address or in the link text.
Expand shortened links
In general, avoiding shortened links is a smart tactic, since by design they hide where they are going. There is almost no reason to use them: Twitter, the one service that made these links necessary to save space, created its own shortener years ago for exactly this security reason. But if you feel the need to click on one, please use a site like CheckShortURL to expand it first and see the real destination.
This is more of an advanced tactic. Viewing email without all the HTML and images helps you check your URLs quickly. In Outlook you can configure your inbox to read all messages as plain text; in Gmail you can view any message's raw source by clicking the three vertical dots next to the reply button and choosing "Show original". The source opens in a new tab, and you may be overwhelmed by how much HTML code you see, but the href attributes in that code are the real link targets, whatever the visible text says.
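The hover check, the shortened-link check and the raw-source check above are all the same comparison: the visible text of a link versus the host the href really points to. The script below is an added example, not code from the article or from F-Secure or Phishd, and it automates that comparison over an HTML email body of the kind "Show original" exposes. The sample message, the shortener list, the trusted domain set and the punycode host in it are all constructed for illustration. It goes slightly beyond the text in also flagging punycode (`xn--`) host labels, which is how lookalike internationalized domain names appear in raw source.

```python
"""Flag email links whose real destination does not match what they show.

Added example (not the article's code). Runs offline on a constructed HTML
fragment; prints one line per link with any findings.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message. Link 1 shows the bank's URL as text
# but points elsewhere; link 2 is shortened; link 3 is fine; link 4 reuses the
# bank's name on a different TLD; link 5 uses a made-up punycode host label.
SAMPLE_HTML = """
<p>Your statement is ready:
<a href="https://login.example-bank.com.account-verify.xyz/">
https://www.example-bank.com/statements</a></p>
<p>Claim your <b>free</b> gift: <a href="http://bit.ly/3abcDEF">Click here</a></p>
<p>Help centre: <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
<p><a href="https://example-bank.xyz/login">Log in</a> to review your account.</p>
<p>Security notice: <a href="https://www.xn--exmple-bnk-7xb2b.com/">example-bank.com</a></p>
"""

# Partial list of public URL shorteners; an assumption for this example.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "ow.ly", "goo.gl"}
# Domains the reader actually does business with (constructed).
TRUSTED = {"example-bank.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL; bare 'www.x.com/path' text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Last two labels, e.g. 'account-verify.xyz'. Simplification: real code
    should consult the Public Suffix List so that example.co.uk is handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text):
    return "." in text and " " not in text


def check_link(href, text, trusted):
    """Return a list of human-readable findings for one link (empty = nothing odd)."""
    findings = []
    host = host_of(href)
    actual = registrable(host)
    if actual in SHORTENERS:
        findings.append(f"shortened link via {actual}: expand it before trusting it")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"punycode host label in {host}: possible lookalike domain")
    if looks_like_url(text) and registrable(host_of(text)) != actual:
        findings.append(f"link text shows {registrable(host_of(text))} "
                        f"but does not match real destination {actual}")
    for good in trusted:
        if actual != good and actual.split(".")[0] == good.split(".")[0]:
            findings.append(f"lookalike TLD: {actual} is not {good}")
    return findings


def scan_email(html, trusted):
    """Parse an HTML body and return [(href, text, findings), ...] in document order."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return [(href, text, check_link(href, text, trusted)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, findings in scan_email(SAMPLE_HTML, TRUSTED):
        print(("!! " if findings else "OK ") + f"{text!r} -> {href}")
        for finding in findings:
            print("     -", finding)
```

The mismatch check only fires when the visible text itself looks like an address, because "Click here" tells you nothing either way; a shortener or lookalike finding is reported regardless. To see where a shortened link goes without visiting it, `curl -sI` on the URL prints the response headers including the `Location:` target, since curl does not follow redirects unless given `-L`.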
But that still might not be good enough
Even if you check a URL, you could still be fooled. One reason we have been trying to make people aware of new top-level domains is that they make it even easier to craft addresses that look familiar or reputable. "So, for example, if Microsoft.com is already taken, Microsoft.xyz might not be," Janne Kauhanen, host of our Cyber Security Sauna podcast, explained.
That’s why you need backup
Make sure you are always running internet security software that checks the reputation of the sites you visit, like the Browsing Protection in F-Secure SAFE. This helps protect you from harmful websites even when you click on the wrong thing.