Like any classic hustle, phishing has staying power. The fake emails and texts that lure you into a digital con—Free cruise! Act now!—may not comprise a very technical hack, but the attackers behind them still put a lot of resources and expertise into giving their cons as much authenticity as possible.
That’s what makes it so difficult to protect yourself against phishing. You know not to click links in shady emails. You know to think twice before clicking any link in any email. (Right?) The same goes for downloading attachments and putting your personal information or login credentials into any form that you have any reason not to trust. And yet! Phishers can just needle you forever, waiting for that one moment when you finally slip up. If you do, you instantly subject yourself to any number of unfortunate consequences, whether it’s identity theft, fraud, or malware that runs rampant on your device.
Follow these three rules to keep from getting hooked.
Rule 1: Use Context Clues
The best way to spot a phishing scheme is to listen to your gut. Remember, even if an email looks like it comes from a friend, that doesn’t mean it’s safe. If you weren’t expecting an email from someone, or if you were but the email seems rushed, or their tone is off, or they’re sending you a Facebook message when they usually text you … If anything seems even a little bit off, check with the purported sender on another platform to confirm that they actually reached out.
If a message comes from a person or entity you don’t already know, consider the context of why you might be receiving it and whether the message really makes sense. Most online services won’t, for instance, appear out of the blue, asking you to make account changes through an email link. And even if they do, you should always navigate to the site separately, log in, and check to see what’s actually going on. Treat attachments with even more suspicion and avoid opening them altogether, particularly if you didn’t ask for them or didn’t have a pre-arranged plan to receive them.
Rule 2: Remember the Basics
Following standard digital defense advice will help with phishing as well. Keep a backup of your data. Enable multifactor authentication on every account that offers it. Close accounts you don’t use anymore. And set up a password manager to keep track of unique, robust passwords. All of these steps make you a tougher target, but more importantly, they’ll help contain damage if you ever do get phished.
Rule 3: Know Thyself
At its core, phishing defense requires an awareness of the human traits scams prey on. “The thing I find fascinating about phishing is it’s really exploiting a very primal part of human behavior,” says Crane Hassold, a threat intelligence manager at the security firm PhishLabs, who previously worked as a digital behavior analyst for the FBI. “It’s all about curiosity, trust, and fear. Those qualities are really hardwired into humans, so a lot of protection against phishing has to do with conditioning yourself to look out for things that could be a red flag.”
This means being in touch with your instincts and emotions as you read your messages. That sense of urgency, or that threat from an authority figure, or that random ask for help, all conspire to force you to click. You need to recognize those emotions before acting on them and consider the possibility that a message has nefarious reasons for trying to elicit them. It’s time to really internalize a hard truth: No one is ever going to give you free cruise tickets. Truly never.
Activist? Journalist? Politician? Consider Yourself a Target:
Start by encrypting everything, sign up for Google Advanced Protection, take a tour of Tor, and deploy physical measures to increase your digital security.