
22 Ways to Protect Yourself Against Phishing Attacks

August 13, 2019

New research shows phishing scams remain a significant cybersecurity issue. Here are some ways to avoid being the next victim.

Phishing just won’t go away. In fact, it’s getting worse. A recent Proofpoint cybersecurity survey identified phishing attacks as one of the top data security problems facing businesses, with 83% of organizations worldwide reporting attacks in 2018. Overall, respondents answered a quarter of the survey’s phishing threats and data protection questions incorrectly – a serious concern for IT departments everywhere given the emphasis placed on detecting and avoiding these attacks.

Proofpoint surveyed companies in 16 industries and evaluated more than 20 departments. Communications divisions responded the most accurately, with Customer Service, Facilities and – ironically – Security doing the worst. Finance industry respondents were the most knowledgeable while Education and Transportation brought up the rear, missing 76% of the questions.

What’s going on? Organizations seem to be getting worse at preventing phishing attacks. Fortunately there are some fairly simple ways to improve. Perhaps it’s time for a refresher.

What is phishing and how does it work?

Phishing definition: a fraudulent attempt to trick individuals into divulging sensitive information (usernames, passwords and banking details) by pretending to be a trusted source, often through an email communication.

Spear phishing – a more personalized way of targeting a victim – leverages three potential weaknesses in a recipient:

  • The apparent source appears to be a known and trusted individual
  • The message contains information supporting its validity
  • The request seems to have a logical basis

Phishing emails typically try to lure the recipient into doing one of two things: a) handing over sensitive or valuable information; or b) downloading malware. There are several types of phishing, and each has the potential to wreak havoc in an organization.

How to avoid phishing scams

From an organizational perspective, the FTC provides a helpful overview and good advice for recognizing and avoiding phishing.


  1. Protect all computers in the organization by using security software. Set the software to update automatically so it can deal with any new security threats.
  2. Protect all mobile phones and tablets by instituting a mandatory update policy on devices that access your network. These updates could give you critical protection against security threats.
  3. Protect your accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to an account. This is called multi-factor authentication. The additional credentials required to log in to an account fall into two categories:
    • Something a user has – like a passcode you get via text message or an authentication app.
    • Something a user is – like a scan of a fingerprint, a retina, or their face.

    Multi-factor authentication makes it harder for scammers to log in to accounts if they do get a username and password.

  4. Protect your data by backing it up. Back up data and make sure those backups aren’t connected to the usual network – for example copy computer files to an external hard drive or cloud storage. Back up the data on your phone, too.

These are critically important and useful steps toward safeguarding yourself and your organization against cybercriminals. After employing the above, train staff to read all emails with a critical eye:

  1. Never trust any source that requests sensitive information via email.
  2. Is the email professionally written? Misspelling and grammatical errors are hints you’re being phished.
  3. Never trust a source that doesn’t know your name and account information. If the greeting is generic, it’s probably a scam.
  4. Watch for overly urgent subject lines and language like "Verify your account." Emails saying your account has been compromised frequently tip off a phishing attack.
  5. Does the email contain attachments? If it’s an unsolicited approach with an attachment, it may well be a scam.
  6. Is the email from a legitimate domain? If the @domain.com part of the email doesn’t exactly match the corporate web site URL, it’s likely a scam.
  7. Make sure the site is secure – does the URL begin with “https”? When you mouse over the link is there a closed lock icon near the address bar?
  8. Is your browser up to date? Companies release patches for newly detected malware all the time, so let their developers do the hard work for you.
  9. Install an anti-phishing toolbar or plugin on your browser.
  10. Does the email’s message contain a shortened URL? Hover over it (but don’t click). Check your status bar – does it show a legitimate address? If not, it’s a scam.
  11. Instead of clicking on a suspicious link, type the institution’s root URL (the https://abc.com part) into the browser yourself to access the web site.
  12. Stay informed. When you Google “how to avoid phishing” the search returns well over 15 million results, so it isn’t difficult to stay abreast of the latest news and prevention best practices. Pay close attention when there’s a story about a new tactic.
  13. Retake your company’s security and anti-phishing training. If you score less than 100% study up and try again.
  14. Instead of double-clicking a suspicious file, upload it to an online document reader like Google Drive, which will convert it into HTML or a PDF. This will allow you to review the document while preventing it from installing malware on your device.
  15. Be wary of pop-ups, which are frequently employed in phishing attacks. Most commonly used browsers allow you to block pop-ups by default.
  16. Trust your gut. Does the email feel different or off? If it purports to be from someone you know, is its content inconsistent with the tone and vocabulary you’re used to from the source?
  17. When in doubt, do not click. Make “don’t click” your default setting. Only click a link once you’re sure it’s safe.
  18. Report potential phishing emails to IT or, if they’re allegedly from someone you know, contact that person to ask if they sent it.
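Items 6, 7, 10 and 11 above are mechanical checks, and a mail gateway or help desk can apply them the same way a trained reader would. The Python below is an added example, not code from the original post or from Optiv; the corporate domain abc.com, the sample sender addresses and links, and the shortener list are all constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed list of common URL shorteners, used for the "shortened URL" check (item 10).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def _host_matches(host, expected):
    """True when host is exactly the expected domain or a subdomain of it (item 6)."""
    host, expected = host.lower().rstrip("."), expected.lower()
    return host == expected or host.endswith("." + expected)


def check_sender(sender, expected_domain):
    """Item 6: the @domain part of the sender must exactly match the corporate domain."""
    if "@" not in sender:
        return ["sender address has no @domain part"]
    domain = sender.rsplit("@", 1)[1]
    if not _host_matches(domain, expected_domain):
        return [f"sender domain {domain!r} does not match {expected_domain!r}"]
    return []


def check_link(display_text, href, expected_domain):
    """Items 7, 10, 11: https only, no shorteners, destination host must be the corporate one,
    and the hovered destination must agree with any host named in the visible link text."""
    findings = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme != "https":
        findings.append(f"link {href!r} is not https")
    if host in SHORTENERS:
        findings.append(f"link {href!r} uses URL shortener {host}")
    elif not _host_matches(host, expected_domain):
        findings.append(f"link {href!r} points outside {expected_domain!r}")
    # Only treat the visible text as a URL when it looks like one (has a dot, no spaces).
    text = display_text.strip()
    if "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        if shown and shown != host:
            findings.append(f"link text shows {shown!r} but actually goes to {host!r}")
    return findings


def triage(sender, links, expected_domain):
    """Run every check over one message; links is a list of (visible text, href) pairs."""
    findings = check_sender(sender, expected_domain)
    for text, href in links:
        findings.extend(check_link(text, href, expected_domain))
    return findings


if __name__ == "__main__":  # constructed sample message
    for f in triage("it-support@abc-secure.com",
                    [("abc.com", "https://abc.com.evil.example/login"),
                     ("Verify your account", "http://bit.ly/xyz")], "abc.com"):
        print("FLAG:", f)
```

An empty result means the mechanical checks passed; it does not mean the mail is safe, so the remaining items (tone, urgency, unsolicited attachments) still apply.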

Hackers are clever and are always innovating new ways to breach cybersecurity defenses, so no single tactic is likely to afford 100% protection. But organizations can do a lot from a policy, procedures and training perspective to be more aware of phishing and how it works.
