Go Phish: How to protect yourself from phishing scams

Phishing is a common scheme in which a cyber criminal lures in a user with the intent to steal the recipient’s sensitive information, such as credit card information, usernames and email addresses, and social security numbers.

Phishing scams reel in users using these three common forms:

  • Phishing email messages
  • Phishing phone calls
  • Fake phishing websites

In the aftermath of massive data dumps from LinkedIn and MySpace, a question several of our users have asked is, “what can a hacker do with my compromised information after I changed my password?”

Even without a working password, cyber criminals can still target you through phishing scams.

Although you may think you are well prepared to spot a phishing attempt, cyber criminals are always developing sophisticated methods to dupe you when you least expect it. Stay one step ahead of hackers and learn how to identify and protect yourself from common phishing scams.

Beware of Phishy Emails

Cyber criminals most commonly use fake phishing emails to steal a user’s account information or trick them into clicking a link that downloads malware. Although you may receive an email that looks legitimate, look out for distinct changes that could indicate the email is illegitimate.

5 Ways to Identify Phishing Emails:

  • Check the sender’s email address: A big clue to identifying a fake email is the sender’s email address. Cyber criminals will often create an email account that closely resembles a company’s official email address. For instance, a phishing email address from Amazon might look like “accounts@mazoneurope.com”. Notice the “A” in “Amazon” is not included in the email address. Also, be wary of emails that do not provide any other contact information except for the sender’s email address.
  • High sense of urgency: To prompt you to submit your information, hackers will often create a sense of urgency, pushing you to open a link and re-submit your account information under threat of losing your service. For instance, a phishing email from a bank or another financial institution might ask you to “confirm your account” and re-submit your payment information or else your account will be terminated.
  • Link to a fake website: In order to “confirm” your account information, a cyber criminal will include a link that often looks exactly like a link to the real company’s website. Also be wary of hyperlinks embedded in the text. To see the full URL of a hyperlink, simply hover over the link with your mouse. When in doubt, do not click the link or open any attachments. If you do want to visit the site, type the name directly in your browser, especially if you intend to enter your login information on the site.
  • No personalization: Since cyber criminals often send hundreds of emails at a time, another great clue to a fake email is the lack of a personalized greeting. Proceed with caution if the email doesn’t include your name or username, or addresses you simply as “Customer” or “Account Holder.”
  • Bad spelling/grammar: Be on the lookout for misspelled words and bad grammar in the body of the email.
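The sender-address check from the first item above can be automated. The following is an added example, not code from the article or from Dashlane: it flags a From header whose domain sits within one edit of a watched brand name, or whose display name claims a brand the domain does not belong to. The `OFFICIAL_DOMAINS` table, the function names and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: brands to watch and the domains they really send from.
OFFICIAL_DOMAINS = {"amazon": {"amazon.com", "amazon.co.uk"}}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_official(domain, brand):
    """True for a brand's own domain or any subdomain of it."""
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS[brand])

def imitated_brand(domain):
    """Return the brand a sender domain imitates, or None."""
    for brand in OFFICIAL_DOMAINS:
        if is_official(domain, brand):
            continue
        for label in domain.split("."):
            # Slide a window so "mazoneurope" still matches "amazon" minus one letter.
            for size in (len(brand) - 1, len(brand), len(brand) + 1):
                for i in range(max(len(label) - size + 1, 1)):
                    if edit_distance(label[i:i + size], brand) <= 1:
                        return brand
    return None

def check_sender(raw_email):
    """Return a reason the From header looks suspicious, or None."""
    name, addr = parseaddr(message_from_string(raw_email)["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    brand = imitated_brand(domain)
    if brand:
        return f"{domain} imitates {brand}"
    for brand in OFFICIAL_DOMAINS:
        if brand in name.lower() and not is_official(domain, brand):
            return f"display name claims {brand}, mail is from {domain}"
    return None

# Constructed message using the address quoted in the article.
SAMPLE = 'From: "Amazon" <accounts@mazoneurope.com>\nSubject: Confirm\n\nDear Customer,\n'

if __name__ == "__main__":
    print(check_sender(SAMPLE))
```

The window match is a heuristic and will also flag unrelated domains that happen to resemble a brand, so a hit is a reason to look closer rather than a verdict.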

Want even more protection from phishing emails? Use Dashlane’s password manager! Dashlane intuitively compares the URL of a suspicious website to the URL stored in your account before automatically filling your username and strong password. If it doesn’t recognize the URL of a website, it will not autofill your credentials.

Is this unsolicited phone call legitimate?

Scammers may also attempt to steal your information over the phone by posing as a company representative trying to sell you a product, or as a Customer Support agent.

A tell-tale sign of a phishing phone call is if the call is unsolicited. For example, a criminal will attempt to sell you a software product or a luxury vacation rental and ask for your payment information over the phone, but won’t offer a reachable business phone number where you could contact them. In other cases, a criminal will pose as a representative of a company or government agency that asks for sensitive information, like your password or social security number, in order to update your account information.

Legitimate companies and services, including Dashlane, protect their users by never asking you for any personal information over the phone. Dashlane’s User Support team, for example, is trained to never ask for your email address or Master Password over the phone or on any public platforms. To further reinforce our users’ password security, Dashlane never stores your Master Password or any of its derivatives on our servers.

Phony Phishing Websites

Detecting a phony website can be tricky as cyber criminals develop sophisticated websites that look very much like a real company’s webpage. This only reinforces the need for established companies and services to be explicitly clear about their communication policies with their customers. Although there may be an official company logo on the site, there are always some clues that can help determine if the site is a fraud.

4 Ways to Identify a Phishing Website:

  • Check the website’s URL: Similar to phishing emails, the URL of a fake website may look nearly identical to a legitimate website. Make sure to look out for any misspellings, unusual words or special characters before or after the company’s name, and URLs with unusual endings, like “paypal.it” instead of “paypal.com.”
  • Look for a padlock in the Address bar: To tell if the website can be trusted, check for a padlock or a key on the far left side of the address bar. By clicking on the key or padlock icon, your browser will tell you if the site has a valid, trusted server certificate, has a secure TLS connection, and if the resources on the page are served securely.
  • Check for a secure connection: In the address bar of your browser, look for “https://” at the beginning of the URL to verify the site is secured. If the address begins with just “http://”, the site could be insecure (broken), which could be a clue that it’s a fake website.
  • Enable pop-up and phishing protection in your browser: Chrome and Firefox browsers both have security features that can alert you if you visit a phishing website, if that page is a source of malware, and if you’ve recently downloaded a file detected as malware. Make sure to enable these features in your browser’s settings.
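The URL and “https://” checks in the list above, and the stored-URL comparison a password manager makes before autofilling (mentioned in the email section), both come down to comparing where the page really is with where the account was saved. The following is an added example, not Dashlane's implementation: it contrasts a weak substring check with a strict comparison of scheme, host and port. Strict origin equality, the function names, the sample URLs and the placeholder host `evil.example` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def origin(url):
    """Return (scheme, host, port); the host is lower-cased and IDNA-encoded."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").encode("idna").decode("ascii")
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    except ValueError:  # bad port or unencodable host: treat as no origin
        return None
    return (parts.scheme, host, port) if host else None

def should_autofill(stored_url, page_url):
    """Fill credentials only on an HTTPS page whose origin equals the stored one."""
    stored, page = origin(stored_url), origin(page_url)
    return page is not None and page[0] == "https" and stored == page

def naive_match(stored_url, page_url):
    """Weak check shown for contrast: the saved host merely appears in the URL."""
    return (urlsplit(stored_url).hostname or "") in page_url

STORED = "https://www.paypal.com/signin"
# Constructed page URLs; evil.example is a placeholder host.
PAGES = [
    "https://www.paypal.com/myaccount",            # same origin
    "http://www.paypal.com/signin",                # no TLS
    "https://www.paypal.it/signin",                # different ending
    "https://www.paypal.com.evil.example/signin",  # brand as a subdomain
    "https://www.paypal.com@evil.example/signin",  # brand in the userinfo part
]

def decisions():
    """(naive, strict) verdict for each constructed page URL."""
    return [(naive_match(STORED, p), should_autofill(STORED, p)) for p in PAGES]

if __name__ == "__main__":
    for page, verdict in zip(PAGES, decisions()):
        print(verdict, page)
```

Only the first URL passes the strict check, while the substring check also accepts the plain-HTTP page and both URLs that merely contain the brand's host name.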

To protect yourself and your private information, turn on two-factor authentication (2FA) on supported websites and applications. With 2FA, a hacker who has your username and password will be unable to enter your account without physically possessing your smartphone, security token, or any other authentication device. For added security and convenience, you can also use 2FA or Universal Second Factor (U2F) authentication devices with your Dashlane account!

Now that you can spot a phishy email, phone call, and website, go a step further to protect your digital identity with a password manager. Password managers, like Dashlane, can alert you about a potential security breach and can identify potentially compromised passwords and accounts. Moreover, password managers will help you create strong, unique passwords for every website, making it even harder for hackers to crack your encrypted password.

To learn more about how to protect yourself and your sensitive information from other common Internet scams and cyber attacks, take a look at these other resources from our blog:

How to Make Strong Passwords Even Stronger

13 Ways You (and Your Accountant) Can Avoid Security Headaches at Tax Time

A Beginner’s Guide to Using Two-Factor Authentication and U2F to Secure Your Passwords

3 steps for when your Gmail is hacked

How not to get caught by a Man-in-the-Middle Attack