What tactics are used in phishing attempts?


Phishing messages can come from hijacked accounts of people you know, making them hard to distinguish from real messages. Additionally, cybercriminals commonly use infected documents or PDF attachments as vectors for their phishing attempts. Another common trick attackers use is trying to get victims to sign in on a fake login page where their usernames and passwords can be stolen.

How do you avoid phishing attempts?


Phishing attempts can often get through spam filters and security software that you may already have in place, so stay vigilant and trust your instincts. Keep an eye out for things like unexpected urgency or a wrong salutation. Think twice about clicking a link or opening a document that seems suspicious. Double-check that every URL where you enter your password looks legitimate. And if anything raises doubt, delete or report the communication.

Here’s how online services help fight phishing.



  • Facebook

    As a Facebook user, mitigating phishing is a matter of both verifying that communications that purport to come from the company or link to Facebook are authentic, and guarding against phishing attempts that might occur in direct communications between users on Facebook. In the first case, many scammers try to trick people with fake offers of free, rare, secret or exclusive digital goods (e.g., coins, chips, gifts). When in doubt about authenticity, type www.facebook.com into your browser to get to Facebook directly. We also recommend checking official Facebook Pages or app Pages before clicking on any promotions. In communications on Facebook, it is advisable to verify the identity of the user you’re communicating with and to not click on suspicious links. Find out more from Facebook here.

  • Gmail

    Gmail’s built-in spam protection analyzes patterns drawn from billions of messages to keep 99.9% of spam out of your inbox. You can help by selecting “Report Spam” for any suspicious emails that you receive. To reduce the risk of opening an infected document or PDF attachment, you can use Chrome or Google Docs to safely view attachments. This makes sure that Google servers will open the attachment, instead of your computer, reducing your chances of infecting your machine. To avoid phishing attacks by getting warned when you enter your Google password on a non-Google site, you can also install Chrome’s Password Alert extension.

  • iCloud

    iCloud automatically identifies most junk mail (spam) sent to your @icloud.com address or its aliases and moves the junk mail to your Junk mail folder. If you receive unwanted mail, you can mark it as junk. Messages marked as junk are displayed with a junk mail icon. Important: Because email messages in the Junk folder are automatically deleted after 30 days, periodically check the Junk folder for email messages that were marked as junk mistakenly. Read more about iCloud SPAM block.

  • LinkedIn

    Fraudsters may use a practice called phishing to try to obtain your sensitive data such as usernames, passwords, and credit card information. These fraudsters impersonate legitimate companies or people, sending emails and links that attempt to direct you to false websites, or infect your computer with malware. LinkedIn will never ask you for your password or ask you to download any programs. Find out more from LinkedIn here.

  • Outlook

    A great tool in Outlook is the ability to allow only safe senders by enabling this feature in the Junk Mail section. This sends all “unknown senders” to your junk folder, which disables links, pictures, and attachments until you move them to your inbox. This is the safest way to know that only those accounts you are expecting will be in your inbox. This doesn’t stop a compromised known-sender’s account from coming through, but it will stop the phishing attempts that use similar email accounts. Read more from Microsoft here.

  • Twitter

    Phishing is when someone tries to trick you into giving up your Twitter username, email address or phone number and password, usually so they can send out spam from your account. Often, they’ll try to trick you with a link that goes to a fake login page. Whenever you are prompted to enter your Twitter password, take a quick look at the URL in the address bar of your browser to make sure you're on twitter.com. Additionally, if you receive a Direct Message (even from a friend) with a URL that looks odd, we recommend you do not open the link. Phishing websites will often look just like Twitter's login page, but will actually be a website that is not Twitter. Twitter domains will always have https://twitter.com/ as the base domain. Here are some examples of Twitter login pages:

    https://twitter.com

    https://twitter.com/login

    If you are ever unsure about a login page, go directly to twitter.com and enter your credentials there. If you think you may have been phished, change your password as soon as possible and visit our My account has been compromised article for additional instructions. Read Twitter's Fake Twitter emails article for more information about phishing through email.

  • Yahoo

    If you receive an email that you think is a phishing attempt (it looks like it's from a legitimate company, but is meant to scam your account or personal info), using the Yahoo app you can click the down arrow next to the SPAM Menu item and choose Report a Phishing Scam. This will forward the information on to Yahoo. You can also right-click and choose Block or Mark as SPAM. See more at Yahoo SPAM block.
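
The Twitter advice above (a genuine login page has https://twitter.com/ as its base domain) can be checked mechanically, and the same check works for any login page. This is an added example, not code from the original page or from Twitter; the allowlist `EXPECTED_HOSTS`, the function names and the sample URLs are constructed for illustration.

```javascript
// Added example: does this URL really point at the expected login site?
// EXPECTED_HOSTS and all sample URLs are constructed for illustration.
const EXPECTED_HOSTS = new Set(["twitter.com"]);

function checkLoginUrl(raw, expectedHosts = EXPECTED_HOSTS) {
  let url;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: "not a parseable absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "scheme is not https" };
  }
  // Text before '@' is userinfo, not the site: the real host comes after it.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "userinfo placed before the real host" };
  }
  // hostname is already lowercased and IDNA-encoded; drop a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "host contains non-ASCII lookalike (punycode) labels" };
  }
  // Exact match only: "twitter.com.something.example" is a different site.
  if (!expectedHosts.has(host)) {
    return { ok: false, reason: `host is ${host}, not an expected login host` };
  }
  return { ok: true, reason: "host matches exactly" };
}

// Constructed samples: two genuine forms, then common lookalike patterns.
const SAMPLES = [
  "https://twitter.com/login",
  "https://TWITTER.com./login",
  "http://twitter.com/login",
  "https://twitter.com.login-check.example/login",
  "https://twitter.com@login-check.example/",
  "https://twltter.com/login",
  "https://tw\u0456tter.com/login", // Cyrillic letter in place of Latin "i"
];

function reviewSamples() {
  return SAMPLES.map((u) => ({ url: u, ...checkLoginUrl(u) }));
}

for (const r of reviewSamples()) {
  console.log(`${r.ok ? "OK    " : "REJECT"} ${r.url} (${r.reason})`);
}
```

The check compares the parsed host, never a substring of the raw text, which is why a URL that merely begins with "twitter.com" is still rejected.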