Let’s Not Go Phishing Today: Tips for Home Computer Users

Every so often, a family member or friend will ask me if an email they received is a phishing email. That’s part of my job as the unofficial family tech person. Email phishing and its cousins vishing (voice phishing) and smishing (text phishing), are still a serious problem for the average home computer user. While businesses are slowly implementing phishing detection tools—and, more importantly, user training—to help tackle the problem, home computer users are, for the most part, left to fend for themselves.

Our goal in this post is to provide a few tips and tricks for those oft-forgotten home computer users—your old-school neighbor, your unassuming grandma, or your friend who’s just not that tech savvy—in their effort to use their computer without losing their life savings by clicking on the wrong link.

To get straight to the tips for identifying phishing emails, scroll past the first few sections. Or, continue reading to learn more about the phishing problem, why it matters, and then finish up with the phishing tips.

Why It Matters

Phishing is the use of social engineering techniques—tactics that use psychological manipulation like impersonating someone you know—to get you to take an action that can lead to your downloading a virus or malware, having your account credentials stolen, becoming an extortion victim, or some other malicious action.

While detection and blocking technology has advanced over the years, Dark Reading, a cyber security news site, estimates that up to one percent of all emails that make it to the end user’s mailbox are phishing emails. For home users, who typically have to rely on their internet service provider (referred to as an ISP) or their browser (like Chrome or Safari) to keep them safe, the number is probably higher. Still, 1% doesn’t sound like much—until you consider that to get to that point, these phishing emails are the best of the best. Suddenly, it starts to make sense as to why up to 70% of phishing emails are opened by the recipient.

Who Owns the Phishing Problem?

My friends and family are not creators or purveyors of technology; they are primarily users. Asking them to identify phishing emails by deciphering the email raw source or header is not in their wheelhouse, nor should it be. We take planes, trains, and automobiles without knowing much about how they work. It should be possible to safely receive and interact with an email without having to understand sender authentication or bone up on RFC 5322.

Back in 2005, when most of us first heard of phishing, we had a pretty good idea which businesses and people would contact us and how they would reach us. Today, nearly every company or organization we interact with has a website, an email subscription, an app, social media, and maybe a phone number or two. The daily number of messages we receive via email, phone, text, and so on has easily increased 10-fold (100-fold?) over that time. Do you really have any idea how many accounts you’ve created in your lifetime, and if so, how each of them reaches and interacts with you?

Making matters worse is the proliferation of data collection services—legitimate, shady, and illegal—which will sell personal information to nearly anyone with a purchase order, credit card, or better yet, the latest cryptocurrency. Personal data such as your name, address, last four digits of a credit card, and much more are readily available. As a result, a phishing email can use your name and provide additional personal details along the way in an effort to make you believe it is valid ← that’s social engineering at work.

What Can You Do?

For home computer users, the phishing problem may not be of your making, but you cannot rely on technology if you want to safely function in today’s highly connected world. Phishing uses some really crafty tactics (i.e. social engineering) to get you to believe that when you receive a message from the bad guys, it is okay to do what they are asking you to do. That means you have to be at your best when the incoming message chime rings.

To that end, below we’ve provided you with a little social engineering education in the form of some easy to remember tips you can use to ferret out a phish. We’ll use email in our examples, but the techniques can apply to most inbound communications you’ll receive. In addition, you don’t have to have any special technical superpowers, just some common sense and the ability to lower your FOMO (fear of missing out) threshold.

You can read the tips below, but we’ve also prepared a 20-minute Let’s Not Go Phishing Today webinar which provides a little more depth for each of these tips. You can read the tips below, watch the webinar, or both. The webinar is available on the Backblaze channel on BrightTALK. Keep in mind that you will need to register to watch.

Tip 1: No trust and not useful.

Situation	You receive an email from a business, organization, or person. You are certain you do not know or trust the sender and you were not expecting to receive the email.
Example	You receive an email to lower your mortgage interest rate from a bank you do not use. Oh, and you rent.
Considerations	There are zero reasons to open this email. There is no upside here at all for you. Even if this is not phishing, it is most likely spam.
Disposition	Delete the email while crooning, “But there ain't no Coupe de Ville hiding at the bottom of a Cracker Jack box,” in the style of Meat Loaf (“Two Out of Three Ain’t Bad,” Bat Out of Hell, 1977).

Your on-stage moment is at 2:27.

Tip 2: No trust, but you’re not sure.

Okay, tip one was pretty simple. They get a little harder now.

Situation	You receive an email from a business, organization, or person. You might know the sender, but you really weren’t expecting an email.
Example	You receive an email and the sender name sounds familiar, but that’s it. Maybe you stopped by a store and provided your email to the clerk, maybe you bought a shirt from them two years ago, or maybe it’s just some advertisement you saw, but nothing is ringing a bell.
Considerations	Don’t open the email right away, let it sit in your inbox for a day or two to see if there is a follow up message or perhaps you remember something. Often phishers will use time to pressure you into acting. Surely you would have remembered something so important, so don’t let time pressure you into doing something you shouldn’t. Trust yourself. If you do open the email do not click on any of the links and do not call any phone numbers you may find in the email. Just read the email to see if anything jogs your memory.
Disposition	After a day or two, if nothing rings a bell, delete the email. If it was important, they’ll resend. Click delete. If you think the email could be legit—Okay, really, just lower your FOMO threshold and click delete. I am sure that a bank in Ireland is not waiting to give you a million dollars if you call them.

Fun fact: $1 million in $1 bills weighs 1.1 tons. Say that three times fast!

Tip 3: Trust, but verify.

Situation	You receive an email from a business, organization, or person. You know the sender, but you weren’t really expecting an email from them.
Example	You receive a promotional email from a business. You are a customer of this business and even have an online account with them. You were not expecting the email, but the email makes you an offer that is interesting to you.
Considerations	You can receive promotional emails anytime, but they are more prevalent around holidays and marketing events like Cyber Monday. Phishers know this and will use this to their advantage to avoid detection. A phisher can send out millions of emails in an attack spoofing a given business. If you have a relationship with that business, you are prime pickings. Do not assume that just because you are a customer, the email is legitimate. A phisher can also send out very targeted emails using personal information they have collected from data breaches and other sources, both public and private. Just because an email has your name and other personal details, it does not mean it is legitimate. If you decide to open the email do not click on any of the links and do not call any phone numbers you may find in the email. Read the email and see what they are asking you to do.
Disposition	If you think the promotional offer is legitimate, then open a new browser window and type in the URL to go to the website, or open the app on your phone/tablet for that business. You may have to sign in to your account, but the promotion should be available in one of those places. If the promotion is only available via the email, contact customer service for the business and ask. Remember to use the website or app to contact customer service, not any of the contact information provided in the email. Sometimes, an offer is only available by clicking on a link in the email. In my opinion this is lazy marketing and puts you at risk. Let the business know this is not acceptable.

Spam or Phish?

The email described above could be just a spam email. Whether an email is spam or phishing can be confusing, but in general spam messages are just trying to sell you something and phishing emails have some harmful intent. That said, the same tips we are using for identifying a phishing email can be used to identify spam messages as well.

Tip 4: Trust, but still verify.

Situation	You receive an email from a business, organization, or person. You know the sender and you were expecting the email.
Example	You receive an email on the 10th of the month from your credit card company saying your statement is ready. They always send you this email on the 10th of the month. The email says you can click on the link to sign in to your account and view the statement.
Considerations	It is highly likely this is a legitimate email, but given this email concerns your financial affairs, being extra careful is imperative. Opening up a web browser and typing in the URL to go to the bank’s website to sign in there is safer. This also enforces the good behavior of not clicking on links in emails. Many financial companies and health care providers are starting to maintain a list of messages they send you via email and/or text. You can log into your account to view the list to make sure that any message you received was actually sent by the provider—before you interact with the message. This is an excellent best practice and such businesses should be commended for thinking about their customer’s online safety and security.
Disposition	Even if you think the email is legitimate, use a web browser to access your online account, or use their app to take the requested action.

Downloading Email Attachments?

Only download an attachment that you were expecting to receive, preferably after you were notified via another email—or better yet another method such as a text message. For example, you or whomever you’re interacting with may say, “Hey Monique, I’m going to email those pictures in a minute.” Downloading unsolicited or unexpected attachments is not recommended.

Think of email, text messaging, and voicemail as read-only services, especially when it comes to your financial and health information. This is sometimes really hard with text messages that encourage you to “click this link to…” and voicemail messages saying “call us back at a specific number.” Such messages offer convenience and help move things forward—and sometimes, they are the only way to get things done. At that point, you have to trust the vendor and your instincts.

What to Do When You’re Forced to Click

There are two common situations where you are forced to click a link in an email or message in order to move forward: email newsletters and two factor (2FA) or multifactor (MFA) authentication.

We’re this happy about 2FA security too.

Newsletters

Newsletters can deliver valuable information and often link to other content for additional details. The trouble is, those links are often obscured by tracking redirects used to count how many clicks the link gets—It’s a marketing thing. The average user has little hope of figuring out where the link is actually going, so they are faced with ignoring the information or clicking to the unknown. Let’s break down an example.

Situation	You receive a newsletter from a company you do business with and have received newsletters from them before.
Example	Backblaze sends you a customer newsletter. There’s an article on a new feature and you want to learn more. To do so you have to click on a link, but when you rollover the link (don’t click) it reads something like: `“https://hub.backblaze.com/xxt/XXt/R+000/xx-h-99/V88XHdW7_bXrN4b0ml7W7xsyK94Tmm-9N2x86z13q3phV1-WJV7CgHCJW7swZm-8j6kXwW6cD…”` plus 50-60 more characters that are not displayed.
Considerations	It may seem it goes to the Backblaze website (backblaze.com), but without seeing the entire URL you can’t be sure. It could end with `“.../bad-guys-website.com“,` which would not take you to Backblaze. Were you expecting this newsletter or at least have you gotten a newsletter from Backblaze before? If it is the first time, did you just sign up? What is the intent of the newsletter? Providing information or asking for something? If the newsletter is asking you to sign in to your account for example, it is easy enough to open a new web browser window and sign in from there.
Disposition	This one is all about trust, timing, and clicks. Let’s assume you trust Backblaze as a good sender, the newsletter looks very Backblaze-y, and this is something you would expect. If you do click on the newsletter links, there are two primary things to consider. First, if the link takes you to a sign up or sign in page, stop. Always open a new browser window, enter the URL to go to the site, and sign in from there. Second, make sure the click takes you where you expected to go. If you get pop-ups for downloading a toolbar or extension, land on an unexpected webpage, or other unusual browser behavior (e.g. an automatic download), close the browser window and everything else on your system. Then, run a full antivirus scan immediately. If you are not inclined to click on any links in newsletters, we understand. In our case most of the links on a Backblaze newsletter will go to our blog or our website. You can open a new browser window and find the content on the Backblaze website. This works for the many different newsletters you may get daily. That is: You can usually find the content directly versus clicking on the link.

Tell Us More…

The problem with not clicking on the links in newsletters and other similar communications is that marketing folks lose information about what is important to the recipients, but your peace of mind is more important. So, a healthy alternative is that you could send an email or post something on social media about what you like and what you don’t. Even visiting the pages and interacting with the articles the newsletter highlighted will help. Marketers get feedback, you give your opinion on good content, and you’re a little safer from phishing attacks.

2FA or MFA

More and more websites are requiring the use of two factor or multifactor authentication. Here are a couple of scenarios to help you deal with the messages you might receive.

Scenario 1

Situation	Your bank’s website uses text message-based two factor authentication to confirm access to your accounts.
Example	Using a browser, you log in to your bank's website. A couple of seconds later, you receive the text on your phone with a code that you need to enter on the website.
Disposition	By asking to log in to your bank, you expect to get the text which provides the authentication code. You’re good.

Scenario 2

Situation	Your bank’s website uses two factor authentication to confirm access to your accounts. You believe it is text message-based authentication.
Example	Using a browser, you log in to your bank's website. A couple of seconds later, you receive an email asking to click a link to allow the log in to your account.
Considerations	This is one of those cases where you need to know how the bank will contact you for the second factor. It could be a text message with the code (like the first example above). It could also be by clicking the link in a test message, or through an authentication app on your phone, or by email message, or even by phone. Given the timing of the events in this example, it is highly likely that you had set up email as your second factor. But, sometimes it is not that easy to tell, especially if there are several minutes before you get the authentication message—or worse, if you don’t get the message at all. One way to make this easier on you is to try to use the same authentication method for each website. The trouble is that different companies support different methods and not others. In some cases, you may be able to find information on the bank’s website to determine the authentication method they use.
Disposition	If you’re not sure of the authentication method that was set up, you can abandon the sign-in, then open a new browser window and start again. If you get the same authentication method, you can be reasonably confident you're doing the right thing.

Moving Forward

Over the past couple of years, vendors involved with providing email, text, and voicemail services have gotten better at detecting and eliminating phishing, spam, and malware before it reaches you. That’s great. But the bad guys haven’t given up, and many would say they’ve gotten better.

These tips are a good starting point for improving your ability to stay safe using the internet, email, and your phone. There are many websites and resources where you can learn more and stay informed about phishing and other forms of malware. We listed a few below. You can click on the links, but (if you are a little paranoid at this point), you can search for “consumer phishing resources” or just “phishing resources” using your favorite search engine. Good luck, and stay safe.

Select Phishing Resources

Knowbe4: The world’s first and largest new-school security awareness training and simulated phishing platform.
Phishing.org: A project from KnowBe4 that is a resource for IT professionals to keep you up to date on the latest phishing threats. The Resources page has some free tools to help improve your phishing knowledge.
Phishing info from the Federal Trade Commission.
A phishing primer from the National Cybersecurity Alliance.