What do emails saying “You won 100,500 som!” and “Your account is blocked” have in common? They can be genuine (less often) or a scammer's trick (more often). In the latter case, the goal is to make the recipient believe the story, go to a phishing site and enter confidential information there: logins and passwords or card details. Here is how to recognize a phishing attack and protect yourself from it.
When you receive any email, do not rush to reply or follow its instructions: first pay attention to the important details. What should raise concern?
In most cases such a check is enough to identify a phishing mailing. Unfortunately, though, the sender's name and address can be forged, and the link can be shortened to an unreadable form or routed through a chain of automatic redirects from less suspicious addresses to the phishing site itself.
Therefore, if possible, do not follow links from emails you did not request at all. For example, a notification from a bank or an online store can be checked by calling the phone number in your contract. For a social network, sign in by typing the address manually. Check information about a prize draw on the official website of the company running it, found through a search engine. And so on.
You need to be careful not only with emails but also with messages in instant messengers and on social networks: the bait link can be in a friend's post on Facebook, in a reply from fake brand representatives on Twitter, or in a personal message on Discord.
You should also be suspicious of banners: the picture on them may have nothing to do with the site you will be taken to. Sites that host banners generally cannot control what exactly the user will see or where they will go. So even from a perfectly respectable site, a banner can take you to a phishing page or somewhere much worse.
What to do? As with email, check every link very carefully, or better, do not click on them at all.
Bank card details are especially sensitive information: they give direct access to your money. So however you got to the site - via a link, a banner, search results or by typing the address manually - stop again before entering your card details and check where you are.
First, look at the address bar. The danger signs are the same as before: typos, numbers instead of letters, hyphens in unexpected places and strange domains. If you see any of them, leave the site and try entering its address again.
Second, click the padlock on the left of the same address bar. By itself it does not guarantee security, but clicking it offers a way to learn more about the site's owner. Click the "Details" and "More Information" buttons until you see the name of the organization that owns the site.
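As an added illustration (not part of the original article), the following Python function turns the address-bar checks above into code. It flags a missing https connection, digits standing in for letters, a known brand name buried inside an unrelated domain, an address only a typo away from a domain the user knows, punycode host names and raw IP addresses. The set of known domains is constructed for the example, and the registrable-domain helper simply takes the last two labels, which is an assumption that ignores multi-part suffixes such as co.uk.

```python
import re
from urllib.parse import urlsplit

# Constructed for this example: the domains the user actually deals with.
KNOWN_DOMAINS = {"example-bank.com", "example-shop.com"}

# Digits that are commonly substituted for similar-looking letters.
DIGIT_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host):
    """Return the last two labels of a host name, e.g. 'login.example-bank.com'
    -> 'example-bank.com'. Simplification: multi-part public suffixes such as
    'co.uk' are not handled (assumption of this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, known=KNOWN_DOMAINS):
    """Return the list of warning signs found in the URL. An empty list means the
    registrable domain is one the user knows and nothing odd was seen."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return ["no host name in the URL"]
    if parts.scheme != "https":
        warnings.append("connection is not https")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode domain: may contain look-alike letters from another alphabet")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("raw IP address instead of a domain name")
    reg = registrable_domain(host)
    if reg in known:
        return warnings  # exact match on a domain the user knows
    # Numbers instead of letters: 'examp1e-bank.com'
    normalized = reg.translate(DIGIT_LOOKALIKES)
    if normalized != reg and normalized in known:
        warnings.append(f"digits in place of letters: looks like {normalized}")
    for k in known:
        brand = k.split(".")[0]
        if brand in host:
            # Brand name buried in a subdomain or padded with hyphenated words:
            # 'example-bank.com.secure-login.net', 'example-bank-verify.com'
            warnings.append(f"mentions '{brand}' but the site is {reg}, not {k}")
        elif 0 < edit_distance(reg, k) <= 2:
            # Typo-squat: a couple of characters away from a known domain
            warnings.append(f"'{reg}' is only a typo away from {k}")
    return warnings


if __name__ == "__main__":
    for u in ("https://example-bank.com/login",
              "http://example-bank.com.secure-login.net/verify",
              "https://examp1e-bank.com/login"):
        print(u, "->", check_url(u) or "no warning signs")
```

The checks are heuristics, not proof: a clean result only means none of the listed signs was found, which is why the article still recommends typing known addresses by hand rather than following links.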
If you often shop online, including from small businesses and private sellers, we recommend getting a separate card for this, keeping small amounts on it and topping it up just before you are going to pay for something. Even if this card's details leak as a result of phishing, you will not lose much money.
If you use the same password for different accounts, even a very strong one, and enter it on a phishing site just once, you risk losing all of those accounts. That is why the password should be unique for each site and application.
If it is hard to come up with and remember dozens of passwords for every pizzeria and online store, a password manager will help.
First, with such a solution you only need to remember one unique master password, which unlocks access to all the others; the application then fills those in on the right sites by itself.
Incidentally, this also works as an extra phishing check: if the application did not fill in the username and password automatically, you are most likely on a fake page. To a person it looks the same, but it has a different address, which is why the password manager does not fill in credentials there.
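To make that check concrete, here is a toy vault in Python, written as an added example for this article (not the code of any password manager): credentials are stored under the exact origin where they were saved, so a look-alike domain, an extra subdomain in front of the real name, or a plain-http copy of the site gets nothing filled in. Real managers differ in how strictly they match (many match on the registered domain rather than the full origin); the strict origin rule and the domain names here are assumptions of the example.

```python
from urllib.parse import urlsplit


class PasswordVault:
    """Toy password manager. A credential is keyed by the origin
    (scheme + host + port) of the page it was saved on and is offered only there."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def origin(url):
        """Normalize a URL to its origin: lower-case host, explicit default port."""
        p = urlsplit(url)
        host = (p.hostname or "").lower()
        port = p.port or (443 if p.scheme == "https" else 80)
        return f"{p.scheme}://{host}:{port}"

    def save(self, url, username, password):
        self._entries[self.origin(url)] = (username, password)

    def autofill(self, url):
        """Return (username, password) for this exact origin, or None.
        'examp1e-bank.com', 'example-bank.com.evil.test' and
        'http://example-bank.com' are all different origins and get nothing."""
        return self._entries.get(self.origin(url))


def login_advice(vault, url):
    """What the manager effectively tells the user on a login page."""
    creds = vault.autofill(url)
    if creds is None:
        return "no saved login for this address: a look-alike page or a new site"
    return f"filling in {creds[0]}"


if __name__ == "__main__":
    vault = PasswordVault()
    # Constructed sample credential saved on the genuine site.
    vault.save("https://example-bank.com/login", "alice", "correct horse battery staple")
    for u in ("https://example-bank.com/account/login",
              "https://examp1e-bank.com/login",
              "https://example-bank.com.secure-login.test/"):
        print(u, "->", login_advice(vault, u))
```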
Second, password managers generate hard-to-crack combinations themselves - one less headache.
Third, password managers have useful extra features. For example, Password Manager checks your passwords and warns you if they are too weak, not unique, or already appear in one of the leaked password databases, that is, are known to criminals.
Many phishing attacks aim to hijack an account. But you can make it so that attackers cannot log into your account even if they obtain the username and password. Set up two-factor authentication in every service that offers it: to log in, you will then also need a temporary code that arrives by email, SMS or in a dedicated authenticator app, and the attacker will not have it.
Keep in mind, however, that particularly careful phishers can also forge the window for entering the one-time two-factor code. So to protect your most important accounts, it is better to use a hardware authenticator that plugs into USB, for example YubiKey or Google's Titan Security Key.
Some authenticators (though not all) also have NFC and Bluetooth for connecting to mobile devices. The advantage of a hardware key is that it will never give out a secret to a fake site: to get the correct answer from it, you must send the correct request, which only the real site knows.
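The challenge-response binding described above, as an added example written for this article (not code from YubiKey, Google or any FIDO library): the key derives a separate secret for each site from a master secret that never leaves the device, and the answer it produces covers both the site's challenge and the domain the browser is actually on. A fake site therefore only ever gets answers bound to its own domain, which the real site rejects. Using HMAC with per-site derived keys is a stand-in for the per-site key pair a real authenticator uses, and the domain names are constructed; both are assumptions of the example.

```python
import hashlib
import hmac
import os
import secrets


class HardwareKey:
    """Toy authenticator. The master secret never leaves the object; every site
    (relying party, identified by its domain) gets its own derived key."""

    def __init__(self):
        self._master = os.urandom(32)

    def _site_key(self, rp_id):
        return hmac.new(self._master, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id):
        # Simplification: the site receives a symmetric verification key.
        # A real FIDO key hands out a public key and keeps the private half.
        return self._site_key(rp_id)

    def answer(self, rp_id, challenge):
        """Answer a login challenge. rp_id is the domain the browser saw in the
        address bar, not something the page can choose; it is mixed into the
        signed data, so an answer for one domain is useless on another."""
        data = hashlib.sha256(rp_id.encode()).digest() + challenge
        return hmac.new(self._site_key(rp_id), data, hashlib.sha256).digest()


class Site:
    """Relying party: stores the key's registration and checks login answers."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.verification_key = None

    def enroll(self, key):
        self.verification_key = key.register(self.rp_id)

    def new_challenge(self):
        return secrets.token_bytes(32)

    def verify(self, challenge, answer):
        data = hashlib.sha256(self.rp_id.encode()).digest() + challenge
        expected = hmac.new(self.verification_key, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, answer)


def login(site, key, browser_domain):
    """One login attempt: the site issues a challenge, the browser passes it to
    the key together with the domain it is really on, and the site checks the
    answer. Returns True only when the browser was on the site's own domain."""
    challenge = site.new_challenge()
    return site.verify(challenge, key.answer(browser_domain, challenge))


if __name__ == "__main__":
    key = HardwareKey()
    bank = Site("example-bank.com")       # constructed genuine site
    bank.enroll(key)
    print("genuine site:", login(bank, key, "example-bank.com"))
    # The same challenge answered while the browser sits on a look-alike domain
    # is bound to that domain and fails verification at the real site.
    print("look-alike site:", login(bank, key, "examp1e-bank.com"))
```

The second call models the article's point exactly: even if a fake page relays the genuine site's challenge to the victim, the key binds its answer to the address the browser is on, so the genuine site never receives a valid response.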
Of course, it is hard to stay constantly alert and check every single address, link and so on. But this task can be automated and entrusted to anti-phishing protection, for example an Antivirus program. The antivirus will warn you in time that you are about to open a malicious page and block the threat.