DEV Community

Mustafa ERBAY
Mustafa ERBAY

Posted on • Originally published at mustafaerbay.com.tr

5 Practical Steps to Avoid Falling for Phishing Traps

Last month, I saw an email sent to the finance department of one of my clients that almost led to serious damage. The email appeared to be from the company's CEO and requested an urgent "invoice payment." However, a careful examination revealed it was a classic phishing attempt.

Phishing is one of the most common and effective methods cyber attackers use to steal your personal information, usernames, and passwords. They typically aim to trick you into voluntarily giving up sensitive information through fake emails, SMS messages, or websites. Having seen many different versions of these attacks over the years, I know they target not only large corporations but also individual users. In this post, I will share 5 practical steps you can take to avoid falling for such traps, based on my own experiences, and what to look out for.

1. How to Recognize Suspicious Emails and Messages

The vast majority of phishing attacks begin via email or messaging platforms. These messages have some common characteristics, and recognizing them forms your first line of defense. Carefully checking the sender's email address is the first and most important step. Attackers usually use addresses that are very similar to the original, but with a small letter or domain difference (e.g., example@mycompany.com instead of example@mycompany-support.com).

Furthermore, you need to be vigilant for grammar and spelling errors in the message content. Obvious errors in an email expected from a professional institution are a significant red flag. Generic greetings like "Dear User" or "Dear Customer," where the sender's identity is not fully clear, are also commonly found in phishing messages. I know that even a production ERP uses much more personalized language for customer notifications, so such a generic greeting always makes me suspicious.

ℹ️ Phishing Flow

A phishing attack usually proceeds in simple steps, but can become lethal with the victim's inattention.

Diagram

Urgency and threat elements in the message are also important indicators. They try to panic you and force you to act without thinking with phrases like "Your account will be locked," "You must act now," or "Your invoice due date is approaching." In a situation I observed on an internal banking platform, users often tended to click on a link immediately when faced with an urgent password reset request. However, banks never send direct links for such sensitive transactions; they always ask you to manually navigate to their website. In such urgent scenarios, always thinking twice and verifying the message makes a big difference.

2. What Should You Do Before Clicking Links and Attachments?

The most dangerous elements in a suspicious email are usually links and attachments. Clicking on them directly can redirect you to a malicious website or download harmful software to your system. Therefore, you should always make it a habit to perform an extra check before clicking any link or opening an attached file.

To see the real destination of a link, hover your mouse cursor over the link but do not click. Most email clients and web browsers show the real URL of the link at the bottom of the screen or in a tooltip. Will the URL you see take you to the site you expect? If the link looks like "yourbank.com" but when you hover over it, an address like "malicioussite.net" appears, this is a clear phishing attempt. Be especially careful with links that use URL shorteners (bit.ly, tinyurl, etc.). It's often harder to see where a shortened link goes, so I approach messages containing such links with suspicion.

⚠️ Shortened URL Danger

URL shorteners are frequently used to hide the true destination of malicious links. Avoid clicking shortened URLs from suspicious sources.

A similar level of caution is required for attached files. Never open emails from an unknown sender or those containing an unexpected attachment. Check the file extension of the attached file. Executable or macro-containing file extensions like .exe, .zip, .js, .vbs, .scr, .docm are particularly dangerous. In a manufacturing company's ERP, we constantly provided training to users to be careful when opening invoices received via email. While real invoices usually come in PDF format, phishing attackers often try to infiltrate systems using macros hidden in Excel or Word files. If you need to open an attachment and have doubts, you can reduce the risks by previewing the file in a virtual machine or a secure environment like Google Drive.

3. Why is Two-Factor Authentication (2FA) Crucial?

No matter how advanced phishing attacks become, even if attackers somehow obtain your username and password, Two-Factor Authentication (2FA) protects you with an additional layer of security. 2FA is based on the principle that when logging into a system, your password alone is not enough; an additional verification step (e.g., a code sent to your phone or a fingerprint) is required. That's why I make sure to use 2FA for all my critical accounts.

The main purpose of 2FA is to ensure that even if one factor (password) is compromised, the attacker cannot access your account because the other factor (a device you possess or biometric information) is not in their hands. The most common 2FA methods are:

  • SMS-Sent Codes: These are one-time codes sent to your phone. While practical, they can be bypassed with methods like SIM swap attacks.
  • Authenticator Apps (TOTP): These are codes generated at specific intervals (usually 30 seconds) by apps like Google Authenticator, Authy. They are more secure than SMS because they don't require an internet connection and are not affected by SIM swapping. I use this method in the admin panel of my own side product because its reliability is very important to me.
  • Physical Security Keys (U2F/FIDO2): These are hardware-based keys like YubiKey. They are one of the most secure 2FA methods because they require physical possession of the device and are highly resistant to phishing attacks.

💡 Use 2FA Everywhere

Enable 2FA on your banking, email, social media, and all other important accounts. This simple step will significantly strengthen your defense against phishing risks.

Many platforms keep 2FA off by default, so you may need to go into your settings and enable it manually. When you enable 2FA on an account, make sure to store your recovery codes in a safe place. These codes will allow you to regain access to your account if you lose your phone or lose access to your authenticator app. In my experience, 2FA has prevented suspicious login attempts countless times, which gives me extra peace of mind.

4. The Art of Creating and Managing Strong, Unique Passwords

Phishing typically aims to steal your password. Therefore, using strong and unique passwords is one of the most fundamental defenses against these attacks. Many people tend to use "memorable" passwords, but such passwords are often easy to guess or can be quickly cracked with dictionary attacks. My recommendation is to use unique and complex passwords for each platform.

So, how do you remember unique and complex passwords for hundreds of different accounts? The answer is to use a password manager. Applications like LastPass, Bitwarden, and KeePass allow you to store all your passwords in an encrypted vault and access them with a single master password. This way, you can generate and use random passwords that are 20-30 characters long, containing uppercase and lowercase letters, numbers, and special characters for each account. Considering that even in a production ERP, we implement separate password policies for each module and user, it is essential for individual users to adopt this discipline as well.

ℹ️ Password Managers

Password managers are tools that help you create, store, and auto-fill strong and unique passwords. They are one of the cornerstones of cybersecurity.

One of the biggest advantages of using a password manager is that when you log into a site, the password manager only suggests the password that matches the correct domain name. This prevents you from accidentally entering your password into phishing sites because you won't have a saved password for the fake site. Also, never reuse your passwords across multiple accounts. If one site is breached and your password is leaked, all other accounts where you used the same password will also be at risk. This is a common attack vector known as "credential stuffing," and it was one of the points I paid most attention to when protecting user data for one of my mobile applications. Using different passwords for different platforms prevents a breach from creating a domino effect.

5. What is the Role of Keeping Your Software and Systems Updated?

While phishing attacks often trick users through social engineering, they sometimes exploit system vulnerabilities through malicious software. Therefore, keeping all your software, operating systems, and web browsers updated significantly strengthens your defense against such attacks. Software updates typically include patches that close security vulnerabilities.

Cyber attackers constantly scan for known vulnerabilities (CVEs) in software and try to exploit them to infiltrate systems. For example, a security flaw in an old browser version or an email client could lead to malicious software infecting your system even by opening a malicious email. On our Linux servers, we regularly implement CVE tracking and hardening steps like kernel module blacklisting. Similarly, individual users need to adopt this discipline for their personal computers and mobile devices.

Enable automatic update features for your operating system (Windows, macOS, Linux, Android, iOS). Always keep your web browser (Chrome, Firefox, Edge, Safari) updated to the latest version. Keeping your antivirus software up to date and performing regular scans is also important. Using an outdated version of software is like inviting open doors. In a client project, I saw a web application using an old PHP version being attacked repeatedly. After the update, such attempts significantly decreased.

🔥 Neglecting Updates

Delaying software updates leaves your system vulnerable to known security flaws. This can make it easier for phishing attackers to infiltrate your system with malicious software.

These updates not only close security vulnerabilities but also offer performance improvements and new features. Therefore, you should not view updates as a burden, but as a vital investment for your digital security. I even set up automatic update mechanisms on my own VPS, because manually tracking everything is time-consuming and prone to errors.

6. What If You Still Fall for a Trap?

Even the most careful individuals can sometimes fall for phishing traps. The important thing is to know what to do in such a situation and act quickly. The moment you realize you've entered your password on a phishing site or opened a malicious attachment, don't panic, but act immediately.

First, immediately change the passwords for all accounts where you entered your password or suspect might be affected. If you used the same password elsewhere, changing those passwords is also critically important. This is why using unique passwords is a huge advantage at this point. If 2FA is enabled, it will buy you a little more time, but a password change is still essential. Then, check the security of your financial information, such as bank accounts and credit cards. Contact your bank for any suspicious transactions.

If you downloaded a malicious attachment or noticed an abnormality on your computer after clicking a link (e.g., slowdown, strange pop-ups, file loss), immediately disconnect from the internet. Then, perform a comprehensive scan of your system with reliable antivirus software. If the situation is serious and you're unsure, don't hesitate to seek professional help. Once, in the test environment of my own side product, I noticed that an attachment I accidentally opened was slowing down the system. I immediately isolated it and performed the necessary scans to resolve the issue at its root.

Finally, report the phishing attempt to the relevant authorities. This helps prevent others from falling into the same trap and contributes to tracking down the attackers. You can report the situation to the security unit of your email provider or the platform you are using (e.g., your bank). Remember, cybersecurity is not just a technical issue, but also a process that requires continuous vigilance and proactivity.

Conclusion

Phishing attacks are one of the most common and insidious threats we can encounter in our digital world. However, with the right knowledge and habits, we can largely avoid falling for these traps. Steps such as recognizing suspicious emails, being careful with links and attachments, using Two-Factor Authentication, creating strong and unique passwords, and keeping your software updated form the foundation of your digital security.

My years of experience have shown that no matter how strong the technical infrastructure, the human factor can be the weakest link in cybersecurity. Therefore, it is everyone's responsibility to continuously learn and remain vigilant against threats in the digital environment. Implementing these steps will help protect your personal data and ensure a safer internet experience.

Top comments (0)