Tips to avoid phishing and keep your accounts secure
One of the benefits of using Apple devices is tight security, but no matter how secure a device is, there’s nothing that can protect against bad habits. No amount of anti-virus software or other security measures can protect you if you willfully click a link in a phishing email and give a thief your bank account information.
Here are a few tips to help you avoid phishing schemes and keep your accounts secure.
First, a definition for the uninitiated. According to phishing.org:
Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
The information is then used to access important accounts and can result in identity theft and financial loss.
One of the most common phrases I hear is “my account was hacked.” Let’s be clear: hacking was a ’90s thriller movie cliché. If someone gains access to one of your accounts, they either guessed a very easy password or you gave it to them. No one’s “hacking” anything anymore.
Now, here are those tips I promised.
Trust no one!
That may sound extreme, but it's mostly true. If you ever receive an email asking for account details, login information, or just asking you to click a link, you can safely ignore and/or delete it. Unless you specifically went to a website and requested to reset a password or to receive some other account information by email, you can assume that any emails asking for these details are phishing. No company will ever send you a cold email asking for account information or telling you that you need to click a link to keep your account in good standing.
Just last week, a popular email platform called MailChimp was compromised, so people started receiving phishing emails that were sent from real companies’ legitimate accounts and were trying to steal their information. This is why you can't be too careful. ANY cold email from ANY company asking for your information can safely be considered phishing.
The same goes for text messages. Unless you initiated a password reset or otherwise requested information, ignore any text regarding your accounts.
Click nothing!
No matter how serious an email or text message looks, don't click any links. If you really think an email is legitimate and you want to investigate further, don't click anything in the email. Instead, go to your browser and type in the website address directly. Log into your account and investigate from there. It's very easy for bad actors to spoof a website, so clicking a link in an email could take you to a fake site that looks legitimate. Then you enter your login credentials and boom...you've handed your password directly to a criminal. Your safest bet is to avoid clicking links and go to the website yourself.
Look for obvious clues!
Lots of phishing emails are composed by…let’s just say it…idiots. They’ll often make very obvious grammar and spelling mistakes. You can be pretty certain that the good people at Chase or Capital One know how to write an email without sounding like they never passed the 3rd grade. It’s also easy to tell when an email was written in a different language and run through a translation app. If it’s awkward, delete it.
You should also look at the sender’s email address. If it’s something plain like a Gmail or Yahoo account, or it came from a domain that doesn’t exactly match the company they’re representing, delete it.
Here are some more tips for spotting fraudulent emails.
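The sender-address check above can be automated. This is an added example, not code from the original post: it pulls the domain out of a From: header, flags free webmail domains, and flags any sender whose display name or domain claims a brand but is not actually the brand's domain (so `chase.com.example.net` does not pass as `chase.com`). The brand-to-domain table is an assumption constructed for the demo, not a vetted allowlist.

```python
from email.utils import parseaddr

# Constructed demo table: which domains each brand is assumed to send from.
# Replace with a vetted list in real use.
BRAND_DOMAINS = {
    "chase": {"chase.com"},
    "capital one": {"capitalone.com"},
}

# Free webmail providers a bank would never send account notices from.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def sender_domain(from_header: str) -> str:
    """Return the bare domain from a header like 'Chase <alerts@chase.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def domain_belongs_to(domain: str, allowed: set) -> bool:
    """True only for the domain itself or a real subdomain of it.
    A suffix check alone would wrongly accept 'chase.com.example.net'."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def classify_sender(from_header: str) -> str:
    """Classify a From: header as 'freemail', 'lookalike', 'unknown' or 'ok'."""
    display, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in FREEMAIL:
        return "freemail"
    # Brands the display name claims to be ("Chase Security <...>").
    claimed = [b for b in BRAND_DOMAINS if b in display.lower()]
    for brand in claimed:
        if not domain_belongs_to(domain, BRAND_DOMAINS[brand]):
            return "lookalike"
    # Brand name embedded in an unrelated domain, e.g. secure-chase-login.net.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand.replace(" ", "") in domain and not domain_belongs_to(domain, allowed):
            return "lookalike"
    return "ok" if claimed else "unknown"
```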
Use multi-factor authentication!
Even diligently avoiding phishing isn’t always enough to prevent a password from being compromised. That’s why most accounts offer the option of using 2-factor or multi-factor authentication, and you should always...ALWAYS...use it.
2-factor authentication usually involves sending a 6-digit authentication code to either an email address or a phone number. This is fine and it's better than nothing, but it's generally considered less safe because it's not too hard for bad actors to intercept texts or emails. That's why we now have multi-factor authentication, or MFA.
Multi-factor authentication has two pillars: something you know (your password) and something you have (your authentication key, usually in an authentication app on your mobile device). There are a few authentication app options including Google Authenticator, Microsoft Authenticator, and even a new feature built directly into the Safari browser...but they all do the same thing.
These authentication apps associate each of your accounts with a 6-digit code that automatically changes every 30 seconds. So when you attempt to log into that particular account, you then open the authentication app on your device to pull up the current 6-digit code and confirm the login. This is considered extremely secure because no one can get that code without having direct access to your device.
This adds a layer of complexity and inconvenience to your workflow, but it's worth it for the peace of mind it provides.
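Here is what the app is actually doing to produce that rotating 6-digit code. This is an added example, not code from the original post or from any of the apps named above: it implements the standard HOTP/TOTP algorithm (RFC 4226 / RFC 6238) that Google Authenticator, Microsoft Authenticator and the Safari feature all follow, plus the check a server performs, which tolerates one 30-second step of clock drift and compares codes in constant time. The secret is the RFCs' published test key, base32-encoded the way apps receive it from a QR code; it is for demonstration only.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890"
# in base32, the form authenticator apps read from an enrollment QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the epoch.
    Every timestamp inside the same step yields the same code."""
    if at is None:
        at = int(time.time())
    return hotp(secret_b32, at // step)


def verify_totp(secret_b32: str, code: str, at: int,
                step: int = 30, drift: int = 1) -> bool:
    """Server-side check: accept the current step and +/- drift neighbours so a
    slightly skewed phone clock still works; constant-time compare avoids
    leaking how many digits matched through response timing."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret_b32, c), code)
               for c in range(counter - drift, counter + drift + 1))


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SECRET_B32, now),
          "- rolls over in", step_left := 30 - now % 30, "seconds")
```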
If you use Safari as your main browser, 9to5Mac has a great overview of how to use the built-in MFA codes and password manager here.
Speaking of password managers…
Use a password manager!
Not only are password managers great for not forgetting passwords, but they let you create very strong, complex passwords that can't easily be guessed. In fact, they offer automatic suggestions for incredibly complex passwords that would take a huge amount of effort to crack.
My favorite option is 1Password, but there are others that are similar. The idea is that you keep everything...all of your login usernames and passwords, credit card numbers, passport number, driver's license...everything!...in this application. It's fully encrypted and it's locked by a master password that you choose. That way, you only have to remember one password to access all of that information.
This may sound like a less secure option because there’s only one password between a thief and all of your data. But if you're not already using one of these apps, you’re probably using a much less secure method of remembering this information, like your phone’s Notes app or even a piece of paper. This is also why you'll want your one password to be relatively complex, with capital letters, numbers, and special characters.
Even if you use a dedicated password manager, I recommend also saving your logins in your browser. Most browsers will do this by default (when you log into a site for the first time, you’ll get a prompt asking if you’d like to save that login information for next time). The only downside to using both of these methods is that, if you need to reset a password, you’ll need to make sure to update it in both your password manager and your browser to avoid confusion later. It’s an extra step but I’m always a fan of redundancy when it comes to securing accounts.
These are just a few things you can do to keep your accounts and information secure. If you have any questions, let me know in the comments or book a support session!