Even the most sophisticated users have been taken in at least once by a phishing e-mail. Modern web technologies like HTML and CSS used in conjunction with e-mail are able to fool even the most vigilant among us, especially when we aren’t paying close attention. Extra care is necessary to avoid becoming a victim.
Practice click abstinence
If you want to be absolutely sure that link isn’t a scam, don’t click on it. Always type a URI directly into the browser of your choice. No cheating, you can’t cut and paste, you’ve got to type the URI yourself.
This helps in two ways: first, it makes you pay attention to the URI and any oddities that may be included (extra host names, odd-sounding domains, etc…) and second, if the proffered link is portrayed as being an official one, it will actually take you to the site you intended to visit rather than whatever lurks beneath hidden in the HTML. You’ll very quickly know whether or not you’ve been had when the site isn’t able to serve up that URI.
Use threaded conversations
A lot of phishing scams rely on the fact that we send a lot of e-mail. So much so we can’t remember every conversation we may have started or been involved in. The use of “RE” in the subject line is intended to exploit this reality and convince you this is a “safe” conversation.
E-mail clients use a lot more information than just the subject line and by using threaded conversations you’re more likely to identify messages that are really phishing scams posing as just another e-mail in a legitimate conversation. This is particularly useful for corporate users, but Gmail and other free systems have the means to present conversations in threads, as well.
Implement outbound secure gateways
If you’re a security professional in an organization looking to prevent phishing on corporate time, consider the use of outbound secure gateways for at least web usage. Most have URL and host filtering, maintain large and up-to-date databases of known “bad” sites and can assist users by preventing them from ever reaching a potentially dangerous site after ignoring the admonition not to click on unknown links.
Communicate openly with employees about such implementations; make sure they understand it’s not to prevent them from visiting Facebook (unless it is, of course) and that any “blocks” are for the good of not just the company but themselves, as well.
Once implemented, make certain to keep them up to date. A new phishing scam is born at least every day, so ensuring constant vigilance through scheduled updates or real-time integration is a must.