PhishWarn

How to prevent being phished?

Obviously, it’s impossible to prevent phishing attempts altogether. However, here are some online security measures that can help you avoid falling for a scam.

Use ad blockers

Ad blockers are applications that prevent online advertisements from being loaded into websites or apps. Many of them also support filter lists of known malicious websites, which stops you from visiting such sites by accident. Really good ad blockers are uBlock Origin (browser add-on) and Blokada (Android/iOS app).

Ask the sender separately whether he actually sent the message

This “trick” is as simple as it is effective: just ask the alleged sender, via a different means of communication, whether they actually sent the message. Received a weird SMS from a friend? Send them an e-mail. Got a suspicious e-mail from your bank? Look up the phone number on the bank’s actual website and call them; never use a phone number or link given in the suspicious message itself. Threatened with arrest by the police? Go to the nearest police station and ask what is going on. (Conveniently, you can also report the impersonation of a public official there.)

Keep your e-mail address and phone number private

Fraudsters can only send you phishing messages if they know your contact details. Keep them private and use secondary e-mail addresses or phone numbers for online registrations and the like.

Mostly, scammers obtain your e-mail address or telephone number from newsletter lists, online shop accounts or online sweepstakes, for example when one of those services is breached. That’s why you should give this information only to people you personally know.

Use dedicated secondary e-mail addresses for online registrations, so you know in advance that the respective inbox may receive spam and scam messages. Try Firefox Relay to keep your real e-mail address private.

Also consider buying a cheap secondary SIM card with a separate number, for example to register with messengers such as Signal that require a mobile number.

Keep your software up-to-date

Hackers and scammers often exploit outdated software: for example, they abuse known vulnerabilities to get into other people’s computers, or they take advantage of blocklists of malicious websites that are no longer being updated. That’s why you should turn on automatic updates wherever possible, so that you receive security fixes, bug fixes and the latest filter lists.

Disable Punycode

Many fraudsters register legitimate-looking domains of their own in which they replace, for example, the Latin a with the confusingly similar Cyrillic а. Make your browser display such domains in their raw Punycode form (cf. this Hacker News article), or use the browser add-on PunyCode Domain Detection to be notified when you visit a domain containing non-Latin characters.

Western users in particular know the internet almost exclusively with Latin characters and have at most encountered Cyrillic or Arabic script at school. To allow domain names in, for example, Ukrainian or Chinese as well, internationalized domain names are stored in DNS in an ASCII-only encoding called Punycode (labels beginning with xn--), which modern browsers decode back into the original characters for display. The same mechanism lets scammers disguise malicious domains with characters that look like Latin letters.

To avoid falling for such phishing attempts, either configure your browser to always show the raw Punycode form or use the add-on PunyCode Domain Detection, which notifies you of URLs containing Punycode.

In desktop Firefox, type about:config into the address bar, search for the setting “network.IDN_show_punycode” and set it to “true”. (Firefox for Android exposes about:config only in its Beta and Nightly builds.)
Screenshot of a website whose address looks like apple.com
This Punycode demo page appears to have the address apple.com, but in reality the name consists entirely of Cyrillic letters: аррӏе.
Screenshot of the same page, this time clearly recognizable as not apple.com
With the setting above enabled, the address is shown as xn--80ak6aa92e.com, definitely not apple.com.
“possible phishing attempt: the address bar shows apple.com but the real domain name is xn--80ak6aa92e.com”
The anti-Punycode add-on warns about a possible phishing attempt.
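The following script is an added example and not part of the PhishWarn page or the add-on it recommends. It shows the two halves of the problem above: the Punycode conversion a browser performs (the Cyrillic аррӏе.com really does become xn--80ak6aa92e.com, and back), and a simple check of the kind the add-on performs, flagging labels that mix scripts or that consist of Cyrillic letters imitating Latin ones. It uses only Python’s standard library; the look-alike table is a small hand-picked subset (an assumption for this example; Unicode’s full confusables list is far longer), and the case folding, normalization and prohibited-character rules of real IDNA processing are deliberately omitted.

```python
"""Punycode round-trip and a homograph check for domain names.

Added example, not code from PhishWarn. The stdlib 'punycode' codec
implements RFC 3492; the IDNA mapping and validation steps a browser
performs (case folding, NFKC, prohibited characters) are left out so
the focus stays on the encoding and on the look-alike problem.
"""
import codecs
import unicodedata

ACE_PREFIX = "xn--"  # marks a Punycode-encoded label in DNS

# Hand-picked subset of Cyrillic letters that look like Latin letters.
# Written as escapes so the code points are unambiguous. This table is
# an assumption for this example, not a complete confusables list.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",
    "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u04bb": "h",
    "\u0501": "d", "\u051b": "q", "\u051d": "w",
}


def to_ascii(hostname: str) -> str:
    """Encode each non-ASCII label as xn--<punycode>, as a browser does
    before the DNS lookup; ASCII labels pass through unchanged."""
    out = []
    for label in hostname.split("."):
        if label.isascii():
            out.append(label)
        else:
            encoded = codecs.encode(label, "punycode").decode("ascii")
            out.append(ACE_PREFIX + encoded)
    return ".".join(out)


def to_unicode(hostname: str) -> str:
    """Inverse of to_ascii: decode xn-- labels back to Unicode. This is
    what the address bar shows when network.IDN_show_punycode is false."""
    out = []
    for label in hostname.split("."):
        if label.lower().startswith(ACE_PREFIX):
            raw = label[len(ACE_PREFIX):].encode("ascii")
            out.append(codecs.decode(raw, "punycode"))
        else:
            out.append(label)
    return ".".join(out)


def scripts_in(label: str) -> set:
    """Scripts used by the letters of a label, taken from the first word
    of each letter's Unicode name (e.g. 'LATIN', 'CYRILLIC')."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Replace known Cyrillic look-alikes by the Latin letter they imitate."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def homograph_warnings(hostname: str) -> list:
    """Return one warning per suspicious label; empty list if none.
    Accepts either the Unicode or the xn-- form of the name."""
    warnings = []
    for label in to_unicode(hostname).split("."):
        if label.isascii():
            continue
        scripts = scripts_in(label)
        if len(scripts) > 1:  # e.g. Latin 'p' next to Cyrillic 'а'
            warnings.append(f"{label!r} mixes scripts {sorted(scripts)}")
        skel = skeleton(label)
        if skel != label and skel.isascii():  # whole-script confusable
            warnings.append(f"{label!r} is a look-alike of ASCII label {skel!r}")
    return warnings


if __name__ == "__main__":
    # Constructed sample names: the demo domain from above, its xn-- form,
    # a genuine ASCII name and a mixed-script variant of a brand name.
    samples = [
        "apple.com",
        "\u0430\u0440\u0440\u04cf\u0435.com",   # аррӏе.com, all Cyrillic
        "xn--80ak6aa92e.com",
        "p\u0430ypal.com",                      # Latin p + Cyrillic а
    ]
    for host in samples:
        print(f"{host:24} -> {to_ascii(host):24} {homograph_warnings(host)}")
```

The whole-script check is the important one: аррӏе.com contains no Latin letter at all, so a "mixed scripts" rule alone would let it through, which is exactly why browsers that only apply mixed-script heuristics still displayed it as apple.com.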

Don’t reveal too much about yourself on social media

Scammers use open-source intelligence (OSINT) techniques to learn more about potential victims, for example by checking their social media profiles. That’s why you should always think about what you post online and whether fraudsters could misuse it. Check whether you can limit the visibility of your posts to friends and family, or lock your entire account so that only people you know can see it. Read more about the topic at NCSC.

Use multi-factor authentication

Surely you have already heard the term “2FA”. It stands for “two-factor authentication” and means that you need more than just a password to log in to an online account, e.g. a one-time password (“OTP”) code, your fingerprint or a hardware security key (a small USB device). Activate 2FA wherever possible so that nobody can access your accounts just by guessing or phishing your password. Note that a code you type in can still be phished along with your password by a fake site that forwards it in real time; a security key, which is tied to the real site’s domain, resists this. EFF explains how to set it up.

Use a password manager

Don’t use the same password for every website, don’t use easy-to-guess passwords, and don’t write them down. But how do you remember dozens of complicated strings? You don’t. Instead, use a password manager, a digital vault for all your different passwords. A password manager’s browser integration also only offers your credentials on the site they were saved for, so it stays silent on a look-alike domain. PhishWarn recommends KeePassXC.

Keep yourself informed through relevant media

To stay up to date on the new tricks scammers come up with and on how you can protect yourself, you should regularly read about the topic in relevant media.

For example, PhishWarn recommends the technology magazines

- Wired,
- ZDNet,
- Vice and
- Ars Technica,

but smaller blogs such as Graham Cluley’s blog and his Smashing Security podcast can also be very enlightening. Government agencies have their own information services too, e.g.:

- the UK’s National Cyber Security Centre or
- the online security section of the good old FBI.

How to recognize phishing?

Recognizing phishing can be quite difficult. Here are some indicators that may tell you that a message is suspicious.

Other Resources

Federal Trade Commission (English): How To Recognize and Avoid Phishing Scams

Scammers use email or text messages to trick you into giving them your personal information. But there are several things you can do to protect yourself.

consumer.ftc.gov

National Cyber Security Centre (English): Dealing with suspicious emails, phone calls and text messages

How to spot the most obvious signs of a scam, and what to do if you've already responded.

ncsc.gov.uk

Verbraucherzentrale (German): Beispiele für Phishing-Versuche (Examples of phishing attempts)

The consumer advice centre shows a list of recent phishing attempts that you should definitely have a look at.

verbraucherzentrale.de