How to avoid phishing.

Someone just tried to phish me and it made me want to put together a little guide to help you catch this stuff before it ruins your day.

What is phishing?

Phishing is when someone sends you an email that looks legitimate and tricks you into clicking a link that takes you to a malicious site. That site may be designed to look exactly like a Google sign-in page.

The fake Google Sign-in page that stole John Podesta's email. It looks identical to the actual Google Sign-in page.

The page above sure looks real, but it's actually a fake designed to steal your password.

How can I avoid being phished?

I think the best way to avoid phishing is to be very cautious of the links you click in your emails.

Here's the email I got this morning. Can you spot what's wrong with it?

A GoogleAlerts security email saying there's been suspicious activity and I need to click a link to verify my account.

The night before I had a really frustrating experience trying to sign up for a service using my email, so I wasn't entirely surprised when I saw this message. That's to the attacker's advantage. I had inadvertently conditioned myself to think this email was legitimate because it seemed to be in response to previous actions I took.

But before I click any email links, especially ones related to account security, I always want to check the sender's email address to verify they are who they say they are. This is the first line of defense.

Always check the email address of the sender.

Sometimes this can be tough because on mobile devices, the interface will hide away as much information as possible to give you maximum room to read your message. Usually you can click on or near the sender's name to reveal their full address.

A phishing email showing that the sender's email address is from gmail and not google.com

Looking at the sender, I can see that it's from a personal gmail address. In this case, it was literally somebody's name, so I've blurred it out. It's entirely possible that this person's inbox is compromised and they don't know it. They may have been a victim of this same phishing attack and now their gmail is being used to phish others.

The important thing to note is that when Google sends you a message, it always comes from a google.com address. You're never going to get a security email from a personal @gmail.com address.

Note: After publishing this, a member of the Mozilla team pointed out on Twitter that it is possible to send someone an email using a fake sender address. I'm digging into this a bit more to see if Gmail flags these kinds of emails.

A word on subdomains.

Here's a real example from Google security, note the address:

A real security email from Google with a google.com email address.

You may notice that the address isn't just @google.com, but instead it's @accounts.google.com. That's because the part after the @ can be split into multiple pieces: the domain and any subdomains.

A diagram of the address maps.google.com. The word maps is underlined and annotated as a subdomain. The words google.com are underlined and annotated as a domain.

Usually there's only one domain associated with a business, e.g. google.com, amazon.com, facebook.com, etc.

But a company can (and often will) have multiple subdomains to handle different services. For example, maps.google.com. The "maps" bit is the subdomain, and it's attached to the domain "google.com". It's also possible to string together multiple subdomains, so you could end up with something like: foo.bar.baz.google.com.

Subdomains belong to whoever controls the domain, meaning I could create my own subdomain on this site and call it "google-com.robdodson.me".

The main thing you want to do is make sure the domain looks correct.

Let's look back at that fake sign-in page from before.

The fake Google Sign-in page that stole John Podesta's email. It looks identical to the actual Google Sign-in page.

The address is: myaccount.google.com-securitysettingpage.tk.

"myaccount" and "google" are actually subdomains, and "com-securitysettingpage.tk" is the real domain.

So if you've had prior contact with a service like Amazon.com or AirBnB or whatever, go back and look at the domain used in the email address from that previous correspondence. Does it look like the address you're seeing in this new email in your inbox? If not, consider reaching out on one of their support channels first to verify that the email is legitimate.
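The domain check described above, written out as a small script. This is an added example, not code from the original post; it uses a tiny constructed stand-in for the public suffix list (a real checker would load the full list from publicsuffix.org), and the addresses it tests are the ones quoted above plus constructed samples.

```python
# Added example: pull the registered domain out of a sender address or a link
# so that look-alike hosts such as "google.com-securitysettingpage.tk" stand out.
from urllib.parse import urlsplit

# Constructed subset of public suffixes; the real list has thousands of entries
# and should be loaded from publicsuffix.org in a production checker.
PUBLIC_SUFFIXES = {"com", "org", "net", "tk", "me", "uk", "co.uk"}


def registered_domain(host: str) -> str:
    """Return the registrable domain: the longest public suffix plus one label.
    'maps.google.com' -> 'google.com'
    'myaccount.google.com-securitysettingpage.tk' -> 'com-securitysettingpage.tk'
    """
    labels = host.lower().strip(".").split(".")
    # Walk from the left so the first hit is the longest matching suffix.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:  # the host is nothing but a public suffix
                return ".".join(labels)
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def host_of(address_or_url: str) -> str:
    """Extract the host from 'Name <user@host>', 'user@host' or 'https://host/path'.
    Mobile mail clients often show only the display name, so the angle-bracket
    form is handled explicitly."""
    s = address_or_url.strip()
    if "<" in s and s.endswith(">"):
        s = s[s.rfind("<") + 1:-1]
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1]
    return urlsplit(s).hostname or ""


def check_sender(address_or_url: str, expected_domain: str) -> bool:
    """True only when the address or link really belongs to expected_domain."""
    return registered_domain(host_of(address_or_url)) == expected_domain.lower()


if __name__ == "__main__":
    # Constructed samples: one real-looking Google sender, one personal gmail
    # sender, and the phishing URL quoted in the post.
    for sample in ("no-reply@accounts.google.com",
                   "Google Alerts <someone@gmail.com>",
                   "https://myaccount.google.com-securitysettingpage.tk/signin"):
        print(f"{sample!r:65} google.com? {check_sender(sample, 'google.com')}")
```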

Other ways to protect yourself

After publishing this post, a user on Twitter pointed me to a new Chrome extension launched by my fellow Googlers called Password Alert. Password Alert works by storing a hashed version of your password. If it notices you've typed your password into a website which is not a recognized Google Sign-in page, it will send you an alert. If you've enabled 2-Step Verification for your Google account (which I recommend!), then hopefully it will give you enough time to change your password before any bad actors try to use it.

If you want to learn more about this topic, or if you've received a suspicious email and you'd like to report it, you can do so over on the Google support pages. Good luck and stay safe out there!