Best Practices

Phishing Attacks – Helpful Ways to Identify and Avoid Them

Phishing is one of the most common types of cyberattacks that can seriously impact both individuals and organizations. These kinds of attacks can take place almost anywhere online; text, websites, and social media, but are most commonly seen in the form of email.

The SlashNext State of Phishing Report for 2022, released in October, found that there was a 61% increase in the rate of phishing attacks in just the first 6 months of the year compared to last year’s data. Not only have the rates of phishing attacks increased, there was a 50% increase in attacks on mobile devices, with scams and credential theft at the top of the list of payloads.

With all of this in mind, it is perhaps more important than ever to stay vigilant against phishing attacks. Read on to learn more about this type of attack and helpful ways to identify and avoid them.

What is phishing and how does it work?

Phishing is a type of social engineering attack, or an attack that involves psychological manipulation, to steal your personal information or install malicious software on your devices. To accomplish this, cybercriminals will disguise themselves as a legitimate source, such as a well-known company or financial institution, to deliver realistic messages and trick you into giving up your personal information.

Cybercriminals behind these attacks will go to great lengths to make their scams appear legitimate, using the logos and branding of trustworthy sources to disguise themselves. Not only will they create emails under the source’s branding, but they will often create spoofed websites, which are fake websites designed to look legitimate, to accompany them.

The goal of these emails is often to get you to click on a link and enter your personal credentials into the fake website that it leads to. Once that happens, your information will be sent to the attacker behind the scam.

How can I identify a phishing email?

Although it can sometimes be difficult, there are several ways that you can identify a phishing email.

According to fightcybercrime.org, the best ways to identify a phishing email include:

  • Check the sender’s email address. If it is not from a legitimate company, do not open it.
  • Check the URL by hovering over the link.
  • If you are on a desktop computer or laptop, hover over the link with your mouse. You will find the full address of the link either near the link itself or somewhere on the edges of your browser window, depending on what web browser you are using.
  • If you are using your smartphone or tablet, hold your finger down on the link until a window pops up showing the full address of the link. Tap away from the window to close the preview.
  • Be aware of a sense of urgency or threats. For example, phrases such as “you must act now” or “your account will be closed” may be indicators of a phishing attempt.
  • Be cautious of messages that ask for personal information such as your social security number, bank account information, or credit card number.
  • Check for grammatical errors or misspellings.
  • If you are unsure about the message, don’t hesitate to contact the company directly to inquire about it. Don’t use the contact information provided in the email or text message. Look up the company’s contact information on their website or elsewhere.
What can I do if I click on the link or provide my personal information?

If you clicked on a phishing email link or provided your information, first take a deep breath and know that it can happen to anyone.

  • Go to the legitimate website, reset the password on your compromised account and enable two-factor authentication right away. If you are using that password for other accounts, change those too.
  • Forward the suspected phishing email to reportphishing@apwg.org, where the Anti-Phishing Working Group will collect, analyze and share information to prevent future fraud.
  • Mark it as spam.
  • Run a full system scan using antivirus software to check if your device was infected when you clicked the link. If you find viruses, follow these steps on your device. If you still can’t remove the virus, contact a reputable computer repair shop in your area.
Tips & Tricks to Identify a Phishing Email
  • Check the sender’s email address. If it is not from a legitimate company, do not open it.
  • Check the URL by hovering over the link.
    • If you are on a desktop computer or laptop, hover over the link with your mouse. You will find the full address of the link either near the link itself or somewhere on the edges of your browser window, depending on what web browser you are using.
    • If you are using your smartphone or tablet, hold your finger down on the link until a window pops up showing the full address of the link. Tap away from the window to close the preview.
  • Be aware of a sense of urgency or threats. For example, phrases such as “you must act now” or “your account will be closed” may be indicators of a phishing attempt.
  • Be cautious of messages that ask for personal information such as your social security number, bank account information, or credit card number.
  • Check for grammatical errors or misspellings.
  • If you are unsure about the message, don’t hesitate to contact the company directly to inquire about it. Don’t use the contact information provided in the email or text message. Look up the company’s contact information on their website or elsewhere.

As we continue into 2023, it’s guaranteed that cybercriminals will continue to launch more and more phishing campaigns with the hopes of stealing personal information from unsuspecting victims. Remember to always be cautious online and when in doubt, always do your research!

Information retrieved from fightcybercrime.org. For more details on phishing attacks, visit: https://fightcybercrime.org/scams/hacked-devices-accounts/phishing/

2023-01-09T11:34:22-05:00January 9, 2023|
Read More

Password Tips to Help Keep Your Information Secure

Passwords are an essential part of protecting your personal information from cybercriminals. We all know that passwords can be a source of endless frustration in the digital world, and you’ve probably asked yourself, “do I really need to set a different password for each of my accounts?” Well, the short answer is yes.

Imagine that you are the ruler of a village, and your enemies are making their way to attack. Would you employ a single guard to protect every building and person across the land? No! You would send out an army of guards, each with a specific post to protect to increase your chances of a successful defense.

Your passwords work in the same way. Each of your online accounts needs its own unique password to ensure that your personal information is protected from potential attacks. If you reuse the same password for every account, all your personal information is at risk in an instant if that password is exposed by a cybercriminal seeking to infiltrate your accounts. Using an individual unique password for each account helps ensure that even if one password is exposed, your other accounts will remain protected.

In honor of World Password Day today, consider the following suggestions to help ensure that your passwords are successfully protecting your personal and confidential data from prying eyes.

Tips for Good Password Hygiene

Passwords vs Passphrases

Passphrases are a form of a password that is composed of a sentence or a combination of words. Often, passphrases can be more secure than normal passwords because they are longer yet easier to remember, reducing the likelihood that you will reuse the same password across multiple accounts for convenience.  

In contrast to passwords, passphrases are often created by using random words or phrases that are significant to the user but would hold no meaning to any other person. An easy way to create a passphrase that is simple to remember, yet secure enough to protect your account, is to select three to four words that are relevant and significant to you.  

It’s recommended not to use common greetings that can be easily guessed by others, such as “LiveLaughLove,” and instead use a phrase or words that would mean nothing to someone other than yourself. For example, on my desk I currently have a flag, mug, coffee, and a book, so an appropriate passphrase for me could be “FlagMugCoffeeBook”.  

While it may seem counterintuitive to use a series of random words for a credential, phrases like these are more memorable and far more secure than a password, which typically seeks security through a mix of numbers, special characters, and upper and lowercase letters. 

According to an article from Impact Networking, “the benefit of passphrases is that they make it easier for a user to generate entropy and a lack of order—and thus more security—while still creating a memorable credential. Generating entropy through randomized characters can be difficult, but this also makes it more difficult to launch a cyberattack against you.” 

Password Managers

So, now that you have created strong and unique passphrases for each of your individual accounts, how are you supposed to remember them? 

This is perhaps one of the main reasons why so many people commonly reuse passwords across multiple accounts. The truth is, unless you’re a robot or have a supernatural photographic memory, it’s probably going to be impossible to remember all your passwords without keeping track of them somewhere, and that’s okay! 

Luckily for us non-robots, there are plenty of password managers out there that can help you keep track of your credentials for all your accounts in a safe and secure way. 

Malwarebytes Labs defines a password manager as “a software application designed to store and manage online credentials. It also generates passwords. Usually, these passwords are stored in an encrypted database and locked behind a master password.” 

This means that once you enter your account usernames and credentials into the secure vault, the only password you need to remember is that master password, and the password manager will do the rest for you! 

For a list of the top-rated free password managers available in 2022, visit: https://www.pcworld.com/article/394076/best-free-password-managers.html. 

Password Tips

  • Refrain from reusing passwords on multiple sites and applications.
  • Add multi-factor authentication whenever possible for an added layer of security.
  • Update your passwords regularly.
  • Don’t text or email your passwords to anyone.
  • Do not create passwords based on your personal information or details, such as birthdays, names of family members, Social Security or phone numbers, etc.
  • See if any of your passwords have been exposed by entering your email address at https://haveibeenpwned.com/
2022-10-27T09:57:58-04:00May 4, 2022|
Read More

5 Cybersecurity Resolutions To Make in 2022

The past two years have witnessed a massive spike in cybercrime as the world turned to technology for work, school, grocery shopping, connecting, and practically everything else during the global pandemic. This sudden shift left many individuals and businesses scrambling to find a sense of normalcy in our new digitally dependent world; in response, cybercriminals quickly took advantage with mass phishing campaigns, new ransomware variants, and other sophisticated attacks designed to target unsuspecting and vulnerable victims.

As we enter a new year, it is important for each of us to understand our responsibility in preventing cyberattacks. Cybersecurity can undoubtedly be challenging, but it doesn’t have to be! If you are looking to start 2022 off with a clean digital slate, consider the following cybersecurity “resolutions” that you can implement now to begin the journey of being more cyber-secure.

5 Cybersecurity Resolutions for the New Year

1. Clean up your password lists


Passwords are the thing that protect your personal information from outside attacks. Imagine that you are the ruler of a village, and your enemies are making their way to attack. Would you employ a single guard to protect every building and person across the land? No! You would send out an army of guards, each with a specific post to protect to increase your chances of a successful defense.

Your passwords work in the same way. Each of your online accounts needs its own unique password to ensure that your personal information is protected from potential attacks. If you reuse the same password for every account, all your personal information is at risk in an instant if that password is exposed by a cybercriminal seeking to infiltrate your accounts. Using an individual unique password for each account helps ensure that even if one password is exposed, your other accounts will remain protected.

2. Don’t believe everything you see


The spread of misinformation and disinformation has increased drastically in the past two years as attackers take advantage of the COVID-19 pandemic, political news, and other widely-debated topics to create tension and chaos among the public. Misinformation and disinformation are often referred to as “fake news”, and although both words refer to types of wrong or false information, only disinformation is wrong on purpose and is deliberately intended to deceive. Unfortunately, as the world remains in the midst of the pandemic and the U.S. faces another election around the corner, it’s likely that 2022 will see yet another influx of misinformation and disinformation being spread across social media and beyond. 

As we navigate through the upcoming year, think twice before you share. Just because it’s online does not mean that it’s true; often, people will knowingly create sensational content just to get you to click. One of the best ways to avoid becoming a misinformation and disinformation superspreader is to consider the 5 Ws when faced with new information.  

Ask yourself: 

  • Who is posting this information? Are they a reliable source? If not, can you find other credible sources to back up the information? 
  • What does the information look like? Are there facts or additional sources or is it simply someone’s opinion?  
  • Why are they sharing this information? Is the purpose to make you think or feel a certain way? 
  • When was this information released? 
  • Where did the source of information come from? Is it a credible source who is close to the issue in other ways?

3. Remain vigilant against phishing attacks


Phishing is one of the most common cyberattacks that can seriously impact both individuals and organizations. The COVID-19 pandemic and other global topics have given cybercriminals more fuel to target victims in their schemes, taking advantage of these hot topics to craft relevant messages and trick people into clicking on malicious links. Phishing attacks are most often delivered via email, text, or carefully crafted websites, but these messages can also be delivered on social media through the persona of a fake profile.

One thing many phishing attacks have in common is a sense of urgency, pressuring you into taking immediate action to avoid consequences. Other warning signs of phishing attacks may include poor grammar, mismatched URLs, generic greetings, urgent language, or requests for personal or financial information. When in doubt, always navigate directly to the website in question to confirm that the claim is legitimate before clicking on any links or sharing any personal information.

4. Don’t overshare on social media


While social media may seem relatively harmless aside from the common troll, oversharing can put you at a greater risk of becoming victim to an attack. Seemingly harmless details in your profile, posts, and photos can give cybercriminals the information they need to commit identity fraud, theft, and other targeted attacks.

We’ve all seen posts on social media with captions like, “So happy to get out of town for the week! #livinglife” accompanied by pictures of fruity cocktails, family selfies, and away-from-home adventures. While we may see these posts and feel a little jealous, cybercriminals and thieves see them as a sign that your home is unoccupied and vulnerable for a week, potentially giving them the opportunity to target and theft your home.

Criminals are known to monitor social media to track victims and gather information about their daily routines. One of the dangers of oversharing on social media is that strangers not only know when you’re away on vacation; they can also get to know your daily schedule and when you’re going to be away. Whether you’re on vacation sharing live stories of your adventures or simply posting updates from your daily routine, oversharing this personal information can put you at serious risk of being targeted both on and off-screen.

Aside from monitoring the information that you post, be sure to check your social media profile settings to ensure that your personal information, posts, and photos are only viewable by people you know. Additionally, refrain from accepting friend requests from people you don’t know in real life; it’s possible that a cybercriminal is behind the screen with a fake profile.

5. Regularly update your software


How many times have you clicked “remind me later” when prompted to update your device software? We’ve all been there – procrastinating the 20-minute delay in our days until we are fed up with the constant reminders and finally give in.

While sometimes a nuisance, regularly updating your software is one of the best ways to protect your devices from a cyberattack. Not only do software updates fix bugs and improve overall function, but they also fix security weaknesses that make your device vulnerable, adding an added layer of security against prying eyes even when you aren’t near your device.

2022-10-27T10:06:30-04:00January 13, 2022|
Read More

Staying Secure on Mobile Devices

Cell phones have come a long way in the past two decades. From the first PDA to flip-phones, technological progress seemed to be slow and steady until the market was disrupted in 2007. Once smart phones were on the scene, everything about mobile devices rapidly changed. Nowadays, mobile devices are at an all-time high for popularity and functionality. Unfortunately, this meteoric rise in capabilities and access has led to a corresponding increase in cybersecurity risks and threats. With a tool as broadly used as cell phones, almost the entire population is at risk.

Cybercriminals have been targeting mobile devices at an unprecedented rate. Threat actors have exploited the fact that the extensive capabilities associated with mobile devices equate to personal computers. Threats that were once relegated to enterprise workstations now plague the mobile ecosystem, causing great financial loss each year. With cybersecurity, knowledge is power. We hope that this blog can expose readers to the threats and preventative measures in mobile device usage.

In order to better understand ways to protect oneself from these risks, we need to take a look at some of the threats that face the everyday mobile device user.

Malware for Mobile Devices

Most mobile devices contain application stores with a “closed ecosystem.” This method of obtaining new software allows certification teams to verify the integrity of applications before allowing users to download. In theory, this process would prevent all but the most subtle malware from infecting non-jailbroken devices. The reality is that this process is overwhelmed by the sheer quantity of applications, updates, and re-releases on the respective application stores. This ecosystem is closed only in the sense that profits must be shared with the providing host. Malware can and will make its way onto application stores.

Unsecured Wi-Fi and Mobile Access

Wi-Fi is rarely as safe as most people believe, especially in regard to mobile devices. By constantly being “on the move”, mobile devices are faced with a unique challenge of interacting with a huge array of mobile hotspots and wireless access points. Disregarding the more advanced risks associated with poorly configured wireless access, a major threat to all mobile users is the risk of a “Man in the Middle Attack.” This attack is essentially somebody spoofing the access point that you intended to connect to and reading (and potentially editing) all unencrypted traffic that is being sent or received on your device.

Phishing Attacks

Phishing attacks have reached a critical mass for severity. At a certain point, an attack method becomes so successful and easy to execute that other, more advanced attacks begin to fall out of favor. Phishing is extra relevant to mobile devices due to the “on the go” nature of mobile device usage. Our assumption is that the average person is less careful when clicking links on mobile since they believe that their phones are immune to viruses. While a large portion of malware in emails might not affect the mobile devices, there are still countless other risks associated with phishing that apply to mobile devices.

Spyware and Mobile Botnets

Spyware is a form of malware that monitors activity on a device and reports back to a centralized location. Spyware is extremely common on less-than-reputable mobile applications due to the fact that it can go unnoticed while delivering constant data to cybercriminals. This data can then be used to do things such as form malicious advertisement campaigns, take over accounts, or perform corporate espionage. This similar type of attack can actually infect your device with software that allows attackers to perform their attacks using your mobile device resources, generally called a mobile botnet.

Stolen Devices

The most obvious “attack” of all – simply stealing a mobile device – presents a massive cybersecurity threat. Many users find PINs and Passwords inconvenient and cumbersome, allowing attackers to gain easy access to a device that they have stolen. All sorts of data and nefarious actions can be taken with stolen mobile devices.

Now that we have looked at some of the most common attacks, what can we do to protect against these threats?

Watch What You Download

When downloading applications from sanctioned sources, be sure to check reviews and version update notes. Excessive permissions are also a cause for concern – if your timer application requires access to core system files, there may be a problem. Try to download apps that are “popular,” with a high number of downloads and positive reviews. This will not help against all spyware and malware, but it should reduce the risk. Never use jailbroken devices or unofficial application sources unless you are extremely familiar with the risks and willing to do extra research and invest into security software. Mobile Anti-Virus is gaining popularity – these tools can help provide an additional layer of defense but should never be a replacement for common sense.

Use Familiar Networks

Traveling with a mobile device is a given. Be sure to triple-check all connections that you are trusting with your device – wireless access point spoofing attacks often impersonate popular connection locations such as airports or hotels. If you notice something strange about the signal quality, naming convention, or even number of available networks then it is best to ask a staff member what the proper network is for connectivity. When utilizing public Wi-Fi, never type any credentials into websites or applications that are not encrypted.

Use Passwords, PINS, and Multi-Factor Authentication

We understand the fact that passwords, PINs, and MFA can be a nuisance. But the amount of time spent recovering from a successful attack or stolen device can greatly outweigh the entire sum of extra time spent entering a PIN on your device. Keeping devices locked can greatly reduce the risks associated with a stolen device. Equally important is keeping your accounts secured with Multi-Factor Authentication. Your phone will generally be your “second factor,” so keep it safe.

Keep Your Phone Up to Date

Patches, patches, patches. Keeping a device patch can generally feel like an endless battle with slow downloads and inconvenient restarts. However, the reason patches are deployed is generally to fix bugs that can lead to massive security risks. Keeping a device updated reduces the chances of falling victim to an attack by a staggering amount. Check your app stores and system settings for updates on a regular basis to stay ahead of the attackers.

Learn How to Detect Phishing

Awareness is the best prevention. Phishing will likely be the most drastic threat faced by most mobile device users. When a company or personal email receives a phishing attack, there are a few signs that you can look for in order to reduce your chances of falling victim. Check that you are familiar with the contact and sender – if the address doesn’t look right, it probably isn’t right. Look for typos or grammar mistakes within the emails as these are very common in phishing. Most importantly – never click a link or reply to an email without taking the time to verify the details surrounding the email. Security awareness training is available through a huge variety of sources – look into phishing awareness to help prevent yourself from falling victim to this extremely common attack.

Mobile devices are powerful tools that have enabled drastically improved productivity within organizations. With proper usage and dedicated cybersecurity awareness, these devices can be a safe and efficient tool. Practice proper cybersecurity hygiene and avoid taking shortcuts when utilizing your phone.


We are pleased to share this guest post from Scarlett Cybersecurity, a Florida-based leading cybersecurity provider whose mission is to simplify cybersecurity for organizations of all sizes. To learn more about Scarlett Cybersecurity, visit www.scarlettcybersecurity.com.

2022-10-27T11:06:04-04:00September 13, 2021|
Read More
Copyright 2021 The Florida Center for Cybersecurity