.locker's Tips for Preventing Phishing
The Anti-Phishing Working Group observed close to one million phishing attacks in the fourth quarter of 2024 alone. Those attacks impersonated over 300 unique brands across more than 100,000 separate campaigns, among them the highway toll violation texts that have been prolific in the United States. Whether it’s a suspicious email, a deceptive text message, or a phone call that just doesn’t feel right, cybercriminals are constantly finding new ways to trick people into giving up sensitive information. This blog will help you recognize the signs of phishing across the most common channels (email, phone, and chat) and give you practical tips to protect your digital identity. Knowing what to look for is the first step in staying safe online.
Auditing Unsolicited Contacts
Think about this situation. Your fiat-to-crypto exchange calls you because they’re having trouble connecting to your bank account, and without that connection, your account will be locked. They need to confirm your bank account number and your address. What would you do? If you’re somebody who would provide that information right away to resolve the problem, you are putting yourself at risk: the caller has given you no proof of who they are, and a real provider doesn’t need you to read account details back over an unsolicited call.
Remember that a reputable provider is extremely unlikely to contact you directly and unsolicited, especially through social media or a third-party chat application. Be suspicious if a domain registrar or a digital wallet provider reaches out to you on one of these channels to resolve a problem, especially if it involves account security or payment information. If your payment method has expired or your account shows suspicious activity, you will usually receive an automated alert by email or an in-account notification. Support will not proactively engage with you one-on-one unless you initiated the contact.
A softer version of the security or payment scare tactic is to use an enticing offer instead. Cybercriminals will try to lure you in with a coupon, a discount, or even a free product. Unfortunately, the offer is usually fake and the real goal is to steal your personal information. An example of this would be your domain registrar sending you an email offering a free year of domain renewal, and all you need to do to redeem the offer is log in to your account. Sounds great, right? That’s exactly the point. Scammers want you to click the link and enter your login credentials on their copy of the login page so they can use those credentials to take control of your domain.
When you receive an unsolicited contact:
- Be wary, especially if they include a generalized greeting, such as “Dear Customer…”
- Don’t fall for scare tactics or offers that are too good to be true
- Only engage with support through official channels, such as a chat or support ticket that you open yourself on the provider’s website after typing its address into your browser
- Never discuss login or payment information on social media or in third-party chat applications
- Always verify where a link goes before entering your username and password
Spotting Phishing Emails
Before clicking on anything in an email, check the sender’s email address, not just the display name, which can be set to anything. The address is your first hint at whether you are being targeted by a phishing attempt. Cybercriminals are experts at imitating brands, but they aren’t perfect. They hope that you won’t spot the small differences that separate a phishing email from the real thing. Keep in mind that a correct-looking address is a hint rather than proof: whether a message genuinely came from a domain is something your mail provider checks using that domain’s SPF, DKIM, and DMARC records, which is why the warnings your client attaches to a message matter.
Check the sender’s name and domain name. An email from Amazon should come from an Amazon.com address, not “Amaz0n.com” or “AmazonCustomerService@gmail.com.” If you purchase a product from Apple.com, you should expect communications to come from an Apple.com domain too. Most reputable companies use branded email addresses to help establish a message’s credibility; they don’t use generic addresses that end in “gmail.com” or “yahoo.com.”
If an email from a supposedly trusted entity ends up in your spam folder, take a closer look. Legitimate messages do sometimes land in spam, but it can also be a sign that the email isn’t what it claims to be. Most email clients have safeguards against phishing, such as dropping these emails into spam or labeling them as suspicious. Despite this, it’s entirely possible for a malicious message to slip through to your inbox.
When you receive an email, double check that:
- The sender’s address doesn’t have any typos or misspellings
- The sender’s email domain name is exactly the same as you would expect, like the Amazon and Apple examples from above
- The email doesn’t have any sender or content warnings from your email client
- The email isn’t in spam. Emails that land in the spam folder should be treated as suspicious from the start, even if they turn out to be real
Screening Suspicious Phone Calls
It can be harder to screen a suspicious phone call, but there are warning signs you can rely on. Just like email clients, phone carriers are getting better at suppressing malicious calls, but cybercriminals have simply changed their methods to get around these measures. One example is caller ID spoofing: an incoming call appears on caller ID to come from a local number, or even from a number you recognize, when in reality it is coming from somewhere else entirely. The hope is that a local number will convince you to pick up. As mentioned before, unsolicited phone contact is very rare, especially from internet-based providers. It’s rarer still for a provider to be calling from a town a few miles away. If someone asks for personal information over the phone, hang up and verify the contact directly with your provider using a number you look up yourself.
Another defense is to check the caller’s phone number closely. Scammers will often use a number that is one digit off from a trusted entity’s number. Look the entity up on a search engine or its official website and compare the number calling you digit by digit. Bear in mind that because caller ID can be spoofed, even an exact match isn’t proof; the reliable check is to hang up and call the published number back yourself.
If you get an unsolicited call claiming to be from an entity you trust:
- Be suspicious if the call appears to come from a local city or town. This is a known tactic to convince you to pick up the call
- Verify the calling number against the entity’s official website, and remember that a matching caller ID can still be spoofed, so call back on the published number rather than continuing the call
- Do not share any personal information, like credit card numbers or passwords. Scare tactics and enticing offers are used over the phone, too
Identifying Suspicious URLs and Domain Names
Shortened URLs and text links are useful marketing tools, but they can also be used to mask the true destination of a link, which makes it harder to tell which URLs are safe to visit. The first step to protect yourself is to investigate both the domain name and the full URL of a link without clicking it. Either hover over the link to reveal the underlying URL, or copy the link and paste it into a notepad application for closer inspection. Either way, you are looking for misspellings, unfamiliar domain extensions, and imitation domain names like the Amazon and Apple examples above. Pay particular attention to the part of the address that actually matters: a link to amazon.com.example.net takes you to example.net no matter how the address begins, and a shortened link reveals nothing on hover except the shortener itself, so treat it as unknown until it has been expanded. Malicious links can lead to fake websites used to harvest account credentials, or to unintended downloads of malicious files.
Before you click on a link, be sure to:
- View the full URL without visiting the website
- Check the URL and domain name for misspellings, typos, and other imitations of real brands, and confirm that the registered domain itself (the part just before the .com or other extension) belongs to the brand
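As an added example (it is not part of the original .locker post and not the registry's own tooling), the following Python script automates the checks from both the email section and the URL section above: it pulls the domain out of a From: header or a link, flags free webmail addresses that carry a brand name, lookalike spellings such as a zero for an "o", brand names buried in a hostname whose registrable domain belongs to someone else, the "user@host" trick, shortened links, and non-ASCII or punycode hostnames. The brand table, freemail list, shortener list, and the tiny stand-in for the Public Suffix List are all assumptions constructed for the example, and every sample address and link is made up.

```python
"""Lookalike checks for e-mail sender domains and link targets (example code)."""
import email.utils
from urllib.parse import urlparse

# Constructed allow-list for this example: the domains these brands really
# send mail from and host sites on. A real deployment maintains its own.
TRUSTED_DOMAINS = {"amazon": {"amazon.com"}, "apple": {"apple.com"}}
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}
# Character sequences that read alike in many fonts; folded before comparing.
CONFUSABLES = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")]
# Suffixes under which the registrable name is three labels long. A tiny
# stand-in for the Public Suffix List, not a replacement for it (assumption).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def fold_confusables(label: str) -> str:
    """Map look-alike sequences to the letters the eye reads them as."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typos of a brand name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_host(host: str, context: str = "") -> list[str]:
    """List ways a hostname could impersonate a trusted brand. `context` is
    text seen beside the host (display name, mailbox) that may carry the brand."""
    findings = []
    host, context = host.lower().rstrip("."), context.lower()
    if not host.isascii():
        findings.append("non-ASCII characters in hostname (possible homograph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in hostname (possible homograph)")
    reg = registrable_domain(host)
    if any(reg in domains for domains in TRUSTED_DOMAINS.values()):
        return findings  # the brand's real registrable domain
    reg_label = reg.split(".")[0]
    for brand in TRUSTED_DOMAINS:
        if reg in FREEMAIL and brand in context:
            findings.append(f"{brand!r} brand name on a free webmail address ({reg})")
        elif reg_label != brand and (fold_confusables(reg_label) == brand
                                     or edit_distance(reg_label, brand) <= 1):
            findings.append(f"{reg_label!r} is a lookalike spelling of {brand!r}")
        elif brand in host:  # e.g. amazon.com.evil.net or amazon-support.com
            findings.append(f"{brand!r} appears in hostname but registrable domain is {reg!r}")
    return findings


def assess_sender(from_header: str) -> list[str]:
    """Check the From: header of a message; the display name proves nothing."""
    display_name, address = email.utils.parseaddr(from_header)
    mailbox, at, domain = address.rpartition("@")
    if not at or not domain:
        return ["sender address is missing or malformed"]
    return assess_host(domain, context=f"{display_name} {mailbox}")


def assess_url(url: str) -> list[str]:
    """Check a link target before visiting it; needs no network access."""
    parts = urlparse(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host:
        return ["no hostname in link"]
    findings = []
    if parts.scheme != "https":
        findings.append(f"link is not https ({parts.scheme})")
    if parts.username is not None:  # https://amazon.com@evil.net/ goes to evil.net
        findings.append(f"{parts.username!r} before '@' is a username; real host is {host!r}")
    if registrable_domain(host) in SHORTENERS:
        findings.append("shortened link hides the real destination")
    return findings + assess_host(host)


if __name__ == "__main__":  # constructed samples, not real messages or links
    for sample in ["Amazon <no-reply@amazon.com>", "Amazon <security@amaz0n.com>",
                   '"Amazon Customer Service" <AmazonCustomerService@gmail.com>']:
        print(sample, "->", assess_sender(sample) or ["consistent with the brand"])
    for link in ["https://www.apple.com/account", "https://amazon.com.evil.net/signin",
                 "https://amazon.com@evil.net/", "http://bit.ly/3abc"]:
        print(link, "->", assess_url(link) or ["consistent with the brand"])
```

The script only looks at strings, so it can be run on a copied link or header without visiting anything. Its allow-list is the weak point: a brand it doesn't know about gets no lookalike checks at all, and the suffix table is deliberately minimal, so in real use you would load the Public Suffix List and your own list of brands and their sending domains.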
Want to practice spotting phishing attempts? Visit .locker’s quiz in the Help Center.