Problem solve Get help with specific problems with your technologies, process and projects.

How to avoid phishing hooks: A checklist for your end users

Checklist of basic recommendations to share with your end users to teach them how to avoid phishing schemes.

Phishing attacks are on the rise and becoming increasingly sophisticated and complex. According to a 2004 Gartner Inc. study, phishing attacks have tricked at least 1.8 million consumers into revealing sensitive information. On average, victims lose $1200 when their bank account is compromised via a phishing attack.

So, how do you stop these attacks? Educating your users is the first step. Here is a checklist of basic recommendations to share with your end users to teach them how to avoid phishing schemes.

    How to avoid phishing hooks            
              If you receive an unsolicited or unexpected email, pop-up message or instant message requesting personal or financial information, do not reply or click on the link in the message. Legitimate companies will never ask for your personal or financial information via email or instant messenger. If you are concerned about your
account(s), contact the organization in the email using a telephone number you know is genuine, or by opening a new browser session and typing in the company's correct Web address. Do not cut and paste the link that came in the email message.
              Regularly update and patch your Web browser(s). Recent browser vulnerabilities have been used as part of phishing attacks.              
              Never email personal or financial information. If you have to enter your information into an organization's Web site, make sure the site is secure. Check for a lock symbol in the browser bar or make sure the URL starts with "https." Unfortunately, phishers have found ways to duplicate such security indicators and therefore it's best to minimize online transactions as much as possible.              
              Install a Web browser tool bar to help protect you from known phishing Web sites. For example, EarthLink's ScamBlocker ( is a free browser toolbar that alerts a user when they visit a fraudulent Web page.              
              Install SpoofStick (, a browser extension that helps users detect spoofed Web sites. SpoofStick makes it easy to spot a spoofed Web site by prominently displaying the site's URL.              
              Use antivirus software on your workstation and regularly update it. Some phishing emails contain malicious software that can harm your computer or track your activities on the Internet without your knowledge. Antivirus software will prevent this type of software from being installed on your computer.              
              Send all phishing emails you receive to the following groups:
  • Anti-Phishing Working Group (
  • Federal Trade Commission (
  • The "abuse" email address at the company that is being spoofed (e.g.,
These groups use the information they collect on phishing attacks to shut down phishing Web sites and take legal action against phishers.

Phishing attacks are likely to become even more convincing and dangerous. Follow the above steps and you'll avoid getting hooked by an attack.

About the author
Steven Weil, CISSP, CISA, CBCP is senior security consultant with Seitel Leeds & Associates, a full service consulting firm based in Seattle, Washington. Mr. Weil specializes in the areas of security policy development, HIPAA compliance, disaster recovery planning, security assessments, and information security management. He can be reached at

This was last published in June 2005

Dig Deeper on Email and Messaging Threats-Information Security Threats

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.