Friday, February 08, 2019

Stop phishing - Use the "Presumption of Guilt" principle

Let's get this straight so that you do not get phished:
  1. All emails, phone calls, postal mail, links on external websites and, in general, any form of unsolicited interactive communication are, without exception, presumed guilty of trying to invade your privacy and security until you have demonstrated the contrary.
  2. It is your responsibility not to click, not to take or place the call, and in general not to respond to any communication until you have demonstrated that it is not an attempt to invade your privacy and security.
  3. If by mistake you do click, answer or otherwise interact through any channel, you are responsible for providing no information after that point. Stop the communication immediately and instead initiate the contact yourself: visit a well-known website (type its URL, do not click the link), call a phone number you already know to be correct, or ask someone around you for help.
  4. Be curious and do your homework, as you should with any news you receive. Right-click the link, copy it, and paste it somewhere you can read it (a plain text editor, not the address bar) to determine where it would really take you if you clicked it. Search for keywords from the email, the link and the sender. Look up the phone number that called you. Search for complaints about the suspicious domain or address, and find out whether the email address or its domain has been reported as part of earlier criminal activity. We live in a world full of scams, false news and hoaxes. Learn, which always means looking at the problem from more than one perspective.
Apply the "presumption of guilt" principle. For emails in particular, please learn the following (do not just read it):
  1. Look at the details of the sender. The "From" field tells you whether the sender is known to you, not by the display name (anyone can type any name there) but by the address. The address has a local part (the identifier for the sender), an "at" sign (@) and a domain (usually the official website of the company). Keep in mind that the "From" address itself can be forged by the sender's mail server, so a familiar address is a starting point, not proof of identity.
  2. A local part that is not as plain as "john.doe", "jdoe" or "johnd" (random letters and digits, for instance) is suspicious. Do not trust a stranger up front.
  3. The domain part is made of labels separated by dots (.), for example "evil.com" in jdoe@evil.com. Ask yourself what that domain is: is "evil.com" a place you know and trust? Go to a browser and type that domain yourself; do not copy and paste it. Consider the letter "P/p": the Cyrillic "р" looks exactly like the Latin "p" on screen, but it is a different character, so https://www.philosophy.com/ is not the same as https://www.рhilosoрhy.com. The second URL is built with the Cyrillic "р" and leads to a different domain. What you see is not what you get.
  4. If you trust the local part and the domain, then ask yourself whether you were expecting that email. The fact that you have seen a similar email before does not mean this one is legitimate as well. If you did not expect it, assume it is evil. If in doubt, confirm through a separate channel: send a new email to the address you already have for that person (do not reply to the suspicious one), share the details with the related business support team, or ask the nearest geek. Who and where is only part of the picture; when is just as important.
  5. If something is not expected, mark that email as spam (or report it as phishing if your mail client offers that) immediately and do not engage.
  6. Look carefully at the URLs you navigate to and compare them letter by letter with the ones you know are correct, using a tool such as https://www.diffchecker.com/diff. That is how you see that "https://facebook.com" and "https://facebооk.com" are two very different URLs: the first is the one you use, while the second spells "oo" with two Cyrillic "о" characters. The list of confusable Unicode characters is huge, so the number of possible lookalike domains is practically unlimited.
  7. Beware of popups, and in particular make sure that what looks like their address bar is the browser's real address bar and not an image or HTML imitation of one. The real URL is always shown in the browser's own address bar and you can edit it; all modern browsers ensure this, which is one reason to use a current, safe browser. And yet, as mentioned above, double-check that it is actually the URL you are supposed to be visiting. This could make the last phishing exploit linked at the beginning of this blog post even smarter and harder to combat.
  8. Needless to say, keep all your devices updated. Do not leave that patch for later; apply it as soon as it is available (do not procrastinate on protecting yourself).
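As an added example (not code from the original post), here is the homework from these lists written as a small Python script: extract the real host from a link or sender address, flag hosts that mix Latin and Cyrillic characters, show the punycode form the browser would actually send, and compare a lookalike letter by letter against a domain you know. The known-good set and the short lookalike table are constructed for the example (the real Unicode confusables list is much larger), and the sample inputs are the post's own examples plus one "user@host" trick.

```python
import unicodedata
from urllib.parse import urlsplit

# Domains the reader actually uses. Constructed for this example; in practice
# this is your own bookmark list, never something taken from the email itself.
KNOWN_GOOD = {"facebook.com", "www.philosophy.com"}

# Hand-built table of Cyrillic letters that render like Latin ones. This is an
# assumption of the example: the real Unicode confusables list is far larger,
# and a production tool would load that list instead of a dozen entries.
LOOKALIKES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
})


def hostname_of(target: str) -> str:
    """Pull the host out of a URL, or the domain out of an email address.

    URLs go through urlsplit, so "https://facebook.com@evil.com/" yields
    "evil.com": everything before the "@" is userinfo, not the host.
    """
    if "://" not in target and "@" in target:          # looks like an address
        return target.rsplit("@", 1)[1].strip().lower()
    parts = urlsplit(target if "://" in target else "http://" + target)
    return (parts.hostname or "").lower()


def script_families(host: str) -> set:
    """Unicode script families present, e.g. {"LATIN"} or {"LATIN", "CYRILLIC"}.

    Taken from the first word of each character's Unicode name; dots, digits
    and hyphens are skipped because they belong to every script.
    """
    families = set()
    for ch in host:
        if ch in ".-" or ch.isdigit():
            continue
        families.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return families


def wire_form(host: str) -> str:
    """The IDNA (punycode) form the browser sends in DNS and the TLS SNI."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host  # cannot be encoded; the caller flags it anyway


def skeleton(host: str) -> str:
    """Replace the known Cyrillic lookalikes with the Latin letters they imitate."""
    return host.translate(LOOKALIKES)


def diff_positions(candidate: str, known: str) -> list:
    """Letter-by-letter comparison, reporting each mismatch with its code point."""
    out = []
    for i, (a, b) in enumerate(zip(candidate, known)):
        if a != b:
            out.append((i, f"{a} U+{ord(a):04X}", f"{b} U+{ord(b):04X}"))
    if len(candidate) != len(known):
        out.append((min(len(candidate), len(known)), "length differs", ""))
    return out


def check(target: str, known_good: set = KNOWN_GOOD) -> dict:
    """Apply the 'presumption of guilt' to one link or sender address."""
    host = hostname_of(target)
    findings = []
    if host in known_good:
        return {"host": host, "verdict": "known", "findings": findings}
    families = script_families(host)
    if len(families) > 1:
        findings.append(f"mixed scripts in host: {sorted(families)}")
    if any(ord(c) > 0x7F for c in host):
        findings.append(f"non-ASCII host; on the wire it is {wire_form(host)}")
    imitated = skeleton(host)
    if imitated != host and imitated in known_good:
        findings.append(f"imitates {imitated}; differs at {diff_positions(host, imitated)}")
    verdict = "suspicious" if findings else "unknown"
    return {"host": host, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: the post's examples (Cyrillic о and р) plus a userinfo trick.
    for sample in ("https://facebook.com", "https://facebооk.com",
                   "https://www.рhilosoрhy.com/login", "jdoe@evil.com",
                   "https://facebook.com@evil.com/"):
        result = check(sample)
        print(f"{sample!r:45} -> {result['verdict']}")
        for finding in result["findings"]:
            print("    ", finding)
```

The "unknown" verdict is deliberate: a domain that is neither on your list nor a lookalike of one is exactly the case where the post tells you to do the searching yourself before trusting it.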
