Q&A with Keeper’s CTO: What’s New In The Data Threat Environment


Keeper Q&A with Craig Lurey

Keeper co-founder and CTO on the cold hard facts of data security today.

Craig Lurey is co-founder and chief technology officer at Keeper Security. It’s his job to ensure that Keeper’s solutions stay a step ahead of the dangers in today’s hyper-dynamic threat environment. Here’s his take on just what is changing, and how Keeper intends to change as well.

Q: What is changing most profoundly in the threat environment?

A: The use of cloud-based services continues to grow dramatically, whether we know we are using them or not. For individuals it’s not just email, for example, but there is the IoT with things like Nest controllers, cars with hundreds of on-board computers, new AI services like Google Home and Amazon Echo – all interconnected and accessed by everyday devices. That makes all these devices targets, and the personal information on them vulnerable to attack.

Q: What about the traditional threats, like malware and viruses?

A: Malware, ransomware and viruses will continue as major threats for the near term. But as services move increasingly to the cloud, big firms like Google, Apple and Microsoft and the thousands of skilled security professionals they employ are doing a much better job of identifying and stopping such threats.

Q: How do the attackers burnish and refresh their skills in this changing world?

A: It’s actually quite interesting. Today there are researchers and students in universities and think tanks being trained in cyber security, identifying changing threat vectors. Then they publish their findings and initiate discussions and online chats to embellish their knowledge. Problem is, the hackers and bad guys are also there, getting all the latest information on the latest threats and weaknesses in defenses! And there are plenty of weaknesses.

Q: What is it about cloud services that can be risky?

A: Remember that cloud services are all about software, and all software – it doesn’t matter who wrote it – has bugs. These bugs have the potential to become vulnerabilities. With many cloud services, who knows what measures were taken in the development process to ensure security? Who even asks? Consider Cloudflare, which powers some five and a half million websites. It recently disclosed that a software bug gave hackers the ability to access sensitive data in real-time, including passwords, cookies and tokens to authenticate users. Most likely users of cloud services powered by Cloudflare never even heard of the company but nonetheless could have been victimized by the vulnerability presented by the software bug.

Q: What do these many changes in the threat environment mean for passwords and their management?

A: It is more critical than ever before for individuals as well as businesses to focus on the password. For example when it comes to exploiting weaknesses in cloud services, hackers choose the paths of least resistance. For the most part they aren’t going to sit there and try to decrypt SSL traffic. The easiest attack vector for them is the password. They know individuals use the same ones over and over for different services. So they will attack through some random shopping site, for example, and use various widely available tools to break simple passwords. They aren’t going to target Facebook or Google.

Q: What do businesses need in this regard?

A: They need visibility into password usage throughout their organization. They need to know how individuals are managing passwords, if they are being managed at all. Are they being rotated? Where are they controlled? It all comes down to the same issue, and it is access and who has access.

Q: What is Keeper doing to stay ahead of this dynamic threat environment?

A: We go to extreme lengths to protect our customers’ data, so much so that we don’t have access to it. We are a true zero knowledge product. That means we don’t access or decrypt anyone’s data. So if a hacker happened to get the data stored in a Keeper vault, it would be useless. A zero knowledge environment is the extreme end of data protection. Any encryption or decryption is done solely by the users on their own devices. We are after all protecting our customers’ single most valuable piece of information, namely their passwords.

Q: Without giving away secrets, what can customers expect in the future from Keeper?

A: We are building out a series of products that protect users’ data and their identity, and we’ll be doing that not just with passwords but with other kinds of information as well. In essence we are going to bring our zero knowledge architecture to other product platforms.

Q: Anything else?

A: Yes. The field of DevOps is very rapidly emerging, creating a new category of engineers that not only develop software but also then deploy and manage it through its lifecycle. Our customers will see a migration from pure password management to more privileged access where we still manage the password but also the access to DevOps processes as well. In DevOps the engineers deal with all sorts of functions like access to systems, servers, and cloud services as well as to physical devices. So while we at Keeper are building out and improving upon solutions for business users in marketing, sales, HR and so on, we’ll also focus more on IT teams who are often inundated with securing all these access points. Today there are simply no great solutions out there for them.

Q: Has the near total blurring of the lines between personal and business use of many devices presented particular challenges for organizations, and for Keeper for that matter?

A: Users just expect to intermingle personal and business use, especially on their own devices but even on those provided by the employer. We encourage our business users to deploy the Keeper data vault to their business users under a business account. But we strongly advocate for using a separate personal vault on the same device for all personal data. We made multi-account switching really easy and completely seamless. So the business has control only over the business data in the business vault. The individual has complete control over what’s in the personal vault.

Why Keeper Supports the FIDO Alliance


IT security experts will tell you that 80% to 90% of breaches could be prevented if organizations enforced stronger password controls. But IT administrators will tell you that convincing people to use strong passwords is a lost cause. No matter how much you educate, cajole and frighten them, a frustratingly large number of people will still safeguard their critical information with “123456.”

That’s why Keeper has joined the FIDO (Fast IDentity Online) Alliance. The FIDO Alliance is working to create technical specifications for an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords. It’s trying to bridge a seemingly contradictory set of objectives. “FIDO is strengthening the authentication process while at the same time making it easier for users,” said Andrew Shikiar, senior director of marketing at the Alliance. “Our goal is to make it easier for enterprises and service providers to move beyond the password.”

FIDO takes a different approach to authentication: it uses public key cryptography to create a separate key pair for each service the user registers with. The private key is stored on and never leaves the user’s device; the service holds only the matching public key, which cannot be used to log in and so is of no value to an attacker who steals it. Authenticating locally matters because it protects user privacy and removes the reliance on passwords stored on third-party servers, which are one more thing that can be breached. The FIDO Alliance’s approach is in line philosophically with Keeper’s zero-knowledge architecture.

The use of centralized password databases has been behind the damage of some of the world’s largest security breaches. For example, the two attacks on Yahoo collectively exposed more than one billion user accounts to compromise. Cyber criminals can purchase these lists and use them for “credential stuffing,” or testing the login information on other websites. “The success rate for credential stuffing is as high as two percent, which is staggeringly large,” Shikiar said. “FIDO’s approach to strong authentication can take this threat vector away entirely.”

If two percent doesn’t sound like a lot, consider that running one million usernames and passwords through the authentication process of a bank or stock-trading site at a two-percent success rate translates into 20,000 successful accesses.

The FIDO Alliance is promoting two sets of specifications: Universal Authentication Framework (UAF) and Universal Second Factor (U2F). UAF is most typically implemented in mobile apps. No passwords are involved. Users register their device to an online service by selecting a local authentication mechanism such as a fingerprint, PIN or face/voice recognition, at the service provider’s discretion. From there, users simply repeat the local authentication action whenever they log in.

U2F uses a password complemented by a second factor through a FIDO Security Key such as a USB token — proving that the user is in possession of their device. The use of a second factor enables the service to simplify passwords without compromising security.

The FIDO Client-to-Authenticator Protocol (CTAP), which is currently in review, provides for the use of smartphones or even wearables as a primary authentication device. Coupled with the W3C’s Web Authentication (WebAuthn) effort, which will bring native FIDO support to leading web browsers, CTAP will expand FIDO’s reach to a much larger number of users as part of the FIDO2 project.
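To make the registration and login flow described above concrete, here is an added example (not code from Keeper or the FIDO Alliance) that models a U2F-style exchange between a security key and a relying party, and shows why a key bound to an origin does not help a phishing site. The signed-data layout (application parameter, user-presence byte, counter, challenge parameter) follows the U2F raw message format; everything else, including the hostnames, the key-handle scheme and the class names, is an assumption of this example. Signatures use a minimal Schnorr scheme over the secp256k1 curve written with only the Python standard library so that the script runs offline; real authenticators use ECDSA on P-256 with the private key held in hardware, so treat this as a model of the protocol and not as crypto to reuse.

```python
import hashlib
import secrets

# secp256k1 parameters. The signature scheme below is a toy Schnorr variant written
# with only the standard library: a model of the protocol, not production crypto.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
G = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
     0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)

def _add(a, b):
    """Point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0]:
        if (a[1] + b[1]) % P == 0:
            return None
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def _mul(k, pt):
    acc = None                      # double-and-add scalar multiplication
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def _e(r, pub, msg):
    return int.from_bytes(hashlib.sha256(_enc(r) + _enc(pub) + msg).digest(), "big") % N

def sign(priv, pub, msg):
    k = secrets.randbelow(N - 1) + 1
    r = _mul(k, G)
    return _enc(r) + ((k + _e(r, pub, msg) * priv) % N).to_bytes(32, "big")

def verify(pub, msg, sig):
    r = (int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:64], "big"))
    s = int.from_bytes(sig[64:], "big")
    return _mul(s, G) == _add(r, _mul(_e(r, pub, msg), pub))

def _signed_data(app_id, counter, challenge):
    # U2F layout: SHA-256(appId) || user-presence byte || counter || challenge param
    return hashlib.sha256(app_id.encode()).digest() + b"\x01" + counter.to_bytes(4, "big") + challenge

class SecurityKey:
    """The token: private keys are generated here and never leave."""
    def __init__(self):
        self._keys, self._counter = {}, 0   # (app_id, handle) -> (priv, pub)

    def register(self, app_id):
        priv = secrets.randbelow(N - 1) + 1
        handle = secrets.token_bytes(16)
        self._keys[(app_id, handle)] = (priv, _mul(priv, G))
        return handle, self._keys[(app_id, handle)][1]   # only the public key leaves

    def authenticate(self, app_id, handle, challenge):
        key = self._keys.get((app_id, handle))
        if key is None:   # handle was registered for a different origin: refuse
            return None
        self._counter += 1
        return self._counter, sign(*key, _signed_data(app_id, self._counter, challenge))

class RelyingParty:
    """The service: holds public keys and counters, no secrets."""
    def __init__(self, app_id):
        self.app_id, self.users, self.pending = app_id, {}, {}

    def enroll(self, user, handle, pub):
        self.users[user] = (handle, pub, 0)   # last counter seen

    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def verify_login(self, user, counter, sig):
        handle, pub, last = self.users[user]
        chal = self.pending.pop(user, None)
        ok = (chal is not None and counter > last   # fresh challenge, no replay or clone
              and verify(pub, _signed_data(self.app_id, counter, chal), sig))
        if ok:
            self.users[user] = (handle, pub, counter)
        return ok

def demo():
    key, bank = SecurityKey(), RelyingParty("https://bank.example")   # assumed origin
    handle, pub = key.register(bank.app_id)
    bank.enroll("alice", handle, pub)
    chal = bank.challenge("alice")
    genuine = bank.verify_login("alice", *key.authenticate(bank.app_id, handle, chal))
    # A look-alike site relays the real challenge and handle, but the browser passes
    # its true origin as app_id, so the token has no key for that (origin, handle).
    chal = bank.challenge("alice")
    phished = key.authenticate("https://bank-example.login-help.test", handle, chal)
    return {"genuine": genuine, "phishing_signed": phished is not None}
```

The counter check in `verify_login` is what lets a service notice a cloned token, and the single-use challenge is what defeats replay; the origin check in `authenticate` is the phishing resistance the article refers to, because the browser, not the page, tells the token which origin is asking.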

In the five years of its existence, the FIDO Alliance has rung up a lot of successes, enlisting more than 250 members ranging from IT organizations to mobile app developers, government organizations, platform providers and financial institutions. Facebook rolled out FIDO authentication in January, extending it to 1.7 billion additional users. Google has been a member since 2014.

Keeper believes in the value of standards as a way to continually move the industry forward. The more organizations that sign on to the FIDO Alliance, the faster the industry can solve the password problem and tackle the next set of challenges. We are proud to be part of that effort.

Keeper Announces Microsoft Edge Extension


LOOK WHAT’S NEW
Hey Windows 10 customers! You’ll be happy to hear that Keeper now has a Microsoft Edge extension. This latest extension will provide you fast and secure access to the Keeper vault right within your browser.

HOW IT WORKS
Now you will be able to use Microsoft Edge to quickly and securely log in to your favorite online destinations. The extension and Keeper icons appear on the screen as you browse to manage logins, enter passwords and secure your data. The new design also lets you use KeeperFill™ to autofill passwords without navigating away from the current page.

We are so excited to provide millions of Windows 10 users a simple way to manage their passwords from the browser of their choice. The Keeper and Microsoft teams have worked closely together to deliver a “native” feel to the browser that integrates perfectly with your browsing experience.

Microsoft Edge is the faster, safer browser designed for Windows 10. Not only will this latest Keeper extension make your devices and online activity more secure but will also save you time.

WHERE TO GET IT
To download the extension, please visit https://www.microsoft.com/en-us/store/p/keeper-password-manager-digital-vault/9n0mnnslfz1t#.

We look forward to delivering more awesome updates for Windows 10 users in the future. Thank you for your support!

Why Google chose to pre-integrate Keeper SSO Connect into G Suite



We were thrilled last month when Google selected Keeper SSO Connect, our SAML 2.0 service, as one of just nine third-party apps to be included in the search giant’s pre-integrated SSO Apps Catalog. In an earlier post we told you why Keeper and SSO go so well together. Now we’d like to share the reasons why the Keeper solution is unique enough to earn Google’s endorsement.

Even if you’ve never heard of the term SSO (single sign-on), you’ve undoubtedly used it. Whenever you land on a login page that offers you the option of signing in with Facebook, Google, Twitter or other popular social networks as an alternative to creating an account, you’ve seen SSO at work. One example is Fitbit’s login page.

SSO is one of those rare win-win propositions that not only enhances security but also improves the user experience. Used with protocols such as Kerberos and the Security Assertion Markup Language (SAML), SSO takes care of most of the complexity of authentication and user identity management in the background.

And SSO isn’t just for public websites; it is also used extensively behind corporate firewalls. For example, companies may use it to make it easier for their employees to log in to multiple corporate accounts, such as email, financial applications, collaboration software and CRM. By deploying SSO, enterprises can greatly reduce the need for people to have to maintain passwords for each application they use. That means fewer helpdesk calls, fewer resets and less risk of compromise due to password theft. Companies can also monitor user SSO activity both to see how applications are being used and also to look for signs of compromise.

One of the most rewarding aspects of the Google endorsement is that Keeper has only been in this market for about six months. Late last year we were approached by one of our customers that wanted to use SSO internally to permit users to authenticate to their Keeper vault. We had a solution ready early in the new year, and it’s been a hit with customers.

There are two big differences between the Keeper SSO solution and most others. One is our ability to store rich information in the vault, including files, sensitive data and access credentials to restricted systems. Our shared password storage capability is useful to enterprise customers because not all applications support SSO. Keeper gives them the flexibility to keep a shared vault of passwords to non-SSO applications in a single, secure place so users can log into whatever systems they need. In another recent blog post we told you about how much some users value encrypted file storage.

The second big Keeper difference is our zero-knowledge security architecture. The customer maintains full control over encryption and decryption of their data. We have no access to the encryption keys, master passwords or records stored within the Keeper vault. This capability has become particularly important to customers in the wake of the OneLogin breach late last month. In that incident, the credentials of potentially millions of individual users were compromised because the keys that could decrypt them were kept on a central server. A breach of that kind could not play out the same way with Keeper because we never hold the keys: decryption happens only on the user’s own device.

With its decision to include SSO Connect in its third party apps catalog, Google is making it that much easier for customers to implement SSO and SAML. Our own integration is even more extensive. SSO Connect also works with Microsoft’s Active Directory Federation Services and Azure cloud, F5’s BIG-IP Access Policy Manager, Okta’s Identity Cloud, Centrify identity and access management solutions, OneLogin, Ping Identity and the open-source Central Authentication Service.

Latest Keeper Release Incorporates FIDO U2F Security Keys


As a part of Keeper’s core offering, FIDO U2F and YubiKey support will now be available to our individual users and enterprise accounts. With our mission to make the internet secure for everyone we are thrilled to partner with these world class companies to deliver the highest level of security to our customers. The feature is immediately available to all Keeper customers and provides the added protection and security of hardware 2FA for their critical accounts.

FIDO U2F Security Keys are small USB and NFC hardware 2FA devices that can instantly be added to secure Keeper accounts. Once a device is registered, when prompted for the second factor during login to Keeper, a user simply has to touch the device to authenticate and gain access. The YubiKey supports multiple authentication protocols and can protect access to a wide range of consumer and enterprise applications. A single YubiKey can perform authentication to FIDO U2F supported services (Facebook, Google, Dropbox, GitHub, Salesforce, etc.), password managers such as Keeper, Windows login including Windows Hello, remote access, IAM, VPN and much more. The YubiKey works on Microsoft Windows, Mac, Linux, and on major browsers without the need for extra software or drivers.


Keeper will be demoing and giving away YubiKeys at the Gartner Security & Risk Management Summit, June 12-15 in National Harbor, MD. If you are attending this summit please stop by our booth at #601 to learn more.

Why Keeper and SSO Are Better Together



SSO (single sign-on) products provide a digital handshake that allows users to sign in to third-party SAML-compatible cloud services without entering a separate password for each one. In addition to providing this capability, some SSO identity providers also offer a basic level of password management for websites that do not support SAML. In some cases the password management features inside SSO products do not provide a zero-knowledge solution. This is why we created Keeper SSO Connect.

Keeper SSO Connect is an encryption key management application that runs on-premises. It can be installed on a physical appliance (server) or virtual machine (VM). Keeper SSO Connect supercharges the capabilities of SSO identity providers with a powerful password management solution. Keeper provides full zero-knowledge encryption and storage of user-generated passwords and private information.

Keeper, as a zero-knowledge security provider, has no ability to decrypt user records, files, or data stored within the Keeper Vault.

Keeper SSO Connect is not vulnerable to the attack that recently affected OneLogin for one simple reason: the keys necessary to decrypt user records are never made available to Keeper, either through our standard Vault product or through Keeper SSO Connect.

Authorization and encryption keys are derived on the device from the user’s master password, as two separate keys. Neither the master password nor the encryption key is ever transmitted to or stored in Keeper’s vault or cloud storage; both remain in the client’s control and possession, in Keeper’s standard products and in Keeper SSO Connect alike.

Even if the encrypted data stored in Keeper’s vault were obtained by a hacker or a third party, they would need the user’s master password or encryption key to decrypt it, and neither is stored anywhere in Keeper’s vault or databases.
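As an added example of the split the two paragraphs above describe (not Keeper’s code; this page does not describe Keeper’s actual derivation parameters, so the scheme below is a generic model), here is the client-side derivation of one stretched secret from the master password, expanded with two distinct labels into an authorization key and a data-encryption key, next to a server that stores only a salt, a hash of the authorization key and opaque ciphertext. The names `derive_keys`, `VaultServer` and the `keeper-example/...` labels are inventions of the example. Standard-library Python has no AES, so `seal` and `unseal` use an HMAC-SHA256 keystream with a separate MAC key as a stand-in for a real AEAD such as AES-GCM; the point of the example is where the keys live, not the cipher.

```python
import hashlib
import hmac
import secrets

def derive_keys(master_password, salt, iterations=200_000):
    """On-device derivation: PBKDF2 stretches the password, then one-block
    HKDF-Expand with two different labels yields two independent keys."""
    prk = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    auth_key = hmac.new(prk, b"keeper-example/auth\x01", hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"keeper-example/enc\x01", hashlib.sha256).digest()
    return auth_key, enc_key

def _subkeys(enc_key):
    # Separate keystream and MAC keys from the data key (stand-in for an AEAD).
    return (hmac.new(enc_key, b"stream", hashlib.sha256).digest(),
            hmac.new(enc_key, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(enc_key, plaintext):
    sk, mk = _subkeys(enc_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(sk, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(enc_key, blob):
    """Plaintext, or None when the key is wrong or the blob was tampered with."""
    sk, mk = _subkeys(enc_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(sk, nonce, len(ct))))

class VaultServer:
    """What the service stores: nothing that can decrypt the vault."""
    def __init__(self):
        self.db = {}

    def enroll(self, user, salt, auth_key):
        verifier = hashlib.sha256(auth_key).digest()   # the auth key itself is not kept
        self.db[user] = {"salt": salt, "verifier": verifier, "vault": b""}

    def login(self, user, auth_key):
        return hmac.compare_digest(hashlib.sha256(auth_key).digest(), self.db[user]["verifier"])

    def store(self, user, auth_key, blob):
        if self.login(user, auth_key):
            self.db[user]["vault"] = blob

def demo():
    server = VaultServer()
    salt = secrets.token_bytes(16)
    password = "correct horse battery staple"                          # constructed
    record = b'{"site": "bank.example", "password": "Tr0ub4dor&3"}'   # constructed

    auth_key, enc_key = derive_keys(password, salt)    # runs on the client only
    server.enroll("alice", salt, auth_key)
    server.store("alice", auth_key, seal(enc_key, record))

    # Worst case: attacker dumps the server row and also captured the auth key.
    row = server.db["alice"]
    attacker = [unseal(k, row["vault"]) for k in (auth_key, row["verifier"], row["salt"])]

    # A legitimate client on a new device re-derives both keys from the password.
    _, enc_key2 = derive_keys(password, row["salt"])
    wrong_key = derive_keys("correct horse battery stapler", row["salt"])[1]
    return {
        "login_ok": server.login("alice", auth_key),
        "attacker_decrypts": any(p is not None for p in attacker),
        "client_decrypts": unseal(enc_key2, row["vault"]) == record,
        "wrong_password_decrypts": unseal(wrong_key, row["vault"]) is not None,
    }
```

Because the server sees only `auth_key` (and keeps only its hash), a full database dump plus a captured login still yields nothing that can be turned into `enc_key`; the only route to the data is the master password, which is exactly the property the paragraph claims.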

Keeper SSO Connect integrates with leading SSO solutions like Azure ADFS, F5 BIG-IP APM, Okta, Ping Identity and Centrify.

Sign up for a free trial and demo today.

Keeper Users Tell Why They Love Secure File Storage


One of the distinctive features of the Keeper password manager is Secure File Storage, but we find many customers aren’t aware that it’s even available.

Secure File Storage gives you 10GB of space on the Family Plan and 1TB on the Business Plan to store anything you like. The files, photos and videos you keep there are protected by the same 256-bit AES encryption and optional two-factor authentication as your passwords.

People find all kinds of uses for secure file storage. J.C. Rausch, a video network engineer at Metro Systems keeps nearly 300 documents in Keeper Secure File Storage. “I store multiple documents in there ranging from car insurance and renter’s insurance to medical information and lab reports,” he told us. “I also keep important notes that I’ve written to myself. Even though I have backup on my PC, I use Keeper as an encrypted secondary backup.”

J.C. has been using Keeper for over 5 years on his desktop computer and iPhone. “I probably tried four or five different apps, and Keeper seemed to be the easiest and simplest to use. It’s never let me down,” he said.

He didn’t use secure file storage at first, opting instead for one of those internet file-sharing services. But as we’ve seen in recent headlines, even they are susceptible to hackers. “As far as I know, Keeper has never been hacked, and others have,” he said. J.C. still uses public filesharing services for non-sensitive documents, but “for anything I don’t want others to see, I use Secure File Storage,” he said. And with 10GB of storage, “I have so much space available that I plan on going through a lot of my documents and uploading them,” he added.

Happy Guadalupe doesn’t use secure file storage for documents, but he’s found an equally useful application that relates to his job in team admin support at the Coca-Cola Company.
Happy (whose real name is Eduardo, but he’s been “Happy” as long as he can remember) first came across Keeper because he was looking for a way to get his passwords out of a paper notebook and into something more secure. “I was becoming afraid, because that book had become my life,” he said. “Keeper came along and it was love at first sight.”

Keeper has particular value for Happy at work because Coca-Cola’s security settings don’t permit employees on the internal network to save passwords on any sites they visit. “Keeper is a blessing,” he said. “I call it my second brain.”

As an admin, he frequently makes travel reservations for others, and that’s where secure photo storage comes in handy. Experts will tell you that sending personally identifiable information in email is playing with fire, but in Happy’s field of work he frequently needs to exchange credit card information with hotels and travel services. That’s why he files away photos of all his credit cards next to the card numbers in Keeper. When making a hotel reservation, “I can send the photo of the card without sending the number in text,” he said. “After I send it, I immediately delete the message.” So far, most vendors have been perfectly OK with that arrangement. One caution: an image of a card carries the full number just as plainly as text does, so a sent photo should be treated as the card number itself and protected accordingly.

Which makes Happy, um, happy.

Keeper Secure File Storage is $9.99 per year and included in the $59.99 per year Family Plan for up to five users.

Some Frightening Stats About Accounts and Passwords



A recent report by Varonis Systems caught our attention because it illustrates how easily some basic security practices can be overlooked in the crush of day-to-day work.

Varonis released an analysis of more than 235 million folders it examined on file servers at 80 client sites. It found that more than 48 million of them – that’s 20% – were open to “global access groups,” meaning that, in effect, anyone in the organization could read them.

The report also said that the typical company has hundreds of openly accessible files that contain sensitive information.

But what really caught our eye was the data about user accounts and passwords. The audit found 448,000 accounts that were unused but still enabled, an average of 5,500 accounts per site. Typically, these accounts are set up for short-term use or belonged to people who have left the company but who still have active logins. The auditors also found half a million user accounts that had non-expiring passwords, meaning that attackers would have unlimited time to crack them and indefinite access thereafter.

Neither of these findings is surprising; busy administrators can easily overlook details like cleaning out old accounts or plan to get them later and never follow through. Some people also request exemption from the password expiration policy for the sake of convenience. If their title has a “VP” in it, that request is likely to be granted.

But both of these oversights are recipes for disaster. Take unused accounts. It isn’t hard for an attacker to guess which accounts may be dormant at any given company. Simply search LinkedIn for people who recently changed companies, then try common variants of their login names: bsmith@yourcompany.com, billsmith@yourcompany.com, etc. Searching on those email addresses may also turn up a hit.

An attacker can then try to log in using commonly used passwords. Given that 17 percent of people use the password “123456”, it won’t be long before one of those guesses yields a hit. Once inside, the crook has access to anything that user could see which, according to this report at least, is probably a lot.

Non-expiring passwords are just a bad practice. About the only time they make sense is when the account has no privileges, such as a Wi-Fi login at a hotel. Separately, accounts should lock after no more than five failed login attempts, after which the user has to call an administrator, so that the guessing described above is cut off early. The argument against password expiration is that the policy encourages people to write down their passwords, which increases the possibility of theft. Our advice is simple: use a password manager.

 

What is the Value of Stolen Digital Data?



By Darren Guccione, Co-founder and CEO of Keeper Security

By now most everyone is aware that failing to properly password-protect access to sensitive digital materials can have severe consequences. The damage of having one’s identity stolen or having personal financial or health records purloined can take months or years to repair.

But just what is the value of stolen data on the digital black market today? How is this data passed from hackers who steal it to fraudsters who can make your life miserable?

The answer to the first question of the value of stolen data is, surprisingly, “not as much as you might think,” as we’ll see. That’s good news and bad news. The good news, for fraudsters, is that they can get more stolen data for less money. The bad news, for victims of data theft, is that more fraudsters have access to more stolen data at ever-cheaper prices. And the reason there is so much stolen data available is that hackers simply do not have a difficult time stealing it.

Where is stolen data sold?

But first, it’s important to understand how and where your stolen data is resold. It happens in a part of the World Wide Web called the dark web. Accessed only by using special software that hides the identity of visitors, the dark web is a vast marketplace for anything and everything illegal. Much of it looks very familiar, like any other e-commerce site. Sellers often have ratings given by previous buyers. You can even purchase software to set up your own hacking business. Payments to sellers are arranged using bitcoin, a digital currency whose public ledger records only pseudonymous addresses rather than names, which is what buyers and sellers rely on to stay anonymous.

Once you are in this illicit emporium and you have some bitcoin, buying stolen identities or access to bank accounts is easy. Let’s take stolen credit cards, for example. As when buying anything else online, buyers specify the type of card (Amex, Visa, etc.); whether they want the CVV, the three-digit code on the back of the card; whether they want associated login and password information; names; expiration dates; credit score; Social Security numbers; mother’s maiden name; credit limits; date of birth; specific geographies of usage; and so on. The cost per card varies with the information the buyer wants. Click “buy now,” download your stolen goods, and off you go.

What does stolen data cost to buy?

How much do these cards cost on the dark web? The variations are wide, and also fluctuate depending upon the supply of stolen cards. So if there were a major hack resulting in the compromise of 10 million cards, the price could plummet if the hackers flood the market. But generally speaking (and these figures are derived from a number of publicly available sources), the cost of stolen credit card data is roughly $13-$21, or the bitcoin equivalent thereof. These prices tend to be higher for stolen European Union, Canadian and Australian credit cards. Buyers pay the most for cards with so-called “fullzinfo” or just plain “fullz” – meaning the stolen record has a very complete set of information about the cardholder.

But as detailed in a groundbreaking report by McAfee on the market for stolen digital information, credit and debit cards are not necessarily the usual target of hackers and fraudsters today. Increasingly the targets are the password-protected online payment service accounts. Unlike with credit cards where the cost per card is determined by the different factors the buyer selects, the cost of this stolen data is related largely to the balances in the online accounts.

As you might expect, the price for bank login credentials is another matter. They can be had for as little as $100 for access to accounts with $2,000 or less. Or they can cost upwards of $1,000 for access to accounts with $15,000 or more.

A strong market for stolen health information

Both credit card and bank access data have a shelf life, which ends abruptly once the victims discover they’ve been hacked. But there is another record of digital identity that has more permanent information, and that is any kind of personal health information or PHI, including the very valuable electronic medical records or EMR. These contain highly sensitive information about an individual’s health history. And as such, they can be used to blackmail individuals; to publicly humiliate certain people; to undertake massive insurance fraud with fake claims; and to create many other forms of chaos and harm to victims.

Like other stolen digital data, the cost of such health records is subject to the same supply-demand dynamics as any other traded goods. According to Michael Ash, associate partner of Security Strategy Risk & Compliance at IBM, a stolen EMR can fetch up to $350 on the dark web.

However, due to a large number of such records having been stolen recently and then dumped onto the dark web for sale, prices have dropped, according to recent research. Also, law enforcement authorities have stepped up efforts to locate and apprehend both buyers and sellers of this highly personal health information, which has spooked some buyers. Thus recently, some EMRs have been purchased for as little as $100 apiece. But as mentioned, this is a highly dynamic market in which prices of stolen digital data will vary over time, often wildly.

In any case, the incentives for stealing this data and then selling it to the highest bidders will remain in place for the foreseeable future. Perhaps the single best defense for individuals seeking to protect these assets remains high quality, virtually bullet-proof passwords, and the right password “hygiene” that ensures passwords are changed often. In this regard, it is wise to consider a free password manager to take all the guesswork out of password management, so you can stop the hackers cold.

5 Ways to Protect Yourself from a Phishing Attack



With news of the Gmail phishing attack still fresh in our memory, this is a good time to review some basic precautions you can take to avoid becoming a phishing victim.

Phishing attacks have been on the rise recently because, to put it bluntly, they work. The Anti-Phishing Working Group recorded 1.22 million phishing attacks in 2016, a 65% increase over the previous year. Phishing is the most common way attackers deliver ransomware, which is the fastest-growing form of malware.

Even though phishing has been around for a long time, it’s still amazingly effective. Some attacks have been found to record click-through rates of 30% or more (marketers would kill for that!). As the Gmail attack showed, phishers are becoming sneakier and more effective.

Most phishing attacks take the form of emails disguised to look like they come from trusted sources. The subject line usually carries an urgent message intended to drive immediate action, such as notice that an account has been compromised or that a service is about to be suspended. The attacker’s goal is to alarm the recipient and prompt immediate action – usually downloading an attachment or clicking on a link – without thinking about what they’re doing. That one click can trigger a malware infection.

Here are five steps to keeping yourself safe.

  1. Beware of poor spelling or grammar. Many phishing attacks originate outside the U.S. from people whose first language isn’t English. Legitimate organizations attend to details like grammar, spelling and usage. If the message contains these errors, treat it as suspect.
  2. Never respond to requests for information. Reputable organizations will never ask you to send passwords, credit card numbers or other personally identifiable information by email. Never.
  3. Check the email address. There are two parts to the “From” field of an email: the display name (or alias) and the actual address. The alias can be anything the sender wants it to be, so phishers set it to something legitimate-looking, like “PayPal Customer Service,” while the address behind it sits on some other domain. If the address in that example isn’t at paypal.com, the message is a fake. The reverse doesn’t hold, though: a sender can forge the address as well unless the receiving mail system enforces SPF, DKIM and DMARC, so a matching domain is a necessary check, not proof. Always look before clicking.
  4. Don’t click unless you’re sure. A favorite tactic of phishers is to entice their victims to click on a link that purports to send them to a login or payment page. The page is disguised to look legitimate, but it’s a false front intended to capture information. Before clicking any link, hover your mouse pointer over it first. The address will show up at the bottom of your browser or email client screen. If it looks suspicious, get out of there. Beware of addresses that are doctored to look legitimate, such as “Googlecom.es,” where the domain you would actually be visiting is googlecom.es, not google.com.
  5. Use a password manager. One of the little-known benefits of a password manager is that it protects you from phishing scams. That’s because it won’t offer to fill a record on a login page whose URL doesn’t match the URL stored with the record when it was created. So even if the phisher tricks you into clicking on a link, the password manager gives you an extra layer of protection: if your credentials aren’t offered on a page that looks like your bank, something is wrong with the page. Think of it as phishing insurance.
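Steps 3 to 5 are mechanical checks, so here is an added example (not Keeper’s code; how KeeperFill actually matches URLs is not described on this page) that performs them on constructed inputs: it parses the From header to separate the display name from the real address and checks that address’s domain, extracts the host a link really points at, and offers vault records only for a page whose host matches the stored one, the way a URL-matching password manager would before filling. The matching rule (same host, or a subdomain of the stored host, after lowercasing and IDNA-encoding) is a simplification; real products consult a public-suffix list. The sample message, link and vault records are constructed for this example.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

def _host(url):
    """Lower-cased, IDNA-encoded host of a URL ('' if it has none)."""
    host = urlsplit(url.strip()).hostname or ""
    return host.encode("idna").decode("ascii").lower()

def same_site(stored_url, page_url):
    """True only if the page host is the stored host or a subdomain of it.
    Simplified rule: a real manager would use a public-suffix list here."""
    stored, page = _host(stored_url), _host(page_url)
    return bool(stored) and (page == stored or page.endswith("." + stored))

def check_sender(from_header, claimed_domain):
    """Step 3: the alias is free text; the domain after '@' is what to check."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claimed = claimed_domain.lower()
    ok = domain == claimed or domain.endswith("." + claimed)
    return {"display_name": display, "address": addr, "domain": domain, "matches": ok}

def check_link(link, expected_url):
    """Step 4: judge the real target host, never the link text."""
    return {"target_host": _host(link), "matches": same_site(expected_url, link)}

def should_autofill(vault, page_url):
    """Step 5: offer only records whose stored URL matches the page being shown."""
    return [r["title"] for r in vault if same_site(r["url"], page_url)]

# Constructed vault records (not real accounts).
VAULT = [
    {"title": "Google", "url": "https://accounts.google.com/signin", "user": "alice"},
    {"title": "PayPal", "url": "https://www.paypal.com", "user": "alice"},
]

def demo():
    return {
        "sender": check_sender("PayPal Customer Service <alerts@paypal-security-team.com>", "paypal.com"),
        "link": check_link("https://accounts.googlecom.es/ServiceLogin?continue=home",
                           "https://accounts.google.com"),
        "fill_on_phish": should_autofill(VAULT, "https://accounts.googlecom.es/ServiceLogin"),
        "fill_on_real": should_autofill(VAULT, "https://accounts.google.com/ServiceLogin"),
    }
```

On the sample inputs the “PayPal Customer Service” alias resolves to `paypal-security-team.com`, the `googlecom.es` link fails the host comparison, and the vault offers the Google record on the real `accounts.google.com` page but nothing on the look-alike, which is the behaviour step 5 relies on.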