While Okyo Garde has you covered when it comes to phishing protection, it’s good to understand how these attacks work and how to avoid them in the first place.

Phishing messages are lures designed to trick you into taking an action, such as opening a document, clicking a link, downloading a program/file, or replying to a message. By convincing you to take that action, the attacker may be able to steal your credentials or other personal information or infect your device with malware.

Phishing can come in the form of email messages, text messages, ads, pop-ups, social media, or app content.

Phishing is all about impersonation, posing as brands you trust and people you know.

Phishing almost always uses a sense of urgency in the message to get you to act without thinking.

For example:

  • An email that appears to come from a co-worker asking you to review a time-sensitive document

  • A text message appearing to come from your bank, saying there is a problem with your account or payment

  • An Amazon receipt for something you didn't buy, with an attachment or link to view it

  • A fake security alert saying one of your accounts has been accessed, locked, or compromised

  • An audio file attached to an email, appearing to be an important voicemail you need to listen to

Phishing scams will also use current global events as “themes” to make the message seem more relevant and real. For example, during tax season, there may be an increase in phishing around “problems with your tax return” or “urgent message from the IRS.” At the beginning of the COVID-19 pandemic, there was a surge of phishing emails about “deals” on masks and hand sanitizer and fake CDC alerts about “outbreaks in your area.”

Look for clues

Some phishing can be spotted based on:

  • Spelling and grammar mistakes or language that seems “off”

  • Distorted brand logos

  • Distorted address or subject lines

  • Links to websites/URLs that do not match the actual domain of the impersonated company

  • A sender address that is not from the email domain of the person or company (e.g., an email that purports to be from your bank but whose sender address is a Gmail address)

Other phishing scams are very convincing, targeted, and difficult to catch. There may be no spelling mistakes, and the links and sender addresses may be disguised to look exactly like the correct domains and websites. In this case, you can still spot phishing by asking yourself:

  • Is this message asking me to act urgently?

  • Was I expecting a message from this person or company?

  • Am I being asked to give up sensitive information or enter log-in credentials?

Independently verify

Rather than taking the action prompted by the message, use another method to independently verify whether the message was actually from the person or company it’s purporting to be.

For example, if an email appears to be from a coworker, contact that person via another means (call or text) to verify whether they sent the email. If a text message appears to be from your bank, don’t click the link on your phone. Open a new browser window and log in to your bank account from the website you know and trust. Or, call your bank (but don't reply to the text).

Before you click on any links in email or on the web, hover your cursor over the link without clicking it to see the URL where the link really goes.

Enable multi-factor authentication on accounts

In addition to having your devices protected through Okyo Garde, any sensitive accounts should be configured to use two-factor authentication. Since phishing often tries to trick you into exposing your login credentials, you can add extra security to your accounts by turning on multi-factor authentication (also called “two-factor authentication”). Most online services like bank accounts, email accounts, cloud file sharing, and social media have this as an optional account setting that you can enable via your account profile or security settings in the account.

When enabled, multi-factor authentication requires at least 2 pieces of information to be entered in order to log in and access the account:

1.) something you know (like a password or answer to a security question)

2.) something you have (like a one-time unique code generated each time you log in)

With this enabled, even if you fall for phishing and accidentally expose your password to an attacker, they will not be able to log in to your account without the second factor, the one-time code.
