Knowledge without action is vulnerability. Build the habits and defenses that make phishing attacks fail — every time.
Think of your security like layers of armor. A single layer can be pierced. Multiple layers mean attackers must break through all of them.
Enable MFA on every account. Even if an attacker steals your password via phishing, they can't log in without the second factor. Use an authenticator app (Google Authenticator, Microsoft Authenticator) rather than SMS: SMS is better than nothing, but codes can be intercepted via SIM-swapping. Know the limit of code-based MFA, though: a phishing page that relays your password and one-time code to the real site in real time still gets in, because the code is valid for anyone who types it within the window. Where an account offers a hardware security key or passkey (FIDO2), prefer it; those credentials are bound to the genuine site's domain and simply do not work from a look-alike.
Use a password manager (Bitwarden, 1Password) to generate and store unique, complex passwords for every site. Password managers also autofill only on the domain a login was saved for, so they won't offer your credentials on a fake site. Treat that refusal as a signal: if the manager does not recognise a page that looks like your bank, you are probably on a look-alike domain. This gives you a passive layer of phishing protection.
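To make the domain-matching point concrete, here is an added example (not code from Bitwarden, 1Password or this page) modelling the decision a password manager makes before offering saved credentials. It assumes the simplest policy, an exact origin match on scheme, host and port; real managers default to a looser "base domain" match, but that still never equates paypal.com with paypal.com.evil.net, a typo-squat, or a homoglyph domain. The vault entry and the URLs are constructed for the demonstration.

```python
# Added illustration of domain-matched autofill, modelled on how password
# managers decide whether to offer saved credentials. This is not Bitwarden's
# or 1Password's code; the vault contents and URLs below are constructed.
from __future__ import annotations

from urllib.parse import urlsplit


def origin_of(url: str) -> str | None:
    """Reduce a URL to scheme://host[:port].

    The host is lowercased and IDNA-encoded, so a domain spelled with
    look-alike Unicode letters is compared in its punycode (xn--) form and
    can never equal the ASCII domain the login was saved for.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        host = parts.hostname.encode("idna").decode("ascii")
        port = parts.port  # None when the default port is used
    except (UnicodeError, ValueError):
        return None
    return f"{parts.scheme}://{host}" + (f":{port}" if port else "")


def autofill(vault: list[dict], page_url: str) -> dict | None:
    """Offer credentials only when the page origin exactly equals the origin
    stored on a vault entry; path, query and fragment are ignored."""
    page_origin = origin_of(page_url)
    if page_origin is None:
        return None
    for entry in vault:
        if origin_of(entry["url"]) == page_origin:
            return {"username": entry["username"], "password": entry["password"]}
    return None


# Constructed vault entry: the login was saved on the genuine site.
VAULT = [
    {"url": "https://paypal.com/signin", "username": "alice", "password": "correct horse"},
]

# Constructed URLs: two legitimate, the rest typical phishing look-alikes.
CASES = {
    "https://paypal.com/myaccount/summary": True,   # same origin, different path
    "https://PAYPAL.com/":                  True,   # host names are case-insensitive
    "http://paypal.com/":                   False,  # scheme downgrade
    "https://paypal.com:8443/":             False,  # different port
    "https://paypal.com.evil.net/login":    False,  # real domain used as a subdomain
    "https://paypa1.com/":                  False,  # digit one in place of the letter l
    "https://p\u0430ypal.com/":             False,  # Cyrillic 'а' homoglyph
}


def run_cases() -> dict[str, bool]:
    """Map each constructed URL to whether the manager would autofill it."""
    return {url: autofill(VAULT, url) is not None for url in CASES}


if __name__ == "__main__":
    for url, filled in run_cases().items():
        verdict = "FILL  " if filled else "REFUSE"
        print(f"{verdict} {url:40} origin={origin_of(url)}")
```

The homoglyph case is the one worth running yourself: the page looks identical in the address bar of an older browser, yet the manager sees `https://xn--...` and stays silent. That silence is the warning the paragraph above describes.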
Keep browsers updated. Use extensions like uBlock Origin to block malicious ads. Bookmark important sites (bank, payroll, email) and always navigate from bookmarks — never from email links.
Never click links in unexpected emails. Navigate directly to the site instead. Report suspicious emails using your company's phishing report button. Never open attachments from unknown senders — especially .exe, .zip, .docm files.
Any request for money, credentials, or sensitive data — regardless of who it seems to be from — must be verified out-of-band (a separate communication channel). Call the person directly. Never use contact info from the suspicious message itself.
Don't panic. Speed matters — act fast and follow these steps:
Before clicking any link or providing any information, run through this checklist: