How to
Ryan Harnedy
May 2016

105 Phishing Prevention Tips to Keep Your Users Off the Hook

Photo by Alan Bishop

They say the classics never go out of style. The Dodge Charger, the little black dress, phishing attacks...wait, phishing attacks?

Yep, even though it’s one of the older cyber threats, the profitability of ransomware and whaling has caused a rise in phishing attacks, especially phishing attacks against corporate email accounts.

A recent study by the Ponemon Institute showed that phishing can cost an average 10,000-person company $4 million USD annually. Even more troubling a recent experiment by JPMorgan showed that 1 in 5 employees will click on a phishing email.

With attackers directing the majority of their focus on targeting users, that means a stronger emphasis on user security awareness training and education has the potential to drastically reduce your risk. To help you educate your users on how to avoid phishing attacks we’ve compiled a list of 105 tips on how to stay off the hooks.

We’ve split them up into four categories: tips for your end users, tips for your IT team, tips to avoid spear-phishing, and tips to avoid whaling attacks.

Anti-Phishing Tips to Share with Your End Users


Image by Neil Tackaberry

10 Tips for Spotting a Phishing Email (TechRepublic) 

Let's kick things off with a list of tell-tale signs your users should learn to recognize to avoid falling for a phishing scam.TechRepublic encourages us all to watch out for mismatched URLs, odd requests, and offers that seem too good to be true.

10 Ways for Users to Protect Themselves from Phishing Scams (Kaspersky) 

One thing I really like about this Kaspersky post is that it shows just how official a phishing email can look, even down to the typeface and signature. Be sure to check the links of any email you’re not sure about.

10 Additional Tips for Phishing Prevention (BizTech magazine) 

This list by BizTech magazine features one of my favorite tips: “If you’re not sure about a site and it prompts you for a password use a fake one. A legit site won’t accept your fake password, but a phishing site will.”

7 Essential Tips to Prevent Phishing Scams (Norton) 

Every tip on this list from Norton is worth following but one of the more insightful (and often skipped over) recommendations is to watch out for generic requests, if someone is asking for general financial or corporate information chances are you’re being phished.

Tips to Help You Protect Your Organization from Phishing Scams


Photo by Julian Svoboda

7 Tips for Mitigating Phishing and Business Email Attacks (Dark Reading) 

This list is geared more towards the enterprise, so it has a lot of good advice for fighting phishing on a corporate level. They do a great job of highlighting the importance of having a response plan, both for attempted and successful phishing attacks.

Phishing Scams: 5 Best Practices to Keep Your Company Safe (Fuse Technology Group) 

Fuse Technology Group very wisely recommends making strong and unique passwords for all important logins. Don’t let a single breach give hackers access to all of your accounts. 

8 Ways to Prevent Phishing Scams (IdentityTheftKiller) 

This list by IdentityTheftKiller hits on one the best ways to keep employees from getting phished — make it company policy that no one should email confidential information, even if it looks like a request from someone you know (or the CEO). If someone really needs that kind of information they should understand and appreciate you taking an extra step to make sure it doesn’t fall into the wrong hands. 

Anti-Spear Phishing Tips


Photo by Florida Fish and Wildlife

A highly targeted version of phishing, "spear phishing" attacks go well above and beyond the typical spam message. Using information they uncover about their targets online, criminals personalize their emails and make them appear as convincing as possible. This can include information pulled from victims’ social media accounts, or from a simple Google search.

One Example of Just How Good Spear Phishing Attacks Have Become (Barkly)

Many of us may still think of phishing as easy-to-spot spam messages from Nigerian princes.The truth is phishing has evolved to become much more advanced and effective. Take this real-life spear phishing email that was sent to our CEO, for example. 

11 Tips to Stop Spear Phishing (CSO Online) 

This list contains a lot of great tips, but the one about regular pen testing is one that corporate IT departments should really take to heart.

5 Ways to Keep Your Users Safe From Spear Phishing (Barkly) 

A great article by one of the handsomest security experts around right now. Okay, okay, I wrote this one. But I really do stand by my “Check Twice, Click Once” policy.

5 Things to Be Aware of to Avoid Getting Spear Phished (CSO)

This post at CSO features five more solid pieces of advice, including a good reminder to be wary of all attachments and make it standard practice to avoid sending sensitive information through email as much as possible.

5 Tips to Keep Spear Phishers Out of Your Inbox (Mashable) 

Mashable’s list is geared towards a less tech-savvy user, but it makes a great case for avoiding clicking on suspicious links and pushing for better endpoint protection (perhaps something like behavior-based endpoint detection?).

Anti-Whaling Tips


Photo by Jeff Jenkins

Whaling is a specific variant of spear phishing that targets executives at a company, often asking for sensitive corporate information such as W-2s, wire transfer information, or corporate financial data. The FBI estimates that whaling attacks have caused over $2 billion in losses.

6 Tips to Prevent ‘Whaling’ Cyber Attacks (FinTech24) 

A great point made in this list is that phishing attacks can pose an even greater threat to companies that let users bring their own device. As the line between personal and corporate technology blurs, users — especially executives with priveleged access and credentials — must be even more more guarded with any device that can connect to critical business data.

Don't Get Harpooned by a Whaling Attacks (NJ Cybersecurity)

This article from the New Jersey cybersecurity office has ten great anti-whaling tips, including some around monitoring your social media and online prescence to limit how well cybercriminals can impersonate you or your executives in a whaling attack. 

How to Stop Your Executives From Being Harpooned (InfoWorld) 

This article by InfoWorld has five excellent tips on how to avoid whaling attacks on your company's executives. All five of them are great but my favorite tip on this list is the one advocating for IT teams to do their own penetration testing and social engineering.

One Last Thing...

If you’re looking for a way to keep phishing from ruining your day, download our new Phishing Field Guide. It's packed with examples of phishing emails and tips for training your users to avoid taking the bait.

Ryan Harnedy

Ryan Harnedy

Ryan writes about how to make cybersecurity make sense to end users and keep employees safe from ransomware, malware, and phishing attacks. He enjoys decoding buzzwords and sharing security tips that users might actually follow.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.