# Phishing and Authentication

# Protecting Against Phishing: Recognizing Fake Login Pages

## Summary

Phishing attacks, particularly those using fake authentication pages, represent one of the most common and effective methods for compromising organizational and personal accounts. These attacks have become increasingly sophisticated, with fake Google, Microsoft, and other login pages that look nearly identical to legitimate ones. This guide provides practical strategies for recognizing and avoiding phishing attacks, with special focus on credential-stealing pages.

## What is Phishing?

Phishing is a cybersecurity attack where attackers impersonate trusted entities to trick you into revealing sensitive information like passwords, credit card numbers, or other personal data. The most dangerous phishing attacks use fake login pages that capture your credentials when you try to sign in.

## How Phishing Works

- **Impersonation**: Attackers impersonate familiar brands and services
- **Urgency**: Messages create false sense of emergency ("Your account will be suspended!")
- **Visual similarity**: Fake pages look nearly identical to real ones
- **Human error**: Even security-aware people can be fooled under pressure or distraction
- **Sophistication**: Modern phishing uses AI-generated content and perfect grammar

## Common Phishing Scenarios

**Email-Based Attacks:**

- "Verify your account" messages with login links
- "Suspicious activity detected" security alerts
- Shared document notifications requiring sign-in
- Password expiration warnings
- Invoice or payment requests

**Text Message (SMS) Phishing:**

- Package delivery notifications
- Banking alerts about "suspicious activity"
- Two-factor authentication code requests
- Account verification messages

**Voice Call (Vishing):**

- "Technical support" calls about computer problems
- Bank fraud department calls
- IRS or government agency impersonation

---

## Recognizing Fake Authentication Pages

### Critical Warning Signs

**1. URL / Domain Name Examination (Most Important)**

The URL (or domain name) is your most reliable indicator. ALWAYS check before entering credentials:

**Red Flags:**

- **Wrong domain**: `google-login.com` instead of `google.com`
- **Misspellings**: `g00gle.com`, `micros0ft.com`, `paypa1.com`
- **Extra words**: `google-verify-account.com`, `login-microsoft.net`
- **Suspicious TLDs**: `.tk`, `.ml`, `.ga`, `.cf` (free domains often used by scammers)
- **Subdomains**: `google.com.phishing-site.com` (note: the actual domain is `phishing-site.com`)

**Legitimate URLs:**

- Google: `accounts.google.com` or `*.google.com`
- Microsoft: `login.microsoftonline.com` or `login.microsoft.com`
- Dropbox: `www.dropbox.com/login`
- Apple: `appleid.apple.com`

**Important**: HTTPS (the padlock in your browser) doesn't guarantee safety—phishing sites can have SSL certificates too!
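The checks above can be automated. The script below is an added example and is not part of the original guide: it applies the red flags from this section to a URL, using the legitimate domains and suspicious TLDs named above. The function names, the digit-swap table and the sample URLs are constructed for the example, and the "last two labels" notion of registrable domain is a simplification (real checkers consult the Public Suffix List).

```python
"""Lookalike-domain check (added example; not part of the original guide).
It applies the red flags listed above to a URL. The trusted domains and the
suspicious TLDs come from the guide; the helper names and sample URLs are
constructed for this example."""
from urllib.parse import urlsplit

# Registrable domains of the legitimate login pages named in the guide.
TRUSTED_DOMAINS = {"google.com", "microsoft.com", "microsoftonline.com",
                   "dropbox.com", "apple.com", "paypal.com"}
# Free TLDs the guide calls out as commonly abused.
SUSPICIOUS_TLDS = {"tk", "ml", "ga", "cf"}
# Brand words an attacker reuses in look-alike names, derived from the list above.
BRANDS = {d.split(".")[0] for d in TRUSTED_DOMAINS}
# Digit-for-letter swaps seen in the guide's examples (g00gle, micros0ft, paypa1).
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Last two labels of the host name. Simplification (assumption): real
    checkers consult the Public Suffix List so that names like
    'example.co.uk' are handled correctly."""
    return ".".join(host.split(".")[-2:])


def check_url(url: str) -> dict:
    """Classify a URL as 'trusted', 'suspicious' (with reasons) or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return {"host": host, "registrable_domain": "", "verdict": "suspicious",
                "reasons": ["no host name in URL"]}
    reg = registrable_domain(host)
    # Exact registrable-domain match, the same test a password manager applies
    # before it offers to autofill.
    if reg in TRUSTED_DOMAINS:
        return {"host": host, "registrable_domain": reg, "verdict": "trusted", "reasons": []}

    reasons = []
    if reg.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        reasons.append("free/suspicious TLD")
    if reg.translate(DIGIT_SWAPS) in TRUSTED_DOMAINS:
        reasons.append("lookalike spelling of a trusted domain")
    labels = host.split(".")
    for brand in sorted(BRANDS):
        if brand in labels[:-2]:
            # google.com.phishing-site.com: the brand is only a subdomain label
            reasons.append(f"'{brand}' appears only as a subdomain of {reg}")
        elif any(brand in label for label in labels):
            # google-login.com, login-microsoft.net: brand glued to extra words
            reasons.append(f"'{brand}' embedded in the unrelated domain {reg}")
    verdict = "suspicious" if reasons else "unknown"
    return {"host": host, "registrable_domain": reg, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for u in ["https://accounts.google.com/signin", "https://g00gle.com/login",
              "https://google.com.phishing-site.com/login", "http://secure-login.tk/"]:
        print(u, "->", check_url(u))
```

An "unknown" verdict only means the domain is not on the allowlist; it still needs the manual check described above. The brand-substring test will also flag innocent names that happen to contain a brand word, which is the right trade-off for a warning tool.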

**2. How You Arrived at the Page**

**Suspicious:**

- Clicked a link in an unexpected email
- Followed a link from text message
- Redirected from social media or messaging app
- Pop-up window asking for login
- QR code from untrusted source

**Safer:**

- You manually typed the URL
- Bookmark you created yourself
- Official app on your device

**3. Visual and Behavioral Red Flags**

- **Poor design**: Blurry logos, misaligned elements, wrong fonts
- **Unusual behavior**: Page opens in new window instead of redirecting
- **Missing features**: No language selector, missing "forgot password" links
- **Pre-filled information**: Your email or username already entered
- **Immediate errors**: "Wrong password" on first attempt (capturing your real password)
- **Multiple login prompts**: Asked to sign in repeatedly
- **Download prompts**: Legitimate login pages don't ask you to download files

---

## Practical Protection Strategies

### Before Entering Credentials: The 3-Check Method

**1. STOP - Don't automatically trust**

- Pause before entering any password
- Question why you're being asked to log in
- Were you expecting this request?

**2. CHECK - Verify the URL carefully**

- Look at the entire URL, especially the main domain
- Watch for subtle misspellings
- Verify it matches the service you're accessing

**3. NAVIGATE - When in doubt, go direct**

- Close the suspicious page
- Open a new browser tab
- Type the URL manually or use your bookmark
- Access the service directly, not through the link

### Password Manager as Defense

**Why This Works:** Password managers auto-fill credentials only on sites whose domain matches the entry they saved. If your password manager doesn't offer to fill in your credentials, treat that as a warning sign.

**Best Practice:**

- Use 1Password, Bitwarden, or similar reputable password manager
- Let it generate and store unique passwords for each site
- If it doesn't auto-fill, manually verify the URL before proceeding

### Multi-Factor Authentication (2FA)

**Critical Protection:** Even if attackers get your password through phishing, 2FA provides a second barrier.

**Important Limitation:** Advanced phishing attacks can capture 2FA codes in real time. That's why URL verification remains critical.

**Best 2FA Methods:**

1. **Hardware security keys** (YubiKey, Titan) - most secure, can't be phished
2. **Passkeys** (tied to your browser or device) - act like hardware keys; you unlock them with your device password or biometrics
3. **Authenticator apps** (Authy, Google Authenticator) - very secure
4. **SMS codes** - better than nothing, but vulnerable to SIM swapping attacks

### Google/Microsoft-Specific Protections

**Google Advanced Protection Program:**

- Requires physical security keys
- Prevents OAuth token phishing
- Recommended for high-risk individuals (public figures, activists, journalists)
- More info: g.co/advancedprotection

**Microsoft Security Defaults:**

- Enforces MFA for all users
- Blocks legacy authentication
- Available for Microsoft 365 organizations

---

## Common Phishing Scenarios and How to Handle Them

### Scenario 1: "Someone shared a Google Doc with you"

**The Attack:** Email appears to be from Google Drive, with a link to view a shared document. Clicking it leads to a fake Google login page.

**How to Spot:**

- Check sender email address (is it actually someone you know?)
- Hover over link before clicking—does it go to `drive.google.com`?
- Were you expecting a document from this person?

**Safe Response:**

- Don't click the link in the email
- Log into Google Drive directly
- Check your "Shared with me" folder
- Or contact the sender through a different channel to verify

### Scenario 2: "Unusual sign-in activity detected"

**The Attack:** Email claiming suspicious activity on your account, urging an immediate password change via the provided link.

**How to Spot:**

- Generic greeting ("Dear User" instead of your name)
- Urgent language creating panic
- Link goes to non-official domain
- Grammar or spelling errors (less common now with AI)

**Safe Response:**

- Don't click any links in the email
- Open a new browser tab and log in directly to the service
- Check account activity through official channels
- If concerned, contact support through official website

### Scenario 3: "Verify your email to prevent account suspension"

**The Attack:** Threatening message that your account will be closed unless you "verify" it by logging in through the provided link.

**How to Spot:**

- Legitimate services rarely threaten immediate suspension
- Creates false urgency
- Link doesn't match service's official domain

**Safe Response:**

- Ignore the threat—it's designed to cause panic
- Log in directly through official channels to verify account status
- Check service's official support channels if concerned

### Scenario 4: QR Code Phishing ("Quishing")

**The Attack:** An email or physical document contains a QR code that supposedly leads to a login page or verification process. The QR code actually goes to a phishing site.

**How to Spot:**

- Unexpected QR codes in emails
- QR codes for "urgent" account actions
- QR codes in unsolicited physical mail

**Safe Response:**

- Don't scan QR codes from untrusted sources
- If you scan it, examine the URL carefully before visiting
- Better: navigate to the service directly instead

---

## Email Security Practices

### Verifying Email Authenticity

**Check the Full Email Address:**

- Click on sender name to see complete address
- `noreply@google.com` is legitimate
- `noreply@google-secure-login.com` is not

**Look for Inconsistencies:**

- Display name says "Google" but address is `admin@gmail.com`
- Official company communications rarely come from free email services

**Verify Email Headers (Advanced):** Email headers show routing and authentication information that is harder to fake:

- In Gmail: Click three dots → "Show original"
- Look for "SPF," "DKIM," and "DMARC" authentication passes
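The "Show original" view exposes an `Authentication-Results` header in which the receiving server records its SPF, DKIM and DMARC verdicts. The parser below is an added example and is not part of the original guide: it reads that header (RFC 8601 format) and summarises whether the sender's domain was verified. The two sample headers are constructed, with `example.org` as the sender and `mx.google.com` standing in for the receiving server; the `trusted_authserv` parameter is an assumption of this example.

```python
"""Parse the Authentication-Results header that your own mail provider adds
(the one Gmail shows under "Show original"). Added example; not part of the
original guide. Format follows RFC 8601; the two sample headers are
constructed, with example.org as the sender and mx.google.com as the
receiving server."""
import re

_COMMENT = re.compile(r"\([^)]*\)")        # RFC 5322 comments, e.g. "(p=REJECT ...)"


def parse_authentication_results(header: str) -> dict:
    """Return {'authserv_id': ..., 'spf': {...}, 'dkim': {...}, 'dmarc': {...}}."""
    if header.lower().startswith("authentication-results:"):
        header = header.split(":", 1)[1]
    value = " ".join(_COMMENT.sub("", header).split())    # drop comments, unfold lines
    parts = [p.strip() for p in value.split(";") if p.strip()]
    results = {"authserv_id": parts[0].lower()}
    for item in parts[1:]:
        tokens = item.split()
        method, _, result = tokens[0].partition("=")
        entry = {"result": result.lower()}
        for prop in tokens[1:]:                       # e.g. header.from=example.org
            key, _, val = prop.partition("=")
            entry[key.lower()] = val
        results[method.lower()] = entry
    return results


def _domain(addr: str) -> str:
    """Domain part of 'user@domain', '@domain' or a bare domain."""
    return addr.rsplit("@", 1)[-1].lower()


def _aligned(a: str, b: str) -> bool:
    """DMARC 'relaxed' alignment: identical, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def assess(header: str, trusted_authserv: str = "mx.google.com") -> dict:
    """Summarise what a recipient can conclude. Only the header written by your
    own provider counts; anything else in the message could have been forged."""
    r = parse_authentication_results(header)
    spf, dkim, dmarc = r.get("spf", {}), r.get("dkim", {}), r.get("dmarc", {})
    from_domain = _domain(dmarc.get("header.from", ""))
    spf_aligned = (spf.get("result") == "pass"
                   and _aligned(_domain(spf.get("smtp.mailfrom", "")), from_domain))
    dkim_domain = _domain(dkim.get("header.d") or dkim.get("header.i", ""))
    dkim_aligned = dkim.get("result") == "pass" and _aligned(dkim_domain, from_domain)
    header_trusted = r["authserv_id"] == trusted_authserv.lower()
    return {
        "authserv_id": r["authserv_id"],
        "header_trusted": header_trusted,
        "from_domain": from_domain,
        "spf": spf.get("result", "missing"),
        "spf_aligned": spf_aligned,
        "dkim": dkim.get("result", "missing"),
        "dkim_aligned": dkim_aligned,
        "dmarc": dmarc.get("result", "missing"),
        # The sender counts as verified only if a trusted server says DMARC passed.
        "sender_verified": (header_trusted and dmarc.get("result") == "pass"
                            and (spf_aligned or dkim_aligned)),
    }


# Constructed sample: a genuine notification (all three pass) ...
GOOD_HEADER = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.org header.s=google header.b=Zq1k9Lm2;
       spf=pass (google.com: domain of alerts@example.org designates 203.0.113.10 as permitted sender) smtp.mailfrom=alerts@example.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.org"""
# ... and a spoofed one sent from a server the domain never authorised.
BAD_HEADER = """Authentication-Results: mx.google.com;
       dkim=none;
       spf=softfail (google.com: domain of transitioning alerts@example.org does not designate 198.51.100.7 as permitted sender) smtp.mailfrom=alerts@example.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.org"""

if __name__ == "__main__":
    print(assess(GOOD_HEADER))
    print(assess(BAD_HEADER))
```

The `authserv_id` check matters: a message can carry several `Authentication-Results` headers, and only the one stamped by your own incoming mail server is trustworthy, so set `trusted_authserv` to that server's name.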

### Email Link Hygiene

**Before Clicking Any Link:**

1. **Hover** over the link to see the actual URL (don't click yet!)
2. **Read** the entire URL carefully
3. **Compare** to known legitimate URLs
4. **When in doubt**, type the URL manually instead

**Link Disguising Techniques to Watch For:**

- Display text: "google.com" but actual link: "evil-site.com"
- URL shorteners (bit.ly, tinyurl) hiding the real destination
- Misleading subdomains: `microsoft.com.phishing.com`
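The first two disguises in that list can be checked mechanically before anyone clicks. The script below is an added example, not part of the original guide: it pulls every link out of an HTML email body and flags anchors whose visible text names one domain while the `href` points somewhere else, as well as the shorteners named above. The sample message is constructed, `phishing-site.example` is a placeholder, and the "last two labels" domain comparison is a simplification.

```python
"""Display-text vs. destination check for links in an HTML email (added
example; not part of the original guide). It extracts every <a> from the
message body and flags links whose visible text names one domain while the
href points at another, plus the URL shorteners the guide mentions. The
sample message is constructed; 'phishing-site.example' is a placeholder."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com"}          # named in the guide
# Display text that looks like a domain or URL (e.g. "google.com", "https://x.org/p").
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the document."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels (simplification; a real tool uses the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(text: str) -> str:
    """Host name of a URL or bare domain, '' if there is none."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def audit_links(html: str) -> list:
    """One entry per link; 'reasons' is empty when nothing looks disguised."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        if DOMAIN_LIKE.match(text):
            shown = host_of(text)
            if registrable_domain(shown) != registrable_domain(target):
                reasons.append(f"text shows {shown} but the link goes to {target}")
        if target in SHORTENERS:
            reasons.append(f"{target} is a URL shortener hiding the real destination")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: two disguised links and one honest one.
SAMPLE_EMAIL = """
<p>Unusual sign-in detected. Review your account at
<a href="https://google.com.phishing-site.example/login">google.com</a>.</p>
<p>Or <a href="https://bit.ly/3xAmpLe">click here</a> to verify now.</p>
<p>Security checkup: <a href="https://myaccount.google.com/security-checkup">myaccount.google.com</a></p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(finding)
```

Links whose text is a plain phrase ("click here") cannot be compared this way, which is exactly why the guide tells you to hover and read the real URL for those.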

---

## Resources and Tools

**Browser Extensions (Warning Tools):**

- uBlock Origin (blocks malicious sites)
- HTTPS Everywhere (forces encrypted connections)
- Password manager extensions (won't auto-fill on fake sites)

**Website Safety Checkers:**

- Google Safe Browsing: [transparencyreport.google.com/safe-browsing/search](https://transparencyreport.google.com/safe-browsing/search)
- VirusTotal: [virustotal.com](https://virustotal.com) (analyze suspicious URLs)

**Account Security Checkups:**

- Google: [myaccount.google.com/security-checkup](https://myaccount.google.com/security-checkup)
- Microsoft: [account.microsoft.com/security](https://account.microsoft.com/security)
- Apple: [appleid.apple.com/account/manage](https://appleid.apple.com/account/manage)
- Facebook: [facebook.com/settings?tab=security](https://facebook.com/settings?tab=security)

# Safer Authentication: Password Usage Training Framework

<table id="bkmrk-audience%3A-nonprofit%2F"><thead><tr><th></th><th></th></tr></thead><tbody><tr><td>**Audience:** Nonprofit/advocacy staff, mixed tech levels  
  
**Format:** In-person or virtual, 8–25 participants  
  
**Duration:** 90 min (or two 45-min sessions)  
  
**Facilitator needs:** 1Password account + browser extension ready; basic 2FA familiarity  
  
**Materials:** Slide deck + participant handout (provided)</td><td>**Participants will be able to:**  
  
• Explain why passwords alone don’t protect accounts  
  
• Set up and use 1Password for daily work  
  
• Enable 2FA on their highest-priority accounts  
  
• Identify their top 5 accounts and concrete next steps  
  
• Describe what passkeys are and where to enable them</td></tr></tbody></table>

<table id="bkmrk-session-flow"><thead><tr><th></th></tr></thead><tbody><tr><td>**Session Flow**</td></tr></tbody></table>

<table id="bkmrk-%23%C2%A0-%2F%C2%A0-time-module-ke"><thead><tr><th></th><th></th><th></th></tr></thead><tbody><tr><td>**\# / Time**</td><td>**Module**</td><td>**Key Content + Notes**</td></tr><tr><td>**1**  
  
10 min</td><td>**Why This Matters**</td><td>Opening hook: show of hands on password reuse -- normalize it  
  
Core problem: credential reuse &amp; phishing, not sophisticated hacking  
  
Key stat: compromised credentials in ~40% of breaches (Verizon DBIR 2024)</td></tr><tr><td>**2**  
  
25 min</td><td>**Password Managers: 1Password**</td><td>Concepts: master password, Secret Key, Emergency Kit, vaults (5 min)  
  
Live demo: interface tour, save &amp; generate, autofill, 2FA setup, shared vaults (15 min)  
  
Q&amp;A (5 min): prep answer for “What if 1Password gets hacked?”  
  
Have extension installed before the session. Autofill demo doubles as phishing protection explainer.</td></tr><tr><td>**3**  
  
20 min</td><td>**Two-Factor Authentication**</td><td>2FA method ranking: hardware key → authenticator app → 1Password TOTP → SMS  
  
Priority order: email → financial → cloud storage → CRM → social media  
  
Worksheet: participants identify their top 5 accounts (5 min)</td></tr><tr><td>**4**  
  
10 min</td><td>**Introduction to Passkeys**</td><td>What passkeys are, why they’re better (no password to steal, phishing-resistant)  
  
Where they work today: Google, Apple, Microsoft, GitHub, PayPal</td></tr><tr><td>**5**  
  
25 min</td><td>**Action Plan + Wrap-Up**</td><td>Walk through 3-column plan: This Week / Next 30 Days / Ongoing  
  
Individual reflection: one commitment in next 48 hours (write it down)  
  
Three takeaways, resources, Q&amp;A</td></tr></tbody></table>

<table id="bkmrk-facilitation-princip"><thead><tr><th></th></tr></thead><tbody><tr><td>**Facilitation Principles**</td></tr></tbody></table>

<table id="bkmrk-lead-with-care%2C-not-"><thead><tr><th></th><th></th></tr></thead><tbody><tr><td>**Lead with care, not fear:** capability over anxiety; overwhelm creates paralysis  
  
**Normalize the starting point:** reused passwords are the norm, not a failure  
  
**Prioritize action:** better to leave having done one thing than understood everything</td><td>**Don’t let perfect block good:** SMS 2FA beats no 2FA; progress over perfection  
  
**Right-size to the group:** tailor examples to their platforms; pair early adopters with neighbors  
  
**Optional extension (30 min):** hands-on 1Password install for groups under 15 with a co-facilitator</td></tr></tbody></table>

# Google Workspace Under Login Attack: What to Do

*A one-page playbook for small and mid-size organizations*

Failed logins are normal background noise on the internet. The real question is whether any are succeeding, and whether your accounts are protected if one does.

**Step 1: Check if anything got in**

Sign in to [admin.google.com](https://admin.google.com) and go to Reporting > Audit and investigation > Login audit log. Filter for successful logins in the last 30 days. Look for logins from countries no one works in, unfamiliar IP addresses, or dormant accounts.

If you find a suspicious successful login, suspend the account, reset the password, sign out all sessions, and check the user's Gmail for new forwarding rules or filters.
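Step 1 is a small triage that can be scripted once the login audit log is exported. The script below is an added example and is not part of the original playbook: it runs the three questions above (unexpected country, unfamiliar IP address, dormant account) over successful logins, and additionally flags a success that directly follows a burst of failures from the same address. The CSV column layout, the allowed countries and the office IP address are assumptions made for this example, not Google's export schema; the sample rows are constructed and use documentation IP ranges.

```python
"""Triage of a login-audit export (added example; not part of the original
playbook). It applies Step 1's three questions to successful logins: unexpected
country, unfamiliar IP address, dormant account. It also flags a success that
follows a burst of failures from the same address. The CSV layout, the allowed
countries and the office IP are assumptions for this example, not Google's
export schema; the sample rows are constructed and use documentation IP ranges."""
import csv
import io
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"US", "CA"}            # where staff actually work (assumed)
KNOWN_EGRESS_IPS = {"198.51.100.20"}         # office address (assumed, RFC 5737 range)
DORMANT_AFTER = timedelta(days=60)           # no successful login for this long
FAILURE_BURST = 5                            # failures from one IP before a success
BURST_WINDOW = timedelta(minutes=15)

# Constructed sample export (columns assumed for this example).
SAMPLE_LOG = """timestamp,user,event,ip,country
2024-12-20T08:10:00Z,carol@yourorg.example,login_success,198.51.100.20,US
2025-03-01T09:02:11Z,alice@yourorg.example,login_success,198.51.100.20,US
2025-03-01T09:05:40Z,bob@yourorg.example,login_failure,203.0.113.55,BR
2025-03-01T09:05:52Z,bob@yourorg.example,login_failure,203.0.113.55,BR
2025-03-01T09:06:03Z,bob@yourorg.example,login_failure,203.0.113.55,BR
2025-03-01T09:06:15Z,bob@yourorg.example,login_failure,203.0.113.55,BR
2025-03-01T09:06:30Z,bob@yourorg.example,login_failure,203.0.113.55,BR
2025-03-01T09:06:44Z,bob@yourorg.example,login_success,203.0.113.55,BR
2025-03-02T14:30:00Z,carol@yourorg.example,login_success,192.0.2.77,CA
2025-03-03T11:00:00Z,alice@yourorg.example,login_success,198.51.100.20,US
"""


def parse_log(text: str) -> list:
    """Read the CSV export and sort events chronologically."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    rows.sort(key=lambda r: r["ts"])
    return rows


def triage(rows: list) -> list:
    """One finding per successful login that deserves a human look."""
    findings, last_success, failures_by_ip = [], {}, {}
    for r in rows:
        if r["event"] == "login_failure":
            failures_by_ip.setdefault(r["ip"], []).append(r["ts"])
            continue
        if r["event"] != "login_success":
            continue
        reasons = []
        if r["country"] not in ALLOWED_COUNTRIES:
            reasons.append(f"login from {r['country']}, where nobody works")
        if r["ip"] not in KNOWN_EGRESS_IPS:
            reasons.append(f"unfamiliar IP address {r['ip']}")
        prev = last_success.get(r["user"])
        if prev is not None and r["ts"] - prev > DORMANT_AFTER:
            reasons.append(f"dormant account: previous success {(r['ts'] - prev).days} days earlier")
        burst = [t for t in failures_by_ip.get(r["ip"], []) if r["ts"] - t <= BURST_WINDOW]
        if len(burst) >= FAILURE_BURST:
            reasons.append(f"success after {len(burst)} failed attempts from {r['ip']}")
        last_success[r["user"]] = r["ts"]
        if reasons:
            findings.append({"user": r["user"], "time": r["timestamp"],
                             "ip": r["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f["time"], f["user"], "->", "; ".join(f["reasons"]))
```

Each finding maps to the response in the playbook: suspend the account, reset the password, sign out all sessions, and check Gmail for new forwarding rules or filters. Tune the country and IP allowlists to where your people really are; a remote worker on a new connection will trip the "unfamiliar IP" rule, which is a prompt to ask, not a verdict.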

**Step 2: Audit your 2FA coverage**

Go to Reporting > User reports > Security. This shows you who has 2-Step Verification (2FA) turned on and who does not. Immediately add 2FA to all accounts without it.

**Step 3: Close the biggest gaps, in order**

- **Enforce 2-Step Verification for everyone.** This single change does more than everything else combined. Set a deadline 2 to 4 weeks out, communicate it clearly, and help the few people who need help enrolling. Path: Security > Authentication > 2-Step Verification.
- **Disable app-specific passwords.** These bypass 2FA. Once legacy protocols are off, almost nothing legitimate needs them. Path: Security > Authentication > Less secure apps and app passwords.
- **Give admins hardware security keys.** SMS and authenticator codes can still be phished. Hardware keys (YubiKey, Titan) cannot. Budget about $50 per admin for two keys, primary and backup.
- **Review which outside apps have access to your data.** Path: Security > Access and data control > API controls. Revoke anything unfamiliar or unused for 90+ days.

**Step 4: Turn on alerts so you find out faster next time**

Path: Security > Alert center > Settings. Enable alerts for suspicious logins, leaked passwords, and changed email settings. Route them to an inbox or channel someone actually reads.

**If you do only one thing: enforce 2-Step Verification for everyone.** *It is the single highest-impact change you can make.*

# Protecting Your Email Domain from Phishing and Scams

## A Step-by-Step Guide to SPF, DKIM, and DMARC

### What Is This?

Every day, criminals send emails pretending to be from organizations like yours. They use your organization's name and email domain to trick your staff, donors, and community members into clicking malicious links or handing over sensitive information. This is called **email spoofing**, and it's one of the most common ways phishing attacks succeed.

The good news: there are three email security tools — SPF, DKIM, and DMARC — that work together to make it much harder for attackers to impersonate your organization. Enabling these tools tells the world's email systems: *"Only emails that come from us are really from us."*

> **What This Protects Against**
> 
> Criminals sending emails that appear to come from your domain (e.g., yourname@yourorg.org) to trick staff, donors, or community members. These tools also protect your organization's reputation — if your domain is used to send spam, it can get blacklisted, meaning your legitimate emails stop being delivered.

---

## The Three Tools Explained (In Plain English)

You don't need to understand the technical details — that's your IT provider's job. But here's a simple way to think about each one:

<table id="bkmrk-protocol-what-it-doe"><thead><tr><th>Protocol</th><th>What It Does</th><th>Who Sets It Up</th></tr></thead><tbody><tr><td>**SPF**</td><td>Verifies which mail servers can send email from your domain</td><td>Your IT provider or domain registrar</td></tr><tr><td>**DKIM**</td><td>Adds a digital signature to emails so recipients know they're genuine</td><td>Your IT provider or email platform (Google/Microsoft)</td></tr><tr><td>**DMARC**</td><td>Tells email providers what to do with messages that fail SPF or DKIM checks</td><td>Your IT provider or domain registrar</td></tr></tbody></table>

### SPF — The Guest List

Think of SPF like a guest list at the door of your event. It tells email providers around the world: "Here is the list of mail servers allowed to send email on behalf of our organization." If an email arrives claiming to be from you, but it's not on the list, the receiving server knows something is wrong and can reject or flag it.

### DKIM — The Wax Seal

DKIM works like a wax seal on an old-fashioned letter. When your organization sends an email, DKIM adds an invisible digital signature. The receiving email server checks that seal to confirm the message genuinely came from you and wasn't tampered with along the way.

### DMARC — The Instructions

DMARC is the set of instructions you give to the email world that says: "If an email claims to be from us but fails the SPF or DKIM checks, here's what to do with it — quarantine it, reject it, or just let us know." DMARC also sends you regular reports so you can see if anyone is attempting to misuse your domain.

> **Important Note**
> 
> Setting up these tools requires access to your organization's domain settings (DNS records). This is typically managed by your IT provider or whoever hosts your domain. We strongly recommend working with your IT provider to implement these. The steps below are provided so you understand what to ask for — or to follow along if you're doing this yourself.

---

## Step-by-Step Setup: Google Workspace (Gmail)

If your organization uses Google Workspace (formerly G Suite) for email, follow these steps. You'll need to be a Google Workspace Admin to complete them.

### Step 1: Set Up SPF

SPF for Google Workspace is a single record you add to your domain's DNS settings.

1. Log in to your domain registrar (e.g., GoDaddy, Namecheap, Google Domains, Squarespace). If you're not sure who your registrar is, ask your IT provider.
2. Find the DNS settings. This is usually labeled "DNS Management," "Advanced DNS," or "Manage Domain."
3. Look for existing TXT records. If you already have a record starting with "v=spf1" you'll need to edit it rather than add a new one: a domain with two SPF records fails SPF validation entirely.
4. Add or update the TXT record with this value exactly:

    ```
    v=spf1 include:_spf.google.com ~all
    ```
5. Save the record. DNS changes can take up to 48 hours to take effect, though usually it's much faster.

> **What the record means**
> 
> The "~all" at the end means "soft fail" — emails from unlisted servers are flagged but not immediately rejected. This is the safest starting point. Your IT provider can later change it to "-all" (hard fail) once everything is confirmed working.

### Step 2: Set Up DKIM

Google Workspace generates your DKIM key for you. You just need to activate it and add it to your DNS.

1. Go to your Google Workspace Admin Console at [admin.google.com](https://admin.google.com).
2. Navigate to: **Apps → Google Workspace → Gmail → Authenticate email.**
3. Select your domain from the dropdown.
4. Click "Generate New Record." Leave the default settings as they are and click Generate.
5. Google will display a TXT record value. Copy this entire value — it will be a long string of letters and numbers.
6. Go back to your domain registrar's DNS settings and add a new TXT record:
    - **Name/Host:** `google._domainkey` (the full name is `google._domainkey.yourorg.org`; many registrars append your domain automatically)
    - **Value:** Paste the long string Google gave you
7. Save the record, then return to the Google Admin Console and click "Start Authentication."

> **Not seeing the option?**
> 
> The DKIM setup wizard is only available to Google Workspace admins. If you don't see it, confirm that you're logged in with your admin account, not your regular staff account.

### Step 3: Set Up DMARC

DMARC is added as a TXT record in your DNS settings, just like SPF and DKIM. We recommend starting in "monitor only" mode before enforcing rejections.

1. Go back to your domain registrar's DNS settings.
2. Add a new TXT record:

    - **Name/Host:** `_dmarc`
    - **Value:** `v=DMARC1; p=none; rua=mailto:it@yourorg.org`

    Replace `it@yourorg.org` with a real email address where you'd like to receive DMARC reports. This can be your IT provider's address.
3. Save the record.
4. After a few weeks of reviewing reports, your IT provider can update "p=none" to "p=quarantine" (suspicious emails go to spam) and eventually "p=reject" (suspicious emails are blocked entirely).

---

## Step-by-Step Setup: Microsoft 365 (Outlook)

If your organization uses Microsoft 365 for email, the process is similar. You'll need to be a Microsoft 365 Global Admin and have access to your domain registrar.

### Step 1: Set Up SPF

Microsoft 365 uses a different SPF value than Google Workspace.

1. Log in to your domain registrar and navigate to your DNS settings.
2. Look for any existing TXT record starting with "v=spf1." If one exists, edit it. Do not add a second SPF record.
3. Add or update the TXT record with this value:

    ```
    v=spf1 include:spf.protection.outlook.com ~all
    ```
4. Save the record and allow up to 48 hours for it to take effect.

### Step 2: Set Up DKIM

Microsoft 365 also generates your DKIM keys for you through the Defender portal.

1. Log in to the Microsoft 365 Defender portal at [security.microsoft.com](https://security.microsoft.com).
2. In the left navigation, go to: **Email & Collaboration → Policies & Rules → Threat Policies → Email Authentication Settings.**
3. Select the **DKIM** tab.
4. Choose your domain and click "Enable."
5. Microsoft will display two CNAME records you need to add to your DNS. Copy both values exactly.
6. Go to your domain registrar's DNS settings and add both CNAME records as provided.
7. Return to the Defender portal and verify the status shows "Enabled." This may take up to 72 hours.

### Step 3: Set Up DMARC

DMARC setup is identical regardless of whether you use Google Workspace or Microsoft 365.

1. Go to your domain registrar's DNS settings.
2. Add a new TXT record:

    - **Name/Host:** `_dmarc`
    - **Value:** `v=DMARC1; p=none; rua=mailto:it@yourorg.org`

    Replace `it@yourorg.org` with a real email address where you'd like to receive DMARC reports.
3. Save the record.
4. After 4–6 weeks, review the DMARC reports with your IT provider and tighten the policy to "p=quarantine" and then "p=reject."

---

## How to Verify It's Working

Once your IT provider has set everything up, you can verify the settings are active using a free tool called MXToolbox. No technical knowledge required.

1. Go to [mxtoolbox.com](https://mxtoolbox.com) in your web browser.
2. In the search bar, type your organization's domain name (e.g., yourorg.org) and select "SPF Record Lookup" from the dropdown. A green result means it's working.
3. Repeat the search selecting "DKIM Lookup" — you will need to enter your domain and the selector (for Google it's "google"; for Microsoft it's "selector1").
4. Finally, select "DMARC Lookup" and enter your domain. A valid policy will be displayed.

> **See something red or an error?**
> 
> Don't panic — just share the screenshot with your IT provider. It will help them quickly identify what needs to be fixed.
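For readers who would rather check the records themselves than read a screenshot, the script below is an added example and is not part of the original guide. It validates the three record types published in the Google Workspace and Microsoft 365 steps above: it catches the mistakes those steps warn about (two SPF records, a record that never says what to do with unlisted senders, DMARC without a reporting address) and reports which stage a DMARC policy is at (monitor, quarantine, reject). The SPF and DMARC values are the ones the guide tells you to publish; the extra records are constructed counter-examples and the DKIM public key is a placeholder.

```python
"""Syntax and policy check for SPF, DKIM and DMARC TXT records (added example;
not part of the original guide). It catches the mistakes the guide warns about
(two SPF records, a missing 'all' term, DMARC left without a reporting
address) and reports which stage a DMARC policy is at. The records in main()
are the ones the guide tells you to publish, plus constructed counter-examples;
the DKIM public key is a placeholder."""

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v' tag lists (DKIM and DMARC share this syntax)."""
    tags = {}
    for part in record.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags


def check_spf(txt_records: list) -> dict:
    """Evaluate the SPF record among all TXT records at the domain apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"status": "missing", "issues": ["no v=spf1 record"]}
    if len(spf) > 1:
        return {"status": "invalid",
                "issues": [f"{len(spf)} SPF records found; a domain must have exactly one"]}
    issues, includes, lookups, all_term = [], [], 0, None
    for term in spf[0].split()[1:]:
        body = term.lstrip("+-~?").lower()
        name = body.split(":", 1)[0].split("=", 1)[0]
        if name == "all":
            all_term = term.lower() if term[0] in "+-~?" else "+all"   # bare 'all' means '+all'
        elif name in DNS_LOOKUP_TERMS:
            lookups += 1
            if name == "include":
                includes.append(body.split(":", 1)[1])
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
        status = "invalid"
    elif all_term is None or all_term == "+all":
        issues.append("record allows any server to send as this domain (no '-all' or '~all')")
        status = "unsafe"
    elif all_term == "-all":
        status = "enforcing"        # hard fail
    elif all_term == "~all":
        status = "soft-fail"        # the guide's recommended starting point
    else:
        status = "neutral"          # ?all: receivers treat it as no policy
    return {"status": status, "all": all_term, "includes": includes,
            "lookups": lookups, "issues": issues}


def check_dkim(txt: str) -> dict:
    """Check the TXT record at <selector>._domainkey.<domain>."""
    tags, issues = parse_tags(txt), []
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        issues.append("v= must be DKIM1")
    if not tags.get("p"):
        issues.append("empty p= means the key has been revoked")
    if tags.get("k", "rsa").lower() not in ("rsa", "ed25519"):
        issues.append(f"unknown key type {tags['k']}")
    return {"status": "invalid" if issues else "ok",
            "key_type": tags.get("k", "rsa").lower(), "issues": issues}


def check_dmarc(txt: str) -> dict:
    """Check the TXT record at _dmarc.<domain>; 'status' names the policy stage."""
    tags, errors, warnings = parse_tags(txt), [], []
    if tags.get("v", "").upper() != "DMARC1" or not txt.lstrip().lower().startswith("v=dmarc1"):
        errors.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        errors.append("p= must be none, quarantine or reject")
    if "rua" not in tags:
        warnings.append("no rua= address: you will not receive aggregate reports")
    pct = int(tags.get("pct", "100"))
    if policy in ("quarantine", "reject") and pct < 100:
        warnings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    stage = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}.get(policy)
    return {"status": "invalid" if errors else stage, "policy": policy,
            "reports_to": tags.get("rua"), "issues": errors + warnings}


if __name__ == "__main__":
    print(check_spf(["v=spf1 include:_spf.google.com ~all"]))
    print(check_spf(["v=spf1 include:_spf.google.com ~all",
                     "v=spf1 include:spf.protection.outlook.com ~all"]))   # the two-record mistake
    print(check_dkim("v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY_FROM_ADMIN_CONSOLE"))
    print(check_dmarc("v=DMARC1; p=none; rua=mailto:it@yourorg.org"))
```

To run this against a live domain, fetch the TXT records first, for example with dnspython's `dns.resolver.resolve("yourorg.org", "TXT")` for SPF, `google._domainkey.yourorg.org` or `selector1._domainkey.yourorg.org` for DKIM, and `_dmarc.yourorg.org` for DMARC. Long DKIM keys come back as several quoted strings that must be joined before checking, and Microsoft's DKIM names are CNAMEs that the resolver follows for you.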

---

## What to Do Next

Here is a simple checklist to share with your IT provider:

- [ ]  Ask your IT provider to confirm whether SPF, DKIM, and DMARC are already set up for your domain.
- [ ]  If not, share this guide with them and ask them to set all three up.
- [ ]  Request that DMARC start in monitoring mode (p=none) and that they review the reports after 4–6 weeks.
- [ ]  Once monitoring confirms no legitimate email is being blocked, ask them to update DMARC to p=quarantine, then eventually p=reject.
- [ ]  Verify everything is working using MXToolbox ([mxtoolbox.com](https://mxtoolbox.com)).

> **Remember: Technology Is Just One Layer**
> 
> SPF, DKIM, and DMARC significantly reduce the risk of your domain being spoofed, but they don't make your organization immune to phishing. Attackers can still send phishing emails from other domains that look convincing. Staff training, simulated phishing tests, and a culture of "when in doubt, report it" remain just as important.