Phishing and Authentication Protecting Against Phishing: Recognizing Fake Login Pages Summary Phishing attacks, particularly those using fake authentication pages, represent one of the most common and effective methods for compromising organizational and personal accounts. These attacks have become increasingly sophisticated, with fake Google, Microsoft, and other login pages that look nearly identical to legitimate ones. This guide provides practical strategies for recognizing and avoiding phishing attacks, with special focus on credential-stealing pages. What is Phishing? Phishing is a cybersecurity attack where attackers impersonate trusted entities to trick you into revealing sensitive information like passwords, credit card numbers, or other personal data. The most dangerous phishing attacks use fake login pages that capture your credentials when you try to sign in. How Phishing Works Impersonation : Attackers impersonate familiar brands and services Urgency : Messages create false sense of emergency ("Your account will be suspended!") Visual similarity : Fake pages look nearly identical to real ones Human error : Even security-aware people can be fooled under pressure or distraction Sophistication : Modern phishing uses AI-generated content and perfect grammar Common Phishing Scenarios Email-Based Attacks: "Verify your account" messages with login links "Suspicious activity detected" security alerts Shared document notifications requiring sign-in Password expiration warnings Invoice or payment requests Text Message (SMS) Phishing: Package delivery notifications Banking alerts about "suspicious activity" Two-factor authentication code requests Account verification messages Voice Call (Vishing): "Technical support" calls about computer problems Bank fraud department calls IRS or government agency impersonation Recognizing Fake Authentication Pages Critical Warning Signs 1. URL / Domain Name Examination (Most Important) The URL (or domain name) is your most reliable indicator. ALWAYS check before entering credentials: Red Flags: Wrong domain : google-login.com instead of google.com Misspellings : g00gle.com , micros0ft.com , paypa1.com Extra words : google-verify-account.com , login-microsoft.net Suspicious TLDs : .tk , .ml , .ga , .cf (free domains often used by scammers) Subdomains : google.com.phishing-site.com (note: the actual domain is phishing-site.com ) Legitimate URLs: Google: accounts.google.com or *.google.com Microsoft: login.microsoftonline.com or login.microsoft.com Dropbox: www.dropbox.com/login Apple: appleid.apple.com Important : HTTPS (the padlock in your browser) doesn't guarantee safety—phishing sites can have SSL certificates too! 2. How You Arrived at the Page Suspicious: Clicked a link in an unexpected email Followed a link from text message Redirected from social media or messaging app Pop-up window asking for login QR code from untrusted source Safer: You manually typed the URL Bookmark you created yourself Official app on your device 3. Visual and Behavioral Red Flags Poor design : Blurry logos, misaligned elements, wrong fonts Unusual behavior : Page opens in new window instead of redirecting Missing features : No language selector, missing "forgot password" links Pre-filled information : Your email or username already entered Immediate errors : "Wrong password" on first attempt (capturing your real password) Multiple login prompts : Asked to sign in repeatedly Download prompts : Legitimate login pages don't ask you to download files Practical Protection Strategies Before Entering Credentials: The 3-Check Method 1. STOP - Don't automatically trust Pause before entering any password Question why you're being asked to log in Were you expecting this request? 2. CHECK - Verify the URL carefully Look at the entire URL, especially the main domain Watch for subtle misspellings Verify it matches the service you're accessing 3. NAVIGATE - When in doubt, go direct Close the suspicious page Open a new browser tab Type the URL manually or use your bookmark Access the service directly, not through the link Password Manager as Defense Why This Works: Password managers auto-fill credentials ONLY on legitimate sites they recognize. If your password manager doesn't offer to fill in your credentials, that's a warning sign. Best Practice: Use 1Password, Bitwarden, or similar reputable password manager Let it generate and store unique passwords for each site If it doesn't auto-fill, manually verify the URL before proceeding Multi-Factor Authentication (2FA) Critical Protection: Even if attackers get your password through phishing, 2FA provides a second barrier. Important Limitation: Advanced phishing attacks can capture 2FA codes in real-time. That's why URL verification remains critical. Best 2FA Methods: Hardware security keys (YubiKey, Titan) - most secure, can't be phished Passkeys (tied to your browser or machine) - act like hardware keys, use machine passwords or biometrics for login Authenticator apps (Authy, Google Authenticator) - very secure SMS codes - better than nothing, but vulnerable to SIM swapping attacks Google/Microsoft-Specific Protections Google Advanced Protection Program: Requires physical security keys Prevents OAuth token phishing Recommended for high-risk individuals (public figures, activists, journalists) More info: g.co/advancedprotection Microsoft Security Defaults: Enforces MFA for all users Blocks legacy authentication Available for Microsoft 365 organizations Common Phishing Scenarios and How to Handle Them Scenario 1: "Someone shared a Google Doc with you" The Attack: Email appears to be from Google Drive, with link to view shared document. Clicking leads to fake Google login page. How to Spot: Check sender email address (is it actually someone you know?) Hover over link before clicking—does it go to drive.google.com ? Were you expecting a document from this person? Safe Response: Don't click the link in the email Log into Google Drive directly Check your "Shared with me" folder Or contact the sender through a different channel to verify Scenario 2: "Unusual sign-in activity detected" The Attack: Email claiming suspicious activity on your account, urging immediate password change via provided link. How to Spot: Generic greeting ("Dear User" instead of your name) Urgent language creating panic Link goes to non-official domain Grammar or spelling errors (less common now with AI) Safe Response: Don't click any links in the email Open a new browser tab and log in directly to the service Check account activity through official channels If concerned, contact support through official website Scenario 3: "Verify your email to prevent account suspension" The Attack: Threatening message that account will be closed unless you "verify" by logging in through provided link. How to Spot: Legitimate services rarely threaten immediate suspension Creates false urgency Link doesn't match service's official domain Safe Response: Ignore the threat—it's designed to cause panic Log in directly through official channels to verify account status Check service's official support channels if concerned Scenario 4: QR Code Phishing ("Quishing") The Attack: Email or physical document contains QR code that supposedly leads to login page or verification process. QR code actually goes to phishing site. How to Spot: Unexpected QR codes in emails QR codes for "urgent" account actions QR codes in unsolicited physical mail Safe Response: Don't scan QR codes from untrusted sources If you scan it, examine the URL carefully before visiting Better: navigate to the service directly instead Email Security Practices Verifying Email Authenticity Check the Full Email Address: Click on sender name to see complete address noreply@google.com is legitimate noreply@google-secure-login.com is not Look for Inconsistencies: Display name says "Google" but address is admin@gmail.com Official company communications rarely come from free email services Verify Email Headers (Advanced): Email headers show routing information that's harder to fake: In Gmail: Click three dots → "Show original" Look for "SPF," "DKIM," and "DMARC" authentication passes Email Link Hygiene Before Clicking Any Link: Hover over the link to see the actual URL (don't click yet!) Read the entire URL carefully Compare to known legitimate URLs When in doubt , type the URL manually instead Link Disguising Techniques to Watch For: Display text: "google.com" but actual link: "evil-site.com" URL shorteners (bit.ly, tinyurl) hiding the real destination Misleading subdomains: microsoft.com.phishing.com Resources and Tools Browser Extensions (Warning Tools): uBlock Origin (blocks malicious sites) HTTPS Everywhere (forces encrypted connections) Password manager extensions (won't auto-fill on fake sites) Website Safety Checkers: Google Safe Browsing: transparencyreport.google.com/safe-browsing/search VirusTotal: virustotal.com (analyze suspicious URLs) Account Security Checkups: Google: myaccount.google.com/security-checkup Microsoft: account.microsoft.com/security Apple: appleid.apple.com/account/manage Facebook: facebook.com/settings?tab=security Safer Authentication: Password Usage Training Framework Audience: Nonprofit/advocacy staff, mixed tech levels Format: In-person or virtual, 8–25 participants Duration: 90 min (or two 45-min sessions) Facilitator needs: 1Password account + browser extension ready; basic 2FA familiarity Materials: Slide deck + participant handout (provided) Participants will be able to: • Explain why passwords alone don’t protect accounts • Set up and use 1Password for daily work • Enable 2FA on their highest-priority accounts • Identify their top 5 accounts and concrete next steps • Describe what passkeys are and where to enable them Session Flow #  /  Time Module Key Content + Notes 1 10 min Why This Matters Opening hook: show of hands on password reuse -- normalize it Core problem: credential reuse & phishing, not sophisticated hacking Key stat: compromised credentials in ~40% of breaches (Verizon DBIR 2024) 2 25 min Password Managers: 1Password Concepts: master password, Secret Key, Emergency Kit, vaults (5 min) Live demo: interface tour, save & generate, autofill, 2FA setup, shared vaults (15 min) Q&A (5 min): prep answer for “What if 1Password gets hacked?” Have extension installed before the session. Autofill demo doubles as phishing protection explainer. 3 20 min Two-Factor Authentication 2FA method ranking: hardware key → authenticator app → 1Password TOTP → SMS Priority order: email → financial → cloud storage → CRM → social media Worksheet: participants identify their top 5 accounts (5 min) 4 10 min Introduction to Passkeys What passkeys are, why they’re better (no password to steal, phishing-resistant) Where they work today: Google, Apple, Microsoft, GitHub, PayPal 5 25 min Action Plan + Wrap-Up Walk through 3-column plan: This Week / Next 30 Days / Ongoing Individual reflection: one commitment in next 48 hours (write it down) Three takeaways, resources, Q&A Facilitation Principles Lead with care, not fear: capability over anxiety; overwhelm creates paralysis Normalize the starting point: reused passwords are the norm, not a failure Prioritize action: better to leave having done one thing than understood everything Don’t let perfect block good: SMS 2FA beats no 2FA; progress over perfection Right-size to the group: tailor examples to their platforms; pair early adopters with neighbors Optional extension (30 min): hands-on 1Password install for groups under 15 with a co-facilitator Google Workspace Under Login Attack: What to Do A one-page playbook for small and mid-size organizations Failed logins are normal background noise on the internet. The real question is whether any are succeeding, and whether your accounts are protected if one does. Step 1: Check if anything got in Sign in to admin.google.com and go to Reporting > Audit and investigation > Login audit log. Filter for successful logins in the last 30 days. Look for logins from countries no one works in, unfamiliar IP addresses, or dormant accounts. If you find a suspicious successful login, suspend the account, reset the password, sign out all sessions, and check the user's Gmail for new forwarding rules or filters. Step 2: Audit your 2FA coverage Go to Reporting > User reports > Security. This shows you who has 2-Step Authentication (2FA) turned on and who does not. Immediately add 2FA to all accounts without it. Step 3: Close the biggest gaps, in order Enforce 2-Step Authentication for everyone. This single change does more than everything else combined. Set a deadline 2 to 4 weeks out, communicate it clearly, and help the few people who need help enrolling. Path: Security > Authentication > 2-Step Verification. Disable app-specific passwords. These bypass 2FA. Once legacy protocols are off, almost nothing legitimate needs them. Path: Security > Authentication > Less secure apps and app passwords. Give admins hardware security keys. SMS and authenticator codes can still be phished. Hardware keys (YubiKey, Titan) cannot. Budget about $50 per admin for two keys, primary and backup. Review which outside apps have access to your data. Path: Security > Access and data control > API controls. Revoke anything unfamiliar or unused for 90+ days. Step 4: Turn on alerts so you find out faster next time Path: Security > Alert center > Settings. Enable alerts for suspicious logins, leaked passwords, and changed email settings. Route them to an inbox or channel someone actually reads. If you do only one thing: enforce 2-Step Verification for everyone. It is the single highest-impact change you can make.