You’ll click it eventually: five free and idiot-proof security tricks saving my back
“Why would I ever click on that link, you idiot?” I’ve heard similar phrases and even said them to myself too many times. However, I’ve been fortunate to have a cushion of safety. So can you.
Let's be real. Sophisticated Russian or Chinese state hackers with advanced malware and months of surveillance aren’t after you. They wouldn’t waste expensive zero-day vulnerabilities to hijack your Instagram account or buy an Amazon gift card with your money.
What's more likely? Something unexpected will pop up online. You’ll find an advertisement with an incredible deal. A QR code with a tempting offer. A link in an email or SMS message offering a new job or investment opportunity. Or it will be scary and alert you that your computer is infected. And once in a while, you’ll click.
Even I did. I once received a work-related email from scammers pretending to be a PR consultant pitching a story. Journalists get hundreds of similar emails, they all look similar. Sometimes, when the phishing email is very well crafted, it can slip past your inner guards. What happened next?
“This site can’t be reached,” the browser shrugged. “ERR_CONNECTION_REFUSED”
Like in the Swiss cheese model, each layer of defense has holes in it. Even my awareness. But if you add additional layers, the chances of the attack succeeding decrease exponentially. I was safe because I had some cheese slices prepared in advance.
I assume you have some layers of protection, such as strong, unique passwords and multifactor authentication (MFA), or passkeys. If you don’t, start from here. This article focuses on what happens before the MFA has to protect you.
MFA might be one of the last slices of Swiss cheese trying to protect your accounts from hackers. But you don’t want to come close to that situation.
1. You can't click on a malicious link if you don’t get it – use an adblocker
Ad blockers aren’t just about improving the browsing experience – they're a critical security tool. Hackers often buy ads on Google, Meta, and other platforms to distribute malware. They impersonate brands and disguise malicious links so they’re indistinguishable from genuine ones. Until the advertising market can properly ensure security, it’s better not to expose yourself to risks. Malicious sites can contain scripts that adblockers can effectively block.
Scamming is a numbers game, and defending against it also works in a similar way. The fewer malicious links you get and see, the slimmer the chances something bad happens.
Therefore, uBlock Origin adblocker is essential to me. I even switched from Chrome to Firefox just to keep using it. If you don’t like this adblocker, for some reason, use an alternative that works for you. Try AdGuard, AdBlock Plus, or others.
Don't trust me? Trust the FBI.
“Use an adblocking extension when performing internet searches. Most internet browsers allow a user to add extensions, including extensions that block advertisements. These adblockers can be turned on and off within a browser to permit advertisements on certain websites while blocking advertisements on others,” said the FBI in 2022.
Still not convinced? The US Cybersecurity and Infrastructure Security Agency also recommends using ad blockers due to the following benefits:
- Reduces risk of malicious advertisements or redirects to malicious or phishing sites
- Enhances client-side performance and faster page loading
- Reduces risk of data collection by third parties
However, the adblocker cheese slice is not without its holes and is also quite small – it doesn’t cover all your digital life, which now expanded to smartphone phone apps, email, calls, etc.
While most email providers filter emails for spam, scammers often find their way around them. If you’re a Windows user, consider the Thunderbird email client and configure settings so all emails are displayed in plain text instead of HTML. While this significantly improves security, it will somewhat decrease the visual appeal of most newsletters.
On iOS, I didn’t find a mail client that allows disabling active links. Therefore, I stick to the default Mail app. However, I block all remote content. This will not protect against leaving active links, but it will be harder for spam senders and advertisers to track you and trick you into clicking something unwanted.
To enable this on your iPhone, go to Settings, then Apps, select Mail, and then head to Privacy Protection. Disable Protect Mail Activity and choose the Hide IP address and Block All Remote Content options instead.
Gmail also has an option under general settings to ask before displaying external images – select that to disable dynamic email.
Now, for scammer calls, to decrease those chances, I mostly use the Signal app for communications. I never get any spam or strange “invitations” here, but that can change.
I have turned off MMS functionality.
On Samsung phones, users have spam or fraud call filtering/blocking by default, provided by Hiya. I wanted to maintain this functionality on iOS, so I use the Hiya app’s basic functionality for free. Alternatively, there are other apps, such as Truecaller – you might want to check them out.
2. If you click it, you’re safe as long as it doesn’t load
Maybe you scanned a QR code or clicked on a shortened URL that slipped past your adblocker or email security. What’s your next line of defense?
Filter the internet traffic. You don’t want ‘any water’ at home, you want it delivered clean. The same applies to web browsing.
Known malicious websites? No thanks. Mistyped URLs? It shouldn’t load. Newly registered webpage without history? They’re likely malicious – why would I need those? Free, dubious websites on popular platforms or parked domains that no one is using? Block those too. And also, block millions of domains on curated blocklists that deliver ads, trackers, malicious or unwanted content.
Private DNS is an amazing service that saved me from loading malicious websites many times already. It's much more convenient than setting up your own DNS sinkhole (Pi-Hole).
There are few to choose from, but I am a fan of NextDNS, because it’s straightforward and free for up to 300,000 queries per month, which is more than enough for me.
I created a profile, enabled most filters and settings, followed setup guides for all my devices, and voila. It covers all devices, apps, and internet traffic, so this slice of cheese is much wider. This tool will filter out most malicious traffic. If you click on a malicious link, it will not load in most cases. I even used the tool to track what my apps are doing while I sleep.
It might require some time to adjust. If you choose too strict settings, some pages might not load or work properly. Some filters will block adult, gambling sites, and game servers, and if you need to access a particular one, you might need to add it to Allowlist or review which blocklists are relevant to you.
Read more about the private DNS services here.
3. If you click it and the URL loads, then what?
Most cybersecurity hygiene recommendations cover this stage of an attack. Keeping software up to date will protect you from exploitation of known vulnerabilities. You might consider reducing your account privileges just to ensure that you need to enter an administrator password whenever an app needs to be installed.
Antivirus and other endpoint protection software (the free Windows Defender is also a good choice) is another cheese slice that might prevent malware from running. Sticking to official apps and deleting the ones you no longer use will also reduce the potential attack surface.
Here’s one trick I use every day – instead of an app, I choose a web service. Whenever I need to check X (Twitter), Facebook, YouTube, or any service, I access it from the web browser. Not only do you require fewer apps this way, but the browser adds an additional layer of cheese known as ‘browser isolation,’ which limits what the web services can access on your machine.
You get fewer notifications, which have also been abused to deliver malicious content. The exception is legitimate banking apps, which might provide even better security features.
4. If the malware runs, you better have that MFA in place
If malware infiltrates your device, the game changes. You should assume that attackers have exfiltrated information from your system, and it is no longer about prevention but damage control.
Encryption, backups, and MFA are your best friends in such cases, but they all need to be prepared in advance.
Hackers might have obtained your email address and system information, but they still won’t be able to access your accounts if the credentials are encrypted and multi-factor authentication (MFA) is enabled.
Passkeys are the new underutilized type of phishing-resistant MFA that is very hard for attackers to bypass, as they rely on hardware encryption. Whenever I am offered the option to set them up, I always choose passkeys over other authentication methods. For accounts where passkeys are not available, I stick to authenticator apps as a solid fallback.
5. Last line of defense is your bank
I never came close to this, but even in case attackers would find a way to access my payment card information and bank account, I have one last security strategy.
I never keep a lot of money in accounts tied to any payment/credit card. CDs (Certificates of Deposit) and savings accounts without a link to a card offer an additional barrier for attackers to overcome – they can’t simply transfer or spend it. They would need to terminate the deposit before transferring money to another account, which is an additional step. Strict daily and monthly limits will prevent stealing all the money in one swoop.
For payment security, I rely on virtual one-time cards where possible. Many fintechs offer similar services. Any potentially compromised cards are therefore limited in value.
Sure, human error remains the biggest vulnerability. No bank or tool can fully protect someone who willingly buys gift cards for scammers or sends money to romance or investment fraud. It’s also important to have someone to talk to before making important decisions.
Additional layers of defense are never 100% effective, but they create barriers and can stop many attacks before they cause harm. Maybe the malicious call will get blocked, the URL won’t load, the malware won’t be able to exploit a vulnerable app or access the command and control center, or the attacker won’t bypass your MFA.
These are just my personal preferences. Have you developed a better strategy to protect yourself? Share it with me and others in the comments.
Comments
Second, you incorrectly state that there are no email providers accessible in the iOS operating system that disables images and links. This is incorrect. Boomer that I am I use AOL. It does precisely these things.
You are going to say that only Boomers use AOL. This is the same class of people who frequently fall victim to email scams, browser hijackers and ‘security’ alerts from boiler room scammers.
Your email address will not be published. Required fields are markedmarked