{"id":52857,"date":"2025-01-14T10:12:17","date_gmt":"2025-01-14T15:12:17","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=52857"},"modified":"2025-02-10T04:26:24","modified_gmt":"2025-02-10T09:26:24","slug":"safe-email-login-tips","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/safe-email-login-tips\/52857\/","title":{"rendered":"Passwords 101: don’t enter your passwords just anywhere they’re asked for"},"content":{"rendered":"

Whenever you\u2019re asked to log in to an online service, verify your identity, or download a document through a link, you\u2019re usually required to enter your username and password. This is so common that most of us do it automatically without thinking twice. However, scammers can trick you into giving them passwords for your email, government service websites, banking services, or social networks by mimicking the service\u2019s login form on their own (third-party) website. Don\u2019t fall for it: only the email service itself can ask to verify your email password \u2014 no one else! The same applies to government services, banks, and social networks.<\/p>\n

To avoid becoming a victim of fraud, every time you enter a password, take a moment to check where exactly you\u2019re logging in, and what window is asking for your credentials. Three main scenarios are possible here \u2014 two are safe, one is fraudulent. Here they are.<\/p>\n

Safe scenarios for entering passwords<\/h2>\n
    \n
  1. Logging into your email, social network, or online service through the official website.<\/strong> This is the simplest scenario, but you need to make sure you are indeed on the legitimate site \u2014 with no errors in the URL. If you\u2019re accessing the online service by clicking a link in an email or from search results, carefully check the browser\u2019s address bar before entering your password. Make sure that both the service name and the site address are correct and match each other.<\/li>\n<\/ol>\n

    Why is it so important to take an extra second to check? Creating phishing copies of legitimate sites is a favorite trick of scammers. A phishing site\u2019s address may be almost identical to the original, differing in just a letter or two<\/a> (for example, the \u201ci\u201d letter might be replaced with an \u201cI\u201d), or use a different domain zone.<\/p>\n

    It\u2019s also rather simple to create a link that appears to lead to a site but actually takes you somewhere else. Check it out for yourself: this link seems to lead to our blog kaspersky.com\/blog<\/a> but actually redirects you to our other blog \u2014 securelist.com.<\/p>\n

    The image below shows examples of legitimate login pages for various services where you can safely enter your username and password.<\/p>\n

    \"Examples<\/a>

    Examples of legitimate login pages for various services. Entering your credentials here is safe<\/p><\/div>\n

      \n
    1. Logging in to a site using an auxiliary service.<\/strong> This is a convenient way to log in without creating additional passwords, commonly used for file storage services, collaboration tools, and so on. Auxiliary services are typically large email providers, social networks, or government service sites. The login button may say something like \u201cContinue with Google\u201d, \u201cContinue with Facebook\u201d, \u201cContinue with Apple\u201d, etc.<\/li>\n<\/ol>\n

      When you click the button, another window opens belonging to the auxiliary service<\/strong> (Google, Facebook, Apple, etc.). It works like this: the external service verifies your identity and confirms this to the site you\u2019re logging in to. It\u2019s crucial to check the addresses in both windows<\/strong>: make sure that the pop-up window asking for your password really belongs to the auxiliary service you expected (Google, Facebook, Apple, etc.), and the main window really belongs to the legitimate site you\u2019re trying to log in to. In many cases, the pop-up window also indicates which site you\u2019ll be logging in to. This auxiliary service mechanism allows you to enter the desired site without it ever seeing your password. Password verification takes place on the side of the auxiliary service (Google, Facebook, Apple, etc.). IT specialists call this login method single sign-on<\/a> (SSO).<\/p>\n

      \"Example<\/a>

      Example of SSO login to eBay through an auxiliary service (Google) that verifies your password. Entering your credentials here is also safe<\/p><\/div>\n

      Fraudulent scenario: password theft<\/h2>\n

      You receive an email or message with a login link, click it, and end up on a site that very closely resembles<\/em> a legitimate email, social network, file-sharing, or e-signature service. The site asks you to log in to your account to prove your identity. To this end, you\u2019re prompted to enter your email and password for your email, government services site, banking service, or social network directly on this site<\/strong>.<\/p>\n

      In this scenario, either there\u2019s no pop-up window from a legitimate service (such as the one in the previous case), or the additional window also belongs to some third-party site. This is a scam designed to steal your<\/p>\n

      \"Look<\/a>

      Look at the address bar: this is definitely not Netflix! Don\u2019t enter your credentials here!<\/p><\/div>\n

      account password! Remember, a third-party site can\u2019t verify your password \u2014 it simply doesn\u2019t know it, and passwords are never shared between sites.<\/p>\n

      How to protect yourself from password theft<\/h2>\n
        \n
      1. Carefully check the address of the site requesting your password.<\/li>\n
      2. Only enter a password for a service on the official website of that service \u2014 nowhere else.<\/li>\n
      3. Sometimes a separate window appears for entering a password. Make sure this window is a regular browser window<\/a> where you can see the address bar and verify the address.<\/li>\n
      4. Scammers can create lookalike sites with addresses that are hard to distinguish from real ones<\/a>. To avoid falling into such a trap, use reliable anti-phishing protection on all devices and platforms. We recommend Kaspersky Premium<\/a>, the winner of an anti-phishing test<\/a> in 2024.<\/li>\n
      5. An advanced protection method is to use a password manager<\/a><\/strong>\u00a0for all your accounts. It verifies the actual page address, and will never enter your credentials on an unfamiliar site \u2014 no matter how convincing it looks.<\/li>\n<\/ol>\n\n","protected":false},"excerpt":{"rendered":"

        How to avoid giving away your password to scammers when logging in to third-party sites or viewing “encrypted” or “confidential” documents.<\/p>\n","protected":false},"author":2722,"featured_media":52858,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[9],"tags":[19,187,76,768,131,812],"class_list":{"0":"post-52857","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tips","8":"tag-email","9":"tag-passwords","10":"tag-phishing","11":"tag-surveillance","12":"tag-tips","13":"tag-tracking"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/safe-email-login-tips\/52857\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/safe-email-login-tips\/28437\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/safe-email-login-tips\/23696\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/safe-email-login-tips\/12225\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/safe-email-login-tips\/28570\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/safe-email-login-tips\/27898\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/safe-email-login-tips\/30694\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/safe-email-login-tips\/29401\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/safe-email-login-tips\/38884\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/safe-email-login-tips\/13088\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/safe-email-login-tips\/22507\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/safe-email-login-tips\/31875\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/safe-email-login-tips\/28698\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/safe-email-login-tips\/34527\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/safe-email-login-tips\/34153\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/email\/","name":"email"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52857","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=52857"}],"version-history":[{"count":7,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52857\/revisions"}],"predecessor-version":[{"id":52868,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52857\/revisions\/52868"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/52858"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=52857"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=52857"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=52857"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}