“Safe browsing” is mostly about slowing down for ten seconds in the moments where attackers rely on speed: a surprising link, a login prompt, a “your package is delayed” message, or a download button on a sketchy page. This guide focuses on the small checks that prevent most common scams.
- Verify the domain before logging in or downloading.
- Don’t trust urgency; verify via a known path.
- Download from official sources only.
- Keep browsers/extensions updated.
- Use unique passwords + MFA so one mistake isn’t catastrophic.
1) Verify the URL (domain) — not the page design
Fake sites look real. Logos, fonts, and layouts are easy to copy. The domain is the part that’s harder to fake. Before you sign in, check the address bar and confirm you’re on the real domain.
- Misspellings: micros0ft, paypaI (capital i)
- Extra words: secure-login-…, account-verify-…
- Weird subdomains: service.example.com.attacker-site.com
If you’re unsure, don’t click the link at all. Instead, open a new tab and type the site address manually or use a bookmark you already trust.
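The three tricks listed above can also be checked mechanically. The following is an added example, not part of the original guide: it parses a link and compares its hostname with a list of domains you already trust. The trusted list, the function names and the sample URLs in the comments are assumptions made up for illustration.

```javascript
// Added example: classify a link's hostname against domains you already trust.
// TRUSTED is a constructed list; replace it with the sites you actually use.
const TRUSTED = ["example.com", "microsoft.com", "paypal.com"];

// Edit distance: number of single-character edits that turn a into b.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

function checkLink(link, trusted = TRUSTED) {
  let host;
  try {
    host = new URL(link).hostname.replace(/\.$/, ""); // parser lowercases the host
  } catch {
    return { verdict: "invalid", reason: "not a parseable URL" };
  }
  for (const domain of trusted) {
    // Only the right-hand end of the hostname decides who owns it.
    if (host === domain || host.endsWith("." + domain)) {
      return { verdict: "trusted", reason: `belongs to ${domain}` };
    }
  }
  for (const domain of trusted) {
    const brand = domain.split(".")[0];
    // Weird subdomain: the trusted name appears, but not at the end.
    if (("." + host + ".").includes("." + domain + ".")) {
      return { verdict: "lookalike", reason: `${domain} used as a subdomain of another site` };
    }
    // Extra words: the brand is glued to other text, e.g. secure-login-example.com.
    if (host.includes(brand)) {
      return { verdict: "lookalike", reason: `"${brand}" padded with extra words` };
    }
    // Misspelling: last two labels are within two edits of a trusted domain.
    const tail = host.split(".").slice(-2).join(".");
    if (editDistance(tail, domain) <= 2) {
      return { verdict: "lookalike", reason: `misspelling of ${domain}` };
    }
  }
  return { verdict: "unknown", reason: "not on the trusted list" };
}
```

A "lookalike" verdict is a reason to stop and open the site yourself, and "unknown" only means the domain is not on your list, not that it is safe.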
2) Treat urgency as a red flag
Phishing works by rushing you: “Your account will be locked,” “Suspicious activity,” “Payment failed,” “Final notice.” The safer move is to pause, then verify through a path you control.
- Use the official app or type the site URL yourself.
- Check notifications inside your account settings (not the email text).
- If it’s “support,” look up the support page independently.
3) Download safely: official sources only
Most malware infections come from downloads that looked legitimate: “codec updates,” “cracked software,” “free utilities,” or fake installers. When you need software, prefer the vendor’s official site or a trusted app store.
- Avoid random “download mirrors” and pop-up buttons.
- Be skeptical of files that prompt you to disable protections.
- Don’t run unexpected attachments (especially executables).
4) Keep browsers updated (and don’t overload extensions)
Browser updates fix known vulnerabilities and improve phishing and malware protections. Extensions can help, but each extension is also a trust decision.
- Enable automatic updates for your browser and OS.
- Remove extensions you don’t actively use.
- Prefer well-known extensions with clear permissions.
5) Protect logins so a mistake isn’t the end
Even careful people occasionally click the wrong thing. The goal is to limit the damage. Unique passwords + MFA prevent a single compromised password from unlocking everything.
If you want a practical password checklist, read 5 habits that keep your passwords strong.
- Use a unique password for email first.
- Turn on MFA for email, banking, and social accounts.
- Review recovery options and remove old devices/numbers.
What to do if you clicked something suspicious
- Close the tab and don’t enter credentials.
- If you did enter a password, change it immediately on the real site.
- Enable MFA (or rotate backup codes if you already use it).
- Run a security scan and review recent logins if the service shows them.
For more about how Esrok approaches privacy and security, see Privacy and Security.