blog.metters.dev

I got the idea of writing about my “first line of defence” against phishing emails from this post by the ProtonMail team.

As required by the Impressumspflicht of the Telemediengesetz, my website provides clear contact information, including a reachable email address. Unfortunately, this also lets certain individuals automatically scrape my full name and email address and use them to try to phish me. For example, someone used whois or a similar service to find out that my domain is registered with Hetzner. They then sent me an urgent message claiming that my registration would expire unless I acted very soon.

For some reason, this one got me and I clicked the link to log in, most likely because: who else would know where my domain is registered? Also, I had bought the domain only recently, so I was still quite new to this whole “owning a domain” thing. While the site loaded, I luckily had enough time to think it over. Why would Hetzner contact me at my publicly available address? Of course they would not, so I closed the tab.

I got away this time, but the experience convinced me: something has to warn me to be careful with every email I receive at a publicly available address.

So I set up a rule that attaches a red label with an emoji and a short warning: ⚠️ Public email!

It actually seems to work. Several such emails have arrived since, and every time I stopped and thought about their legitimacy.
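The same rule as a small stand-alone filter over parsed mail headers, added here as an example; it is not the author's rule (which lives in the mail provider's filter settings), and the public address `contact@example.org`, the header set and the sample messages are assumptions:

```python
# Added example (not the author's mail rule): the same "label anything that
# arrived via the public address" check, over parsed RFC 5322 headers.
from email import message_from_string
from email.utils import getaddresses

# Hypothetical public address from the Impressum (assumption, not the author's).
PUBLIC_ADDRESSES = {"contact@example.org"}
WARNING_LABEL = "⚠️ Public email!"
# To/Cc are what the sender wrote; Delivered-To is added by the receiving
# MTA and also catches mail where the public address was only in Bcc.
RECIPIENT_HEADERS = ("To", "Cc", "Delivered-To")


def recipient_addresses(msg):
    """Lower-cased addresses the message reached, parsed from the headers.
    getaddresses() separates display names, so a forged name like
    '"contact@example.org" <other@example.net>' is not counted as a hit."""
    values = []
    for header in RECIPIENT_HEADERS:
        values.extend(msg.get_all(header, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def labels_for(raw_message):
    """Return the labels the rule would attach to one raw message."""
    msg = message_from_string(raw_message)
    if recipient_addresses(msg) & PUBLIC_ADDRESSES:
        return [WARNING_LABEL]
    return []


# Constructed sample messages, not real mail.
PHISH = (
    "Delivered-To: contact@example.org\n"
    "From: registrar-notice@example.com\n"
    "To: Max Mustermann <Contact@Example.org>\n"
    "Subject: Your domain expires soon\n\n"
    "Log in now to renew.\n"
)
PRIVATE = (
    "Delivered-To: private@example.org\n"
    "To: private@example.org\n"
    "Subject: Hi\n\nSee you tomorrow.\n"
)
FORGED_NAME = (
    "Delivered-To: private@example.org\n"
    'To: "contact@example.org" <private@example.org>\n'
    "Subject: Hi\n\nBody.\n"
)
```

The third sample shows why the address is taken from the parsed header rather than a substring match: the public address appears only in the display name, so the message is not labelled.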