How to Prevent Phishing Attacks: Never Share Your Password.

Phishing is one of the most common attacks on the Internet, but it is also very easy not to fall for phishing. Here are some easy steps how to prevent a phishing attack from being successful. Most importantly: Never share your password.

Phishing has been around for more than 20 years, but sometimes people still fall for phishing attacks. Criminals use phishing mails to gain access to your online accounts, which could enable them to steal your money or install malware on your computer. Most recent attacks like the WannaCry ransomeware attack originally started with a phishing attack, usually via mail.

Why are mail accounts targeted with phishing?

Your mail account holds a lot of sensitive information: You register on most sites like Amazon, PayPal, eBay etc. with your mail address, and important institutions like banks send you information via mail. This makes your mail account the number one target for two reasons.

  1. Many people receive phishing mails that are spoofed in such a way that they look like they are coming from Facebook, Google, or their bank, etc. asking them to enter their login information after clicking a link provided.

  2. Phishing attacks also target your mailbox directly, trying to gain access to your mailbox login. This is even more dangerous because when attackers have access to your mailbox, they can ask for a simple password-reset for all online accounts linked to your mail address, and just like that they can access and abuse these accounts.

How Tutanota protects you from phishing

That's why our secure mail service Tutanota does everything possible to protect you from phishing attacks.

Tutanota uses spam filtering that detects most phishing mails so that you do not have to be concerned about them. However, there are always spam mails - also phishing mails - that slip through.

In Tutanota your mailbox is fully encrypted; we have absolutely no access to your encrypted data. Only your password can decrypt the data. For that reason, we would never ask you for your mailbox password.

There is no password-reset to safeguard your Tutanota account.

Criminals often abuse the password-reset function to gain access to your online accounts. So to protect your encrypted mailbox to the maximum there is no password-reset function in Tutanota. If you can't ask for a password-reset, no criminal impersonating you can either. Please remember to write down your password somewhere safe.

In addition, we do not recycle mail addresses so that you can be absolutely sure that a phishing mail like the one shown here runs into a dead end.

Phishing targeted at Tutanota

We've recently been informed by some users that they have received phishing mails, looking like this:

This mail shows everything that's fishy about phishing, and will help you to easily detect phishing mails:

  1. The sender's mail address is wrong. When you are logged in in the browser the header in your Tutanota mailbox shows you sender's name and sender's mail address so that you can easily spot when a mail is coming from a wrong sender. In the app the sender's email address isn't shown automatically, but you can easily check it by tapping on the sender's name.

  2. Tutanota is one of the few mail services that warns you when the 'technical sender' differs from the 'from sender' so that you can spot spoofed mails easily.

  3. The content of the mail looks fishy as well: The attackers pretend that there is a time urgency, they ask to enter login credentials following a link provided. Never fall for such mails, that's how a typical phishing mail looks like.

Our main tip to prevent phishing attacks is very easy: Never share your Tutanota password. Not even with us.

Tips on how to prevent phishing

  1. Check the sender's mail address.

  2. If asked to enter login credentials via a link provided, the alarm bells must ring.

  3. Check the link carefully: If the attackers try to steal your Tutanota login, the link provided will look similar, but not right. Instead of, the attackers might use

Official Tutanota sending domain:

When we started to build Tutanota, we knew that for a mail service it is of crucial importance that no one can impersonate us or members of our team. However, everybody can register for any Tutanota mail address.

To solve this dilemma we have been using our company domain rather than Tutanota domains for official mail addresses from the start. Our company, which is behind Tutanota, is called the Tutao GmbH. If you receive an email from the Tutanota team, the mail address will always end in

If it looks wrong, it probably is wrong

Whenever you receive a mail that looks fishy, it is very likely that it is a phishing mail. When in doubt, just ask. You can find us easily on Twitter, Facebook, Google+ or Instagram, and, of course, via email.

If you receive a potential phishing mail from a Tutanota domain, please forward it to

Free your data from mass spying!

and get your encrypted mailbox for free now.

Bernd develops and designs Tutanota, always with its security in mind. In our digital age all-round surveillance has become alarmingly easy. I write code to protect our data from today's Orwellian threats.

Posted on: 2017-05-18