Loading module...

Safe Browsing & Secure Work Habits | Top 10 Dev Training

GSA-06

Safe Browsing & Secure Work Habits

Identify malicious links and QR codes, understand public Wi-Fi risks, and practice secure habits that prevent shadow IT from creating vulnerabilities.

Audio overview (optional)

AI-generated summary. The Read tab has the full written content, which is the primary source and what the quiz is based on.

Transcript

Phishing emails, covered in module two, are the most common delivery mechanism for malicious links. But they're far from the only one. Malicious links arrive through text messages, Slack DMs, social media posts, search engine ads, and even legitimate websites that have been compromised. The destination is usually one of two things: a credential-harvesting page designed to look like a real login screen, or a site that delivers malware to your device.

So how do you evaluate a link before you click it?

On desktop, hover first. The actual destination URL appears in the bottom-left of your browser or in a tooltip. If the display text says "Sign in to Microsoft 365" but the URL points to "microsoft three six five dash verify dot sketchy dash domain dot com," don't click.

On mobile, long-press. Touch and hold the link to preview the URL without opening it.

Check the domain, not just the page. Attackers register domains that look almost right. Amazon with a zero instead of an O. "Microsoft dash support dot net," plausible but not real. "Your company dash H R dot com," close enough to pass a quick glance. Read the domain character by character when something feels off.

Watch for shortened URLs. Services like bit dot l y hide the actual destination. If a shortened URL arrives in a context where you weren't expecting one, don't click it.

And be aware that HTTPS is necessary but not sufficient. The padlock icon means the connection is encrypted, not that the site is legitimate. Attackers can and do obtain SSL certificates for phishing sites.

Now, QR code attacks. A QR code is just a link encoded as an image. The problem is, you can't read it with your eyes. Unlike a URL you can hover over, a QR code is completely opaque until after you've scanned it. That makes it a near-perfect delivery mechanism for phishing.

QR code phishing attacks jumped twenty five percent year over year in 2025. Research found that twenty six percent of all malicious links in phishing campaigns were delivered via QR code. They show up in fake "security update" emails where the attacker hopes email filters can't analyze the image. On physical surfaces, where an attacker places a sticker with a fake QR code over a legitimate one on a parking meter or restaurant menu. And in documents and presentations, pointing to credential-harvesting sites.

The defense is simple. Most phone cameras show a preview of the destination URL before navigating. Read that preview the same way you'd evaluate any link. Don't scan QR codes from unexpected sources. If an email uses a QR code instead of a normal link, that's a red flag. And if a QR code in a public place looks like a sticker placed over another sticker, don't scan it.

Next, public Wi-Fi and working outside the office.

Public networks are, by definition, shared with strangers. On an unsecured network, an attacker on the same network can potentially intercept your traffic. More sophisticated attacks involve setting up a fake network with a plausible name, like "Starbucks free wifi" or "Airport guest," that routes all your traffic through the attacker's device.

Use your company's VPN whenever you're on a network you don't control. Verify the exact network name with staff before connecting. Avoid accessing sensitive systems without a VPN connection. Your phone's hotspot is generally safer than public Wi-Fi because the connection isn't shared.

Then, device security basics. Your laptop and phone are the physical entry points to every system you have access to.

Lock your screen every time you step away, even for thirty seconds. On Mac, Control-Command-Q. On Windows, Windows key plus L. On your phone, set auto-lock to one minute or less.

Enable full-disk encryption. FileVault on Mac, BitLocker on Windows. Most modern operating systems have this built in, and your company likely requires it.

Keep software updated. OS updates, browser updates, and app updates frequently include security patches for vulnerabilities attackers are actively exploiting. Don't postpone them.

Don't install unapproved software. Every application you install is a potential attack vector.

Be cautious with USB devices. USB drops, where an attacker leaves a malicious drive somewhere hoping someone plugs it in, still work as attacks. Don't plug in drives you find.

Finally, shadow IT. Any software or cloud service employees use for work without IT's knowledge or approval. Research shows that roughly sixty five percent of SaaS applications in use at a typical company are unsanctioned. Every unapproved tool is a potential gap in your company's security.

Data leaves the perimeter when you paste customer data into an unapproved tool. Access control breaks down because unapproved tools don't integrate with your company's SSO. Compliance evidence disappears because SOC 2 auditors expect data handled through approved channels.

The fix is simple. Ask before you adopt. If you find a tool that would help your work, bring it to IT or your manager first. There may already be an approved alternative, or IT may be able to evaluate the tool quickly. The convenience gap between an approved tool and a shiny new one is almost never worth the security gap.

Quiz & Certification

Training content is freely available. Sign in and get a training credit to take quizzes, track progress, and generate compliance reports.

Attestation not yet available

Complete and pass every module quiz in this course to unlock the final attestation. Once all modules are done, this tab will open for signing.

Module 6: Safe Browsing & Secure Work Habits

General Security Awareness Training
Estimated Time: 15 minutes

Learning Objectives

By the end of this module, you will be able to:

Recognize malicious links, fake websites, and QR code attacks before they compromise your device or credentials
Explain why public Wi-Fi is risky and what precautions to take when working outside the office
Describe the security basics every employee should follow for their devices, including screen locking, updates, and encryption
Define shadow IT and explain why unapproved tools create compliance and security risks
Apply a consistent set of daily habits that reduce your personal attack surface

Malicious Links and Fake Websites

Phishing emails (covered in depth in Module 2) are the most common delivery mechanism for malicious links, but they're far from the only one. Malicious links can arrive through text messages, Slack DMs, social media posts, search engine ads, and even legitimate websites that have been compromised. The destination is usually one of two things: a credential-harvesting page designed to look like a real login screen, or a site that delivers malware to your device.

How to Evaluate a Link Before You Click

On desktop, hover first. Before clicking any link, hover your mouse over it. The actual destination URL will appear in the bottom-left corner of your browser or in a tooltip. If the display text says "Sign in to Microsoft 365" but the URL points to something like microsoft365-verify.sketchy-domain.com, don't click.

On mobile, long-press. Touch and hold the link to preview the URL without opening it. Mobile browsers make this harder than desktop browsers, which is exactly why attackers increasingly target mobile users.

Check the domain, not just the page. Attackers register domains that look almost right: amaz0n.com (zero instead of 'o'), microsoft-support.net (plausible but not real), or yourcompany-hr.com (close enough to pass a quick glance). Read the domain carefully, character by character, when something feels off.

Be skeptical of shortened URLs. Services like bit.ly and t.ly hide the actual destination. If you receive a shortened URL in a context where you weren't expecting one, don't click it. Ask the sender for the full link, or use a URL preview service to check the destination.

Watch for HTTPS, but don't rely on it. The padlock icon means the connection is encrypted, not that the site is legitimate. Attackers can and do obtain SSL certificates for phishing sites. HTTPS is necessary but not sufficient.

QR Code Attacks (Quishing)

Module 2 introduced quishing as a phishing variant. This section goes deeper into the mechanics, because QR code attacks exploit a specific gap in how most people think about security: we've been trained to evaluate links, but QR codes bypass that habit entirely.

A QR code is just a link encoded as an image. When you scan it, your phone opens the encoded URL in your browser. The problem is that you can't read a QR code with your eyes. Unlike a URL you can hover over and inspect, a QR code is completely opaque until after you've scanned it. This makes it a near-perfect delivery mechanism for phishing sites.

Where malicious QR codes show up:

In emails and PDFs. A fake "security update" or "MFA enrollment" email contains a QR code instead of a clickable link. Because email security filters can analyze URLs but struggle to decode images, the malicious payload slips through.
On physical surfaces. Attackers place stickers with fake QR codes over legitimate ones on parking meters, restaurant menus, event posters, and shared office spaces. You scan what you think is a legitimate code, and you're sent to a phishing page instead.
In documents and presentations. A shared document includes a QR code for "easy mobile access" to a resource. The code points to a credential-harvesting site.

QR code phishing attacks jumped 25% year over year in 2025, and research found that 26% of all malicious links in phishing campaigns were delivered via QR code. The FBI issued a formal warning about quishing targeting both consumers and organizations.

How to protect yourself:

Preview the URL before opening it. Most phone cameras and QR scanning apps show a preview of the destination URL before navigating to it. Read that URL the same way you'd evaluate any link: check the domain, look for misspellings, and verify it matches what you'd expect.
Don't scan QR codes from unexpected sources. If an email contains a QR code instead of a normal link, that's a red flag. Legitimate services don't typically force you to switch to your phone to complete an action.
Be cautious with physical QR codes. If a QR code on a parking meter, flyer, or public sign looks like it was placed over another code (a sticker on top of a sticker), don't scan it. Report it if possible.
When in doubt, navigate manually. Instead of scanning a QR code to reach a login page, open your browser and type the URL directly. It takes a few extra seconds but eliminates the risk entirely.

Public Wi-Fi and Working Outside the Office

Working from coffee shops, airports, hotels, and co-working spaces is a normal part of modern work. But the networks in these locations come with risks that your office network doesn't.

Why Public Wi-Fi Is Risky

Public Wi-Fi networks are, by definition, shared with strangers. On an unsecured network (one that doesn't require a password, or one where everyone uses the same password), an attacker on the same network can potentially intercept your traffic, see which sites you're visiting, and in some cases capture data you're transmitting. More sophisticated attacks involve setting up a fake Wi-Fi network with a plausible name ("Starbucks_Free_WiFi" or "Airport_Guest") that routes all your traffic through the attacker's device.

How to Work Safely on Public Networks

Use your company's VPN. A virtual private network encrypts all traffic between your device and your company's network, making it unreadable to anyone on the local Wi-Fi. If your company provides a VPN, use it whenever you're on a network you don't control. If your company doesn't provide one, ask IT whether they recommend one.

Verify the network name. Before connecting, confirm the exact network name with staff at the location. Attackers create networks with names that are close to but not identical to the legitimate one ("Hotel_Lobby" vs. "Hotel_Lobby_Free").

Avoid accessing sensitive systems without a VPN. If you can't connect to a VPN, avoid logging into financial accounts, customer data systems, or internal tools. Email and general browsing on HTTPS sites carry lower risk but are not risk-free.

Use your phone's hotspot as an alternative. Tethering to your phone's cellular connection is generally safer than using public Wi-Fi because the connection isn't shared with strangers. If you need to do sensitive work and don't have a VPN, a hotspot is a reasonable fallback.

Forget the network when you're done. Remove public networks from your saved connections so your device doesn't automatically reconnect the next time you're in range.

Device Security Basics

Your laptop, phone, and tablet are the physical entry points to every system and account you have access to. Losing a device or leaving it unsecured, even briefly, can be as damaging as having your password stolen.

Lock your screen. Every time. When you step away from your computer, even for 30 seconds, lock it. On Mac: Ctrl+Command+Q. On Windows: Windows+L. On your phone, set auto-lock to the shortest interval you can tolerate (one minute or less). An unlocked device in a coffee shop, a conference room, or even your own office is an open invitation.

Enable full-disk encryption. This ensures that if your device is lost or stolen, the data on it can't be read without your password. Most modern operating systems have this built in (FileVault on Mac, BitLocker on Windows). Your company likely requires it. If you're not sure whether it's enabled, ask IT.

Keep software updated. Operating system updates, browser updates, and app updates frequently include security patches for vulnerabilities that attackers are actively exploiting. Delaying updates doesn't just mean missing new features. It means running software with known holes. Enable automatic updates wherever possible.

Don't install unapproved software. Every application you install is an application that could contain malware, exfiltrate data, or create a vulnerability. Stick to software approved by your company. If you need something that isn't on the approved list, go through the request process rather than installing it on your own.

Be cautious with USB devices. USB drives are a known malware delivery vector. Don't plug in USB drives you find in parking lots, conference rooms, or anywhere else. If you receive a USB drive from a vendor or at an event, hand it to IT for scanning before plugging it into your work machine.

Shadow IT: The Unapproved Tool Problem

Shadow IT refers to any software, cloud service, or hardware that employees use for work without the knowledge or approval of the IT and security teams. It's not usually malicious. It's usually someone trying to get work done faster by signing up for a tool that seems helpful, without realizing the security implications.

Why Shadow IT Matters

The numbers are striking. Research consistently shows that roughly 65% of SaaS applications in use at a typical company are unsanctioned, meaning IT doesn't know they exist. The average enterprise has hundreds of cloud services in active use, and IT is aware of a fraction of them.

Each unapproved tool represents a potential gap in your company's security and compliance posture:

Data leaves the perimeter. When you paste customer data into an unapproved tool, that data is now stored on a server your security team can't monitor, audit, or protect. If that tool is breached, your company may not even know its data was involved.

Access control breaks down. Unapproved tools don't integrate with your company's SSO or identity management systems. That means no centralized access logging, no automatic deprovisioning when someone leaves, and no visibility into who has access to what.

Compliance evidence disappears. SOC 2 auditors expect to see that data is handled through approved, controlled channels. Shadow IT creates gaps in the evidence chain that are difficult to explain during an audit.

Common Shadow IT Examples

Signing up for a project management tool (Trello, Notion, Monday) with your work email without going through IT
Using a personal Google Drive or Dropbox account to share work files because it's "easier"
Installing a browser extension that has access to your browsing data or page content
Using an unapproved AI tool to summarize documents, generate content, or analyze data (Module 8 covers AI-specific risks in depth)
Connecting a personal device to the corporate network or storing work data on a personal phone without MDM enrollment

What to Do Instead

Ask before you adopt. If you find a tool that would help your work, bring it to IT or your manager before signing up. There may already be an approved alternative, or IT may be able to evaluate and approve the tool quickly.

Use approved tools for their intended purpose. Your company chose specific tools for communication, file sharing, project management, and other functions. Use them, even if they feel slightly less convenient than an alternative. The convenience gap is almost never worth the security gap.

Don't use personal accounts for work data. Your personal email, personal cloud storage, and personal messaging apps are not subject to your company's security controls. Work data should stay on work systems.

Building Daily Habits

Security isn't a single decision. It's a set of habits you practice every day. The good news is that most of the habits that matter are simple and fast. Here's the shortlist:

Lock your screen every time you step away, no matter how briefly.
Hover before you click on any link. On mobile, long-press to preview.
Preview QR codes before opening the destination URL.
Use the VPN on any network you don't control.
Keep your software updated and don't postpone restarts for security patches.
Use approved tools for work data. If you need something new, ask first.
Report anything suspicious. A weird link, an unexpected QR code, a tool you notice your team is using without IT's knowledge. Reporting isn't tattling. It's contributing to the company's security posture.

None of these habits require technical expertise. All of them reduce the likelihood that your account, your device, or your data becomes the starting point for an incident.

Key Takeaways

Evaluate links before clicking. Hover on desktop, long-press on mobile. Check the actual domain, not just the display text. Shortened URLs and HTTPS alone are not guarantees of safety.
QR codes are opaque by design. Always preview the destination URL before opening it. Be especially cautious with QR codes in emails, PDFs, and on physical surfaces where stickers could be placed over legitimate codes.
Public Wi-Fi is shared with strangers. Use a VPN, verify network names, and avoid sensitive work without encrypted connections. Your phone's hotspot is a safer alternative.
Your device is a physical key to everything. Lock your screen, enable encryption, keep software updated, and don't install unapproved applications.
Shadow IT undermines security and compliance. Roughly 65% of SaaS apps at the average company are unknown to IT. Every unapproved tool is a gap in your security perimeter. Ask before you adopt.

Next up: Module 7, Vendor & Third-Party Risk, where we'll cover how the apps and services you connect to your work accounts create supply chain risk, and how to evaluate tools before adopting them.

Module Version: 1.0
Last Updated: March 2026
Framework References: NIST Cybersecurity Framework 2.0 (Protect, Identify), SOC 2 Trust Services Criteria (CC 6.1, CC 6.6, CC 6.8)
Data Sources: FBI Internet Crime Complaint Center (IC3) 2025, Hoxhunt 2025 Phishing Trends Report, Keepnet Labs 2025 QR Code Phishing Statistics, IBM/Ponemon Cost of a Data Breach Report 2025