A Pop-Up Says "You must update $PLUGIN"

There are a few people who I provide tech support to who are becoming increasingly vigilant when it comes to potential phishing attacks. They have been told to "never click links in emails" or "ignore popups that want you to install software". But these are only half truths.

It is completely fine for an email, a phone call, or even a random pop-up to drive you to action. Your bank emails to say you need to change your password? A video site throws a pop-up that you need to update Flash to use it?

These are safe to respond to, but you MUST be the one who initiates the actual actions you have been requested to take, and without the assistance of whatever it was that prompted you to do so.

For example 1, do not click on the link in the suspicious email from your bank. Instead, manually browse to your bank and login yourself.

For example 2, do not go to the linked download page for Flash/whatever. Instead, search for the plugin update and apply it yourself.

In either case, if the message was a fake then you have not fallen into the trap that they laid out for you, and neither action is actually harmful to you (ignoring that Flash/Java are full of holes).

The same can be extended to other media. If someone calls claiming to be your bank and starts asking your private information, hang up, and call them back at a listed number. If they were legitimate you only lose a few minutes, but gain assurance that they are who they claim to be.