GlobalSign. How to Spot a Phishing Website

April 30, 2017 - 9 minutes read

Phishing isn’t an unfamiliar term in these parts. In a previous blog post, we tackled the many ways hackers use phishing emails to trick users into downloading malicious attachments or visiting malicious websites. In 2016 alone, phishing attacks increased by a staggering 400%, and this year the trend is likely to continue. So today, we’ll continue the campaign to end phishing by tackling another mode of attack: phishing websites.

Sending malicious emails is only one part of the phishing process. The aspiring phisher usually also builds a fake website with the intention of tricking victims into entering login credentials, banking information or both, which the phisher then has access to. Phishing has victimized millions of users over the years. To prove how effective it is, consider this curious case from back in 2013. A trio of hackers were arrested in the UK for attempting to phish almost £60 million from unsuspecting customers by crafting over 2,600 fake banking websites.

To help you avoid falling victim to these attacks, we’ve compiled some of the most common scenarios in which you could encounter phishing sites and also some tips for how to spot them so you can avoid handing over your info.

How Do Phishing Websites Reach You?

Scenario 1: Opening a phishing email

Let’s start with a scenario that you’re already familiar with. Nick is a proud earner. He worked very hard over the years to earn $1 million for his retirement. Just a few months before his retirement party, Nick received emails from his “bank”, telling him to update his banking information. He logged in to the “bank’s website” and changed his credentials. The very next day, he found out his savings were wiped clean, just like what happened to a woman from the UK in 2012.

Scenario 2: Clicking a suspicious ad

Ads serve as another medium for carrying out phishing attacks. Mary, for instance, was searching for easy-bake recipes online. She typed “easy cake recipes” into Google and, without examining the link, clicked on a Google Ad that read “Easy Cake Recipes Today”. The ad led her to a webpage asking for credit card details in exchange for recipes. Luckily, Mary was suspicious of the payment request, so she promptly closed the webpage. She dodged a bullet there, because fake Google Ads like this were being used to carry out phishing attacks back in 2014.

Scenario 3: Accessing a fake login page

Phishers will stop at nothing to steal information. Take the case of Sophia, who was looking to update her passport. Sophia typed the name of the passport agency she was looking for into her search engine and clicked the first link she saw. Everything looked good to her, since there was nothing odd about the login page. She typed in her login credentials and her passport information. After submitting, she wondered why she didn’t receive any response from the agency. She found out the next day that her accounts had been compromised, similar to the Singaporean citizens who fell for phishing attacks that spoofed government login pages last year.

Scenario 4: Engaging in social media

Ron had a problem with his bank, and thinking he could get a faster response via Twitter, he tweeted his concern to the bank’s Twitter handle. Within a few hours, a “bank representative” replied by providing him a link to the “bank’s support page”. Ron was smart enough not to trust the “representative” because he knows not to trust unverified Twitter accounts. Ron just encountered, and fortunately avoided, one of the most popular types of phishing attacks on social media.

Tips for Spotting a Phishing Website

In case you haven’t figured out the pattern, all the scenarios were based on real-life phishing attacks and scams. Nick, Mary, Sophia and Ron may be fictional, but the threats they faced are very real. Here are some helpful tips to avoid getting phished by these harmful websites. Let’s divide our solutions into two.

Before Clicking

Always check and study the URL before you click it. Whenever someone sends you a link via email or social media, or on any platform for that matter, take time to study the URL before you click. You don’t have to be an expert to spot a suspicious URL. You should also make sure to hover over any hyperlinked text before clicking, so you can see where the link actually leads.


Identify the source of the link. Do you know the person who sent you the link? If you have even a drop of doubt, don’t click the link.

After Clicking

Check and study the URL BEFORE entering any information. Let’s say you accidentally clicked a phishing link. You shouldn’t panic just yet. As mentioned above, study the URL of the webpage and look for the obvious red flags.


Scan the page for a Trust Seal. Most legitimate sites take advantage of trust seals, small badges issued by third-party companies that show how safe a site is (e.g. by showing a trust score, verified sales sites, or whether the site is encrypted with SSL/TLS). Pages that collect login or payment information should have a trust badge or a Secure Site Seal in order to assure visitors that the website is legitimate.

Check the address bar for the organization’s details. SSL/TLS Certificates play an essential role in web security by encrypting sessions and protecting information sent between browsers and web servers. Extended Validation (EV) SSL, the highest level of SSL, adds another important element by presenting the website operator’s verified identity, usually in a dedicated green address bar.


Check that the website address isn’t a homograph. Some major browsers display domain names containing characters from other scripts, such as the Cyrillic alphabet, exactly as they would display the Latin letters they resemble. A hacker can register a domain such as xn--pple-43d.com, which the browser shows as a look-alike of apple.com, and purchase an SSL/TLS certificate for it. This is also known as script spoofing.

There is one way you can catch this type of attack. If you feel the link is suspicious, copy and paste it into another tab.

It’s as simple as that. The true nature of the domain is revealed right away and you know that the website cannot be trusted. You can also spot these homographs by clicking through the certificate details to see which domain is covered by the certificate.

In the example above, you’d see the certificate was actually issued to ‘https://www.xn--80ak6aa92e.com/’ and not ‘apple.com’.
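To make the copy-and-paste check concrete, here is an added example (not code from the original post or from GlobalSign) that decodes the Punycode form of a hostname, as a browser would, and flags the two tricks described above: a label that mixes scripts (xn--pple-43d) and a label written entirely in Cyrillic letters that look like Latin ones (xn--80ak6aa92e). The look-alike table is a hand-picked subset assumed for this example, not the full Unicode confusables list.

```python
import unicodedata

# Cyrillic letters that render like Latin letters. Assumption of this example:
# a small hand-picked subset of the Unicode confusables data, not the full table.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",
    "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u04bb": "h",
}


def decode_label(label):
    """Turn one ACE label (xn--...) into the Unicode string a browser displays."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_in(label):
    """Scripts (LATIN, CYRILLIC, ...) of the letters, taken from Unicode names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Replace known look-alike letters with the Latin letter they imitate."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def check_hostname(host):
    """Return (name as displayed, list of findings) for a hostname."""
    raw_labels = host.lower().split(".")
    labels = [decode_label(label) for label in raw_labels]
    findings = []
    for raw, label in zip(raw_labels, labels):
        if label.isascii():
            continue  # plain ASCII label: nothing to decode or confuse
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"{raw}: mixes scripts {sorted(scripts)}")
        look_alike = skeleton(label)
        if look_alike.isascii() and look_alike != label:
            findings.append(f"{raw}: looks like '{look_alike}' but is not ASCII")
    return ".".join(labels), findings


if __name__ == "__main__":
    for host in ("xn--pple-43d.com", "xn--80ak6aa92e.com", "www.apple.com"):
        shown, findings = check_hostname(host)
        print(host, "->", shown, findings or "OK")
```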

Phishing attacks may see a rise in the coming years, but as long as you’re educated in preventing them, these cheap methods of stealing will claim fewer and fewer victims in the future. Your best defense against hackers is your extensive knowledge of their dirty tricks.

You can read the original article here.