Phishing isn’t an unfamiliar term in these parts. In a previous blog post, we tackled the many ways hackers use phishing emails to trick users into downloading malicious attachments or visiting malicious websites. In 2016 alone, phishing attacks increased by a staggering 400%, and this year the trend is likely to continue. So today we’ll continue the campaign to end phishing by tackling another mode of attack: phishing websites.
Sending malicious emails is only one part of the phishing process. The aspiring phisher usually also builds a fake website intended to trick victims into entering login credentials, banking information or both, which the phisher then has access to. Phishing has victimized millions of users over the years. To see how effective it is, consider this curious case from 2013: a trio of hackers were arrested in the UK for attempting to phish almost £60 million from unsuspecting customers by crafting over 2,600 fake banking websites.
To help you avoid falling victim to these attacks, we’ve compiled some of the most common scenarios in which you could encounter phishing sites and also some tips for how to spot them so you can avoid handing over your info.
How Do Phishing Websites Reach You?
Scenario 1: Opening a phishing email – Nick’s Email Debacle
Let’s start with a scenario you’re already familiar with. Nick is a proud earner. He worked very hard over the years to put away $1 million for his retirement. Just a few months before his retirement party, Nick received emails from his “bank” telling him to update his banking information. He logged in to the “bank’s website” and changed his credentials. The very next day, he found out his savings had been wiped clean, just as happened to a woman in the UK in 2012.
Scenario 2: Clicking a suspicious ad – Mary’s Ad Dilemma
Ads serve as another medium for carrying out phishing attacks. Mary, for instance, was searching for easy-bake recipes online. She typed “easy cake recipes” into Google and, without examining the link, clicked on a Google Ad that read “Easy Cake Recipes Today”. The ad led her to a webpage asking for credit card details in exchange for the recipes. Luckily, Mary was suspicious of the payment request and promptly closed the page. She dodged a bullet there, because fake Google Ads like this were used to carry out phishing attacks back in 2014.
Scenario 3: Accessing a fake login page – Sophia’s Government Fiasco
Phishers will stop at nothing to steal information. Take the case of Sophia, who was looking to update her passport. Sophia typed the name of the passport agency she was looking for into her search engine and clicked the first link she saw. Everything looked fine to her, since there was nothing odd about the login page. She typed in her login credentials and her passport information. After submitting them, she wondered why she never received a response from the agency. The next day she found out that her accounts had been compromised, much like the Singaporean citizens who last year fell for phishing attacks that spoofed government login pages.
Scenario 4: Engaging in social media – Ron’s Twitter Trouble
Ron had a problem with his bank and, thinking he could get a faster response via Twitter, tweeted his concern to the bank’s Twitter handle. Within a few hours, a “bank representative” replied with a link to the “bank’s support page”. Ron was smart enough not to trust the “representative”, because he knew better than to trust unverified Twitter accounts. Ron had just encountered, and fortunately avoided, one of the most popular types of phishing attack on social media.
Tips for Spotting a Phishing Website
In case you haven’t spotted the pattern, all of the scenarios were based on real-life phishing attacks and scams. Nick, Mary, Sophia and Ron may be fictional, but the threats they faced are very real. Here are some helpful tips for avoiding these harmful websites. Let’s divide them into two groups: what to check before you click a link, and what to check before you enter any information on a page.
Always check and study the URL before you click it. Whenever someone sends you a link, whether by email, social media or any other platform, take the time to study the URL before you click. You don’t have to be an expert to spot a suspicious URL; just look for red flags in the link. Fake links generally imitate established websites, often by adding unnecessary words and domains.
You should also hover over any hyperlinked text before clicking. In the example below, which we reviewed in detail in our previous post, you can see that the URL behind the text “click here” is “http://globalsign.uk.virus-control.com/b4df29/?login_id=1817...”. A couple of elements should make you wary of clicking: 1. globalsign.uk isn’t a legitimate GlobalSign domain; 2. the domain contains the extra string “virus-control”; and 3. the long string of characters at the end of the URL.
Taken from a GlobalSign simulated phishing email created as part of our internal phishing training.
Identify the source of the link. Do you know the person who sent you the link? If you have even a shred of doubt, don’t click it. In the earlier example, Ron assessed the fake representative instead of clicking the fake link he was sent. Phishers will invent fake identities ranging from the crude (e.g. a generic “Trusted Bank Authority”) to the highly convincing (e.g. John Smith at J.P. Morgan Chase & Co.), so study the people you’re dealing with and make sure they are who they claim to be.
Check and study the URL BEFORE entering any information. Let’s say you accidentally clicked a phishing link. You shouldn’t panic just yet. As mentioned above, study the URL of the page and look for the obvious red flags. Fake pages usually display lots of meaningless characters in the address bar or include extra strings of text.
Look at the example below, from the Gmail scam that was making the rounds earlier this year. The address contains the string “accounts.google.com”, so it looks legitimate, but the extra text before that string should raise a red flag that this is actually a phishing or malicious site.
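The two URL checks just described (a brand name buried in a subdomain of some other registered domain, and a brand name that is only text in front of the real address) can be automated. The following is an added example written for this post, not a GlobalSign tool: the sample links are constructed and only modelled on the ones above, the watched brand list is hypothetical, and the short two-label suffix table stands in for the full Public Suffix List that a real tool would load.

```python
from urllib.parse import urlsplit

# Constructed sample links for this example (not taken from any real campaign),
# built to show the red flags the post describes: a brand name pushed into a
# subdomain, a brand name embedded in a data: URL, an opaque path segment,
# and two ordinary links as controls.
SAMPLE_LINKS = [
    "http://globalsign.uk.virus-control.com/a1b2c3/?login_id=0000",
    "data:text/html,https://accounts.google.com/ServiceLogin",
    "https://www.globalsign.com/en/",
    "https://accounts.google.com/signin",
]

# Brand names you expect to see only as the registered domain itself (hypothetical list).
WATCHED_BRANDS = ("globalsign", "google", "paypal")

# Hypothetical shortlist of two-label public suffixes; a real tool would load
# the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname the owner actually registered.

    Everything to the left of it is a subdomain the owner can set freely,
    which is how 'globalsign.uk' can sit in front of 'virus-control.com'.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def url_red_flags(link: str) -> list:
    """Return the list of red flags from the post that apply to one link."""
    flags = []
    parts = urlsplit(link)

    if parts.scheme not in ("http", "https"):
        # A data: or javascript: link has no real origin: any brand name in
        # it is just text the attacker typed, not the site you are visiting.
        flags.append(f"non-web scheme '{parts.scheme}:'")
        for brand in WATCHED_BRANDS:
            if brand in link.lower():
                flags.append(f"'{brand}' is only text inside a {parts.scheme}: URL")
        return flags

    host = (parts.hostname or "").lower()
    base = registrable_domain(host)
    # The subdomain part is whatever precedes the registered domain.
    subdomain = host[:-len(base)].rstrip(".")
    for brand in WATCHED_BRANDS:
        if brand in subdomain:
            flags.append(f"'{brand}' is a subdomain of {base}, not the registered domain")

    for segment in parts.path.split("/"):
        # Opaque tokens mixing letters and digits are the "long string of
        # characters" the post warns about; six or more is the cutoff used here.
        if len(segment) >= 6 and segment.isalnum() and not segment.isalpha():
            flags.append(f"opaque path segment '{segment}'")
            break
    return flags


def check_all(links=SAMPLE_LINKS) -> dict:
    """Map each link to its red flags; an empty list means nothing stood out."""
    return {link: url_red_flags(link) for link in links}


if __name__ == "__main__":
    for link, flags in check_all().items():
        print(link)
        for flag in flags or ["no red flags"]:
            print("   -", flag)
```

The key step is `registrable_domain`: a browser takes you to whoever registered the rightmost part of the hostname, so a familiar brand name anywhere to the left of that is meaningless. The two legitimate control links produce no flags, which is the behaviour you want before trusting such a check on real mail.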
Scan the page for a trust seal. Most legitimate sites take advantage of trust seals, small badges issued by third-party companies that show how safe a site is (e.g. by showing a trust score, a verified status for sales sites, or whether the site is encrypted with SSL/TLS). Pages that collect login or payment information should carry a trust badge or a Secure Site Seal to assure visitors that the website is legitimate. Scan the page for any sign of a trust seal and make sure the seal’s provider is a well-known online security provider. These seals are often interactive too, so it can be helpful to click the seal and confirm it links to the provider’s own information about the site.
Check the address bar for the organization’s details. SSL/TLS certificates play an essential role in web security by encrypting sessions and protecting information sent between browsers and web servers. Extended Validation (EV) SSL, the highest level of SSL validation, adds another important element by presenting the website operator’s verified identity front and center in the browser interface, usually in a dedicated green address bar.
This way you can immediately see whether the site is legitimately operated by the company it claims to be and isn’t a phishing or imposter site. The majority of leading brands, which are the ones most often targeted by phishing, have adopted EV SSL, so looking for the company name in the address bar can be an easy way to verify the site you’re on. As the number and sophistication of phishing attacks continue to increase, I hope to see even more companies adopt EV as a way to differentiate their sites from malicious imposters.
Check that the website address isn’t a homograph. Some major browsers do not distinguish look-alike letters from other alphabets, such as Cyrillic, from Latin ones when displaying a domain name. A hacker can register a domain such as xn--pple-43d.com, which is displayed as a look-alike of apple.com (its first letter is a Cyrillic а rather than a Latin a), and purchase an SSL certificate for it. This is also known as script spoofing. There are around 11 glyphs in the Cyrillic alphabet that look exactly like their Latin counterparts. Other scripts with glyphs that resemble Latin in modern fonts are Greek, Armenian, Hebrew and Chinese. With enough combinations you can create a spoof domain and secure it with a certificate so that it is almost impossible to tell the real from the fake.
I said almost impossible! There is one way you can catch this type of attack. If you feel the link is suspicious, copy and paste it into another tab…
It’s as simple as that. The true nature of the domain is revealed right away and you know that the website cannot be trusted.
You can also spot these homographs by clicking through the certificate details to see which domain is covered by the certificate. In the example above, you’d see the certificate was actually issued to ‘https://www.xn--80ak6aa92e.com/’ and not ‘apple.com’.
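The copy-and-paste check and the certificate check above both come down to the same thing: the name a browser shows you and the name that was actually registered (the xn-- punycode form) are not the same string. The script below is an added example written for this post, not GlobalSign’s own code. It decodes the two punycode names the post cites, shows the reverse encoding, and reduces each displayed name to the ASCII name it imitates; it goes slightly beyond the post by also catching accented Latin letters (the third sample host is constructed) and by using a hand-picked confusables table rather than the full Unicode confusables data a production tool would use.

```python
import unicodedata

# Hostnames used by this example. The two punycode names are the ones the post
# cites; the third is a constructed look-alike using an accented Latin letter;
# the last is a plain control.
SAMPLE_HOSTS = [
    "xn--pple-43d.com",
    "xn--80ak6aa92e.com",
    "paypa\u013a.com",   # constructed: 'l' replaced by U+013A (l with acute)
    "apple.com",
]

# Lowercase letters from other scripts that render like Latin letters in most
# fonts, mapped to the Latin letter they imitate. Hand-picked for this example;
# a production tool would use the Unicode confusables.txt data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04cf": "l", "\u0501": "d", "\u051b": "q", "\u051d": "w",  # Cyrillic
    "\u03bf": "o",                                                 # Greek omicron
}


def to_unicode(host: str) -> str:
    """Decode each xn-- label the way a browser does before showing the name."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def to_punycode(shown: str) -> str:
    """The reverse: the form you see when the browser falls back to punycode."""
    labels = []
    for label in shown.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def skeleton(shown: str) -> str:
    """Reduce a displayed name to the ASCII name it visually imitates."""
    # Strip accents first (paypal with an accented l -> paypal), then swap
    # look-alike letters for the Latin letters they resemble.
    decomposed = unicodedata.normalize("NFKD", shown)
    stripped = "".join(c for c in decomposed if unicodedata.category(c) != "Mn")
    return "".join(CONFUSABLES.get(c, c) for c in stripped)


def homograph_report(host: str) -> dict:
    """Describe how a hostname is displayed and whether it imitates an ASCII name."""
    shown = to_unicode(host)
    skel = skeleton(shown)
    # Script of each letter, taken from the first word of its Unicode name.
    scripts = sorted({unicodedata.name(c, "UNKNOWN").split(" ")[0]
                      for c in shown if c.isalpha()})
    return {
        "punycode": to_punycode(shown),
        "displayed": shown,
        "skeleton": skel,
        "scripts": scripts,
        # Suspicious only when the name is not what it looks like: it contains
        # look-alike letters and, with those replaced, reads as a plain ASCII
        # name. A genuinely Cyrillic name with no Latin look-alike is left alone.
        "suspicious": skel != shown and skel.isascii(),
    }


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        r = homograph_report(host)
        print(f"{r['punycode']:22} displays as {r['displayed']:14} "
              f"looks like {r['skeleton']:12} scripts={r['scripts']} "
              f"suspicious={r['suspicious']}")
```

Running it prints the four sample hosts with their displayed form, their punycode form and the ASCII name they imitate; only the control host comes back with `suspicious=False`. The `scripts` field is the quick human check: a name that reads as an English brand but contains any script other than LATIN deserves a second look.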
Phishing attacks may rise in the coming years, but as long as you are educated in preventing them, these cheap methods of stealing will claim fewer and fewer victims. Your best defense against hackers is an extensive knowledge of their dirty tricks, and I hope this post has helped build your mental arsenal.