Phishing continues to prove one of the most successful and effective ways for cybercriminals to defraud us and steal our personal and financial information.
Our growing reliance on the internet to conduct much of our day to day business has provided fraudsters with the perfect environment to launch targeted phishing attacks.
The phishing attacks taking place today are sophisticated and increasingly more difficult to spot. A study conducted by Intel found that 97% of security experts fail at identifying phishing emails from genuine emails.
But it’s not just malicious emails that are used to trick people into clicking on links or divulging sensitive information. Another common tactic used by criminals involves the creation of fake websites to trick victims into entering sensitive information.
Phishing websites are created to dupe unsuspecting users into thinking they are on a legitimate site. The criminals will spend a lot of time making the site seem as credible as possible and many sites will appear almost indistinguishable from the real thing.
Top Tips to identify a phishing website
To determine if the site you are on is legitimate, or a well-crafted fake, you should take the following steps:
1. Check the URL
The first step is to hover your mouse over the URL and check the validity of the web address. You should look for a padlock symbol in the address bar and check that the URL begins with a ‘https://’ or ‘shttp://’.The ‘S’ indicates the web address has been encrypted and secured with an SSL certificate. Without HTTPS, any data passed on the site is insecure and could be intercepted by criminal third parties. However, this system is not totally foolproof, and within the last year, there has been a notable increase in the number of phishing sites using SSL certificates. Users are advised to be extra cautious and look for further evidence that the site is secure.
You should also pay close attention to the spelling of a web address. To trick users into thinking they are on an official site, the fraudsters will stick as closely as they can to the real address and make small changes to the spelling. A web address that ends in a .co.uk might be changed to a .org, or the letter O could be substituted with the number 0. Ex: www.yah00.org. The web address may also contain extra characters and symbols which official addresses will not contain.
2. Assess the content within a site
A lot of hard work and thought will go into the crafting of an official website. The graphics will be sharp, the spelling and grammar will be on point, and the whole experience will feel polished. If you’re on a phishing website, despite the similarity of the branding, the whole experience will feel sub-standard and may indicate that you’ve strayed onto a fake site.
Simple spelling mistakes, broken English, grammatical errors or low-resolution images should act as a red flag that you are on a phishing site and should leave immediately.
Another area of the website that may indicate a phishing site is the lack of a “contact us” section. Official websites will usually have a page dedicated to providing full contact details for their company. This would include: postal address, telephone number, email address and social media channels. If none of these details are provided you should treat the site as highly suspicious.
3. Check who owns the website
All domains will have to register their web address so it’s worth doing a WHOIS look up to see who owns the website. This is a free service and will enable you to check who owns the website when it was created and will provide contact details for the site owner.
Suspicions should be raised If the website has been active for less than a year or if you think you’re on the website of a leading brand, but the web address is registered to an individual in another country.
4. Read online reviews
It’s always worth doing a bit of research on a company to check if they are reputable and they are who they say they are. There’s a good chance that if a site has defrauded people in the past, victims will go online to share their experience and warn other users to avoid the site. If there are lots of negative customer reviews, it’s a good indication that you should stay well clear of the site in question.
5. Trusted payment methods
Legitimate websites will always take credit cards as a payment method or may use a portal such as PayPal for online transactions. If the only payment option provided on a website is through a bank transfer, then alarm bells should be ringing. Reputable sites will never ask consumers to pay using this method. This indicates that no bank has provided credit card facilities for the website and the most likely scenario is that you’re dealing with a fraudster.
MetaPhish has been specifically designed to protect businesses from phishing and ransomware attacks and provides the first line of defence in combatting cyber-crime. Get in touch for further information on how we can help your business.