Phishing attacks continue to prove one of the most successful and effective ways for cybercriminals to launch cyber attacks that defraud us and steal our personal information, including passwords, credentials and finiancial data.
Our growing reliance on the internet to conduct much of our day-to-day operations has provided fraudsters with the perfect environment to launch targeted phishing attacks.
Phishing emails are a sophisticated form of cyber attack that is increasingly more difficult to spot. A study conducted by Intel found that 97% of security experts fail at identifying phishing emails from genuine emails.
But it’s not just phishing emails that are used to trick recipients into clicking on links or divulging sensitive information. Another common tactic used by cybercriminals involves the creation of compromised phishing websites to trick victims into entering sensitive information.
Phishing attacks often include fake websites to dupe unsuspecting users into thinking they are on a legitimate site and compromising their security. The cybercriminals will spend a lot of time making the site seem as credible as possible and many sites will appear almost indistinguishable from the real thing.
Top Tips to Identify a Phishing Website
To determine if the site you are on is legitimate, or a well-crafted fake, you should take the following steps:
1. Check the URL
The first step in identifying a phishing attack is to hover your mouse over the URL and check the validity of the web address.
You should look for a padlock symbol in the address bar and check that the URL begins with a ‘https://’ or ‘shttp://’.The ‘S’ indicates the web address has been encrypted and secured with an SSL certificate. Without HTTPS, any data passed on the site is insecure and could be intercepted by cybercriminal third parties.
However, this system is not totally foolproof, and within the last year, there has been a notable increase in the number of phishing sites using SSL certificates. Users are advised to be extra cautious and look for further evidence that the site is secure.
You should also pay close attention to the spelling of a web address. To trick users into thinking they are on an official site, the fraudsters will stick as closely as they can to the real address and make small changes to the spelling. A web address that ends in a .co.uk might be changed to a .org, or the letter O could be substituted with the number 0. Ex: www.yah00.org. The web address may also contain extra characters and symbols which official addresses will not contain.
2. Assess the content within a site
A lot of hard work and thought will go into crafting an official website. The graphics will be sharp, the spelling and grammar will be on point, and the whole experience will feel polished. If you’re on a phishing website, despite the similarity of the branding, the whole experience will feel sub-standard and may indicate that you’ve strayed onto a phishing site.
Simple spelling mistakes, broken English, grammatical errors, or low-resolution images should act as a red flag that you are on a phishing site and should leave immediately.
Another area of the website that may indicate a phishing attack is the lack of a “contact us” section. Official websites will usually have a page dedicated to providing full contact details for their company. This would include, postal address, telephone number, email address, and social media channels. If none of these details are provided, this is an indication of a phishing site.
3. Check who owns the website
All domains will have to register their web address so it’s worth doing a WHOIS look-up to see who owns the website. This is a free service and will enable you to check who owns the website when it was created and will provide contact details for the site owner.
Suspicions should be raised if the website has been active for less than a year or if you think you’re on the website of a leading brand, but the web address is registered to an individual in another country. If this is the case, it is more likely a phishing attack.
4. Read online reviews
It’s always worth doing a bit of research on a company to check if they are reputable and they are who they say they are. There’s a good chance that if a site has defrauded people in the past, victims will go online to share their experience and warn other users to avoid the phishing site. If there are lots of negative customer reviews, it’s a good indication that it is a phishing attack.
5. Trusted payment methods
Legitimate websites will always take credit cards as a payment method or may use a portal such as PayPal for online transactions. If the only payment option provided on a website is through a bank transfer, then alarm bells should be ringing. Reputable sites will never ask consumers to pay using this method. This indicates that no bank has provided credit card facilities for the website and the most likely scenario is that you’re dealing with a fraudster.