Phishing is one of the most common forms of cyber attack. What makes it so dangerous is not its technological component but its focus on manipulating the user. Phishing works by tricking the user into willingly revealing confidential data or performing a certain action, usually by mimicking a credible organization.
Classical phishing attacks often come in the form of an email containing a file with malware or a link that leads to a phishing page. But they can also pop up while you’re surfing the internet or using legitimate websites. So how do you spot a phishing attempt, if its sole purpose is to blend in with its environment and convince you that a certain request is coming from a safe place?
As phishing attacks become more sophisticated, typical quick checks no longer do the job. Yet, they are a good way to do the initial vetting, so we’ll run through all of the ways to spot phishing sites.
1. Examine the connection type
This one is easy and quick. All you have to do is click on the URL in the address bar and check whether the site has an “HTTP” or “HTTPS” tag. The “HTTPS” tag is what you should be aiming for if you’re on a page that requires you to enter any confidential information.
The secret of HTTPS lies in Secure Sockets Layer (SSL) or its modern successor, Transport Layer Security (TLS). Both encrypt the connection between the server and the browser: the data is scrambled in transit, and only the two endpoints hold the key that decrypts it, so anyone watching the network in between sees nothing usable.
2. Run a quick check on the SSL certificate
An HTTPS tag doesn’t necessarily mean that the website is safe. You also have to check whether the SSL certificate has been issued by a legitimate provider. Invalid SSL certificates coming from obscure providers could either be fake or leave the connection vulnerable to cyber-attacks.
You can check the validity and issuer of the SSL certificate by clicking on the padlock icon in the address bar. This will show you whether the certificate is valid and the name of the issuer.
However, keep in mind that scammers who go to great lengths to appear legitimate are capable of forging the permits and tax forms required by certificate providers. On top of that, there is software that can enable them to get their hands on free SSL certificates.
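The padlock check described above can be automated for the fields that matter: who issued the certificate, when it expires, and whether it actually covers the hostname you are visiting. The script below is an added example, not code from the original article; it works on the dictionary shape that Python’s `ssl` module returns from `getpeercert()`, using a constructed sample certificate so it runs offline (the `fetch_certificate` helper performs the live check against a real host when you call it).

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# Not a real certificate; the issuer name and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Issuing CA"),),
        (("commonName", "Example Issuing CA R1"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2100 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

# Same certificate with a notAfter in the past, to show the failure mode.
EXPIRED_CERT = dict(SAMPLE_CERT, notAfter="Jan  1 00:00:00 2020 GMT")


def _flatten(rdn_seq):
    """Turn getpeercert()'s nested tuple of RDNs into a flat dict."""
    out = {}
    for rdn in rdn_seq:
        for key, value in rdn:
            out[key] = value
    return out


def _name_matches(host, pattern):
    """Match a hostname against a SAN entry, allowing one leading '*.' wildcard label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return host == pattern


def inspect_certificate(cert, host):
    """Summarise issuer, validity window and name coverage of a peer certificate.

    Returns a dict of findings; 'problems' is an empty list when nothing is wrong.
    """
    now = datetime.now(timezone.utc)
    issuer = _flatten(cert.get("issuer", ()))
    subject = _flatten(cert.get("subject", ()))
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]

    problems = []
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")
    if not any(_name_matches(host, san) for san in sans):
        problems.append(f"no SAN entry covers {host}")

    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName", "?"),
        "subject": subject.get("commonName", "?"),
        "valid_from": not_before.date().isoformat(),
        "valid_until": not_after.date().isoformat(),
        "dns_names": sans,
        "problems": problems,
    }


def fetch_certificate(host, port=443, timeout=5.0):
    """Live check: connect with the default verifying context and return getpeercert().

    The default context rejects self-signed, expired or untrusted-issuer
    certificates with ssl.SSLCertVerificationError before any data is sent,
    so reaching getpeercert() already means the chain validated.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(inspect_certificate(SAMPLE_CERT, "www.example.com"))
    print(inspect_certificate(SAMPLE_CERT, "login.example.com"))
    print(inspect_certificate(EXPIRED_CERT, "example.com"))
```

The issuer organization is what you compare against the padlock dialog; an unfamiliar issuer is not proof of anything on its own, but an expired certificate or a hostname mismatch means the browser would already have warned you, so seeing either in a script is a strong signal that something was bypassed.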
3. Examine the URL
Phishing sites have domain names that appear to belong to a legitimate organization. On a second look, however, there may be an extra letter or symbol. On top of that, if you double-click the actual URL in the address bar, you can see the entire address. Does it look odd?
The usual address looks like this:
https://www.brandname.com, made up of https:// (security protocol), www (subdomain), brandname (domain) and com (domain extension)
However, this form isn’t mandatory. For example, instead of the usual “www”, you are free to use your pet’s name as a subdomain, as long as it’s not registered by another entity. Instead of www.paypal.com, a phishing site could have an address such as “www.paypals.com” or “mypaypal.biz”. This won’t be immediately visible and can trick many people into believing they are visiting a legitimate page.
While there is no rule of thumb, some domain extensions are more common among phishing and spam websites. They include .biz, .info, .science, .stream, .men, .party, and .top. Domain extensions like .com, .org, .io, .gov, and .edu are more reliable, but they don’t necessarily mean the website is safe. How?
Four out of five phishing sites are actually “parked” on compromised domains. Domains can be hijacked in a number of ways, such as by purchasing a domain immediately after it expires.
However, when scammers register domains, they still have to provide their details, such as the name of their organization, website, email, etc. More often than not, they leave out information or enter equally murky names and addresses. Checking all of this by hand can prove to be too much work.
In those cases, the best way to spot a phishing site’s domain is to use a tool that analyzes the website’s domain reputation. There are API tools that can perform a complete domain infrastructure check along with a malware scan.
A reliability score can be based on a combination of factors, including domain configuration, website content, the domain’s SSL certificates, email server configuration, IP addresses, presence in malware data feeds, etc.
The problem with suspected phishing websites is that it often takes time for them to make it into the database, usually only after the cyber attack has occurred. Sophisticated scoring tools deal with newly registered domains by scanning background information and any omitted data, and comparing this picture to known phishing sites.
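The URL checks in this section (a brand name pushed into the subdomain, an extra letter in the domain, an over-represented extension, a raw IP address or a non-ASCII lookalike host) can be scored locally before a reputation service ever sees the domain, which is exactly the window the last paragraph describes. The following is an added example, not code from the article or from any reputation product: it splits a URL the way the subdomain/domain/extension breakdown above does and returns a score with reasons. The brand list, the suspicious-extension list and the tiny public-suffix subset are constructed for the example; a real deployment would use the full Public Suffix List and its own brand inventory.

```python
import difflib
from urllib.parse import urlsplit

# Brands to protect, mapped to their genuine registered domain (constructed list).
PROTECTED_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}

# Extensions the article lists as over-represented among phishing sites.
SUSPICIOUS_TLDS = {"biz", "info", "science", "stream", "men", "party", "top"}

# Constructed subset of two-label public suffixes so "shop.example.co.uk"
# splits as subdomain "shop", domain "example", extension "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def split_host(host):
    """Return (subdomain, domain, extension) for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", host.lower(), ""
    tld_len = 2 if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    tld = ".".join(labels[-tld_len:])
    domain = labels[-tld_len - 1]
    subdomain = ".".join(labels[: -tld_len - 1])
    return subdomain, domain, tld


def assess_url(url):
    """Score a URL against the lookalike patterns discussed in the article.

    Returns (score, reasons); a higher score is more suspicious, 0 means
    none of the local heuristics fired.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    subdomain, domain, tld = split_host(host)
    reasons = []
    score = 0

    if parts.scheme != "https":
        score += 1
        reasons.append("connection is not https")
    if host.replace(".", "").isdigit():
        score += 2
        reasons.append("host is a raw IP address")
    if not host.isascii():
        score += 2
        reasons.append("host contains non-ASCII (possible homoglyph) characters")
    if tld in SUSPICIOUS_TLDS:
        score += 2
        reasons.append(f".{tld} is over-represented among phishing sites")

    sub_labels = set(subdomain.split(".")) if subdomain else set()
    registered = f"{domain}.{tld}"
    for brand, genuine in PROTECTED_BRANDS.items():
        if registered == genuine:
            continue  # the real thing, e.g. www.paypal.com
        if brand in sub_labels:
            score += 3
            reasons.append(f"'{brand}' used as a subdomain of {registered}")
        elif domain == brand:
            score += 3
            reasons.append(f"{registered} uses '{brand}' under a different extension than {genuine}")
        elif brand in domain:
            score += 3
            reasons.append(f"'{brand}' embedded in lookalike domain {registered}")
        elif difflib.SequenceMatcher(None, brand, domain).ratio() >= 0.8:
            score += 3
            reasons.append(f"{registered} is a near-match for '{brand}'")
    return score, reasons


if __name__ == "__main__":
    # Constructed sample URLs; none of the lookalikes is a real site.
    for sample in [
        "https://www.paypal.com/signin",
        "http://www.paypals.com",
        "https://mypaypal.biz",
        "https://paypal.com.login-verify.top/",
        "https://paypa1.com",
        "http://192.168.0.1/login",
    ]:
        print(sample, assess_url(sample))
```

Treat the score as a triage signal that complements, rather than replaces, the reputation feeds mentioned above: it catches the spelling and structure tricks on day zero, while the feeds catch the compromised legitimate domains that these heuristics cannot see.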
4. Inspect website content
If a single webpage you landed on seems suspicious, a good way to identify a phishing site is simply to take a look at the entire website.
Some of the red flags include low-resolution photos, bad grammar, empty pages, excessive advertising, and clickbait headlines.
Whether you’re visiting a banking site, an online store, or a lifestyle magazine, if the website is legitimate it will be easy to find contact information, an address, a privacy or returns policy, trust seals from clients and partners, etc.
Some well-executed phishing sites may have all of these elements in place. On top of that, inspecting website content manually can become overwhelming. Just like with URLs and domains, there are tools that can help you spot phishing sites both individually and in bulk.
Tools that specialize in website categorization enable you to screen website content by performing real-time analysis on three levels. These tools examine the website’s response during a crawling session, then extract information and keywords and analyze them using natural language processing. Finally, the result is verified by human supervisors.
With this kind of analysis, you have the ability to genuinely understand the purpose behind a certain website.
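A few of the red flags in this section (missing contact and privacy links, a near-empty page) can be checked mechanically from the page source, and the most telling signal for a login page, whether the credential form submits to the same host you are on, is cheap to add. The script below is an added example rather than code from the article or any categorization product; it uses only Python’s standard `html.parser` and two constructed sample pages (neither is a real site), so it runs offline. The same-host form check is an extra signal added here, not one the article lists; the visible-text threshold of 100 characters is an assumption for the constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a bare login page whose form sends the password elsewhere.
SUSPICIOUS_PAGE = """
<html><body>
<h1>Sign in to your account</h1>
<form action="https://collector.example-other.test/post" method="post">
  <input name="user"><input type="password" name="pass">
  <button>Log in</button>
</form>
</body></html>
"""

# Constructed sample: a normal storefront with a same-host login form and footer links.
LEGIT_PAGE = """
<html><body>
<h1>Welcome to Example Store</h1>
<p>We sell widgets of every size. Browse the catalogue, compare prices, and read
reviews from other customers before you order.</p>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<footer>
  <a href="/contact">Contact us</a> | <a href="/privacy">Privacy policy</a> | <a href="/returns">Returns</a>
</footer>
</body></html>
"""

MIN_VISIBLE_CHARS = 100  # assumed threshold for "empty page" on these samples


class PageFeatures(HTMLParser):
    """Collect form targets, password fields, link texts and visible text size."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.has_password_field = False
        self.links = []  # (href, lower-cased link text)
        self.text_chars = 0
        self._link = None
        self._skip = False  # inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_field = True
        elif tag == "a":
            self._link = [a.get("href", ""), ""]
        elif tag in ("script", "style"):
            self._skip = True

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            self.links.append((self._link[0], self._link[1].strip().lower()))
            self._link = None
        elif tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if self._skip:
            return
        self.text_chars += len(data.strip())
        if self._link is not None:
            self._link[1] += data


def inspect_page(html, page_url):
    """Return a list of content red flags for the page fetched from page_url."""
    features = PageFeatures()
    features.feed(html)
    page_host = urlsplit(page_url).hostname
    flags = []

    if features.has_password_field:
        for action in features.form_actions:
            target = urlsplit(urljoin(page_url, action)).hostname
            if target != page_host:
                flags.append(f"credential form posts to {target}, not {page_host}")
    for expected in ("contact", "privacy"):
        if not any(expected in text or expected in href.lower() for href, text in features.links):
            flags.append(f"no '{expected}' link found")
    if features.text_chars < MIN_VISIBLE_CHARS:
        flags.append(f"very little visible text ({features.text_chars} characters)")
    return flags


if __name__ == "__main__":
    print(inspect_page(LEGIT_PAGE, "https://shop.example.test/"))
    print(inspect_page(SUSPICIOUS_PAGE, "https://login.example.test/"))
```

None of these flags is conclusive on its own (plenty of legitimate sites outsource their login to another host), which is why the categorization tools described above layer crawling, language analysis and human review; a script like this is the first, cheapest filter in that chain.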
As phishing becomes more sophisticated, simple one-click checks can no longer protect you from cyber-attacks. Scammers understand that there is a growing awareness among users about the dangers of phishing attacks. The conversation about the confidentiality and security of people’s private information has moved to the forefront of digital discourse.
This is why it is important to fight phishing with equally sophisticated thinking and tools. Whether you’re a private user or you head an organization that seeks to protect its business, the right choice of security tools is of the utmost importance for your online safety.