Phishing scams are elaborate schemes designed to steal personal information over the internet. As the play on the word ‘fishing’ suggests, fraudsters use various techniques to get their victims to swallow the bait, hook, line and sinker. The early phishing emails were fairly easy to spot: the writers lacked basic English skills, spelling mistakes were common, and the schemes were obvious fake prize notices or unlikely invitations to register for a free vacation. Today things are more complicated. Hackers have created elaborate websites, sometimes called ‘spoofed sites’, which are hard to distinguish from the real thing.
A Carbon Copy of the Original
Phishing websites mimic legitimate companies down to the layout, logo and URL. The web address of a phishing site is frequently based on a common misspelling of the original company’s name (‘PayePal’ instead of ‘PayPal’, for example) or on the insertion of a character that is visually similar (‘1’ instead of ‘l’, or ‘rn’ instead of ‘m’). These changes are hard to spot, so it’s easy to end up on a spoofed site by mistake, whether by clicking a link or by mistyping the URL into the address bar.
Phishing emails are a common way to direct traffic to a spoofed site. These emails appear to come from legitimate companies, especially banks or large online retailers like Amazon.co.uk. They warn about unusual activity or purchases you didn’t make, inviting you to click on a link to fix the situation. Once you do, an authentic-looking sign-in page will appear. However, if you enter your password and personal details you’ll give hackers complete access to your account, allowing them to steal money and/or personal data.
At ReputationDefender, we offer privacy services that can help catch phishing scams and protect your data. Phishing websites and emails are designed to appear correct enough that victims click automatically, without taking the time to analyse the details. Some are so well done they’ve been known to fool security experts, at least for a few minutes. However, there is almost always a way to tell the difference if you look closely enough.
Here are some things to check for:
· HTTP vs HTTPS — Most companies use https at the beginning of a sign-in page URL. If the ‘s’ is missing, don’t enter your details.
· Data:text — A recent Gmail scam sent victims to a sign in page that appeared almost exactly correct, except the URL began with ‘data:text/html’ before the authentic Google sign-in address. Don’t trust the site if you find this at the beginning of the address.
· Forward Slashes — Official Yahoo sites always have a forward slash at the end (‘yahoo.com/’). If this slash is missing, the site is fake. Take a good look at the URLs of sites you use regularly so you become familiar with details like this.
· Beware of Pop-Ups — Random pop-ups asking you to enter your password or other information are inherently suspicious. Real companies wouldn’t ask for this information for no reason. Sometimes hackers can rig these pop-ups to run on legitimate sites.
· Don’t Trust the Padlock — The closed padlock at the beginning of an address bar is supposed to be a sign of security, but this can be easily faked. The lock alone doesn’t mean the site is secure.
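The address checks in the list above, together with the look-alike and misspelled domain names described earlier, can be turned into a small script that inspects a sign-in URL before you type anything into the page. The following is an added example written for this article, not ReputationDefender’s own code or tooling. It assumes a short, constructed list of domains you actually sign in to (TRUSTED_DOMAINS), a small constructed table of look-alike character substitutions, and a simplified rule for reducing a host name to its registrable domain; the sample addresses at the bottom are made up for illustration. It covers the https, ‘data:’ and look-alike/misspelling checks; the trailing-slash and padlock checks are visual and are left to the reader.

```python
"""Check a sign-in URL for the warning signs described above.

Added example: this is not ReputationDefender's code. The trusted-domain
list, the confusable-character table and the sample URLs are all constructed
for illustration.
"""
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed list of domains the user actually signs in to (assumption).
TRUSTED_DOMAINS = {"paypal.com", "amazon.co.uk", "google.com", "yahoo.com"}

# Look-alike character sequences (the article's '1' for 'l' and 'rn' for 'm',
# plus two more common ones), mapped back to the character they imitate.
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "0": "o"}

Finding = Tuple[str, str]  # (tag, human-readable detail)


def normalise_host(host: str) -> str:
    """Undo the visual substitutions so 'paypa1' and 'arnazon' read as intended."""
    host = host.lower()
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def registrable_domain(host: str) -> str:
    """Reduce 'accounts.google.com' to 'google.com' and keep 'amazon.co.uk' whole.

    Simplification (assumption): a short second-level label under a two-letter
    country code (co.uk, com.au) is treated as part of the registrable domain.
    A production tool would consult the Public Suffix List instead.
    """
    labels = host.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch misspellings such as 'payepal' for 'paypal'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_signin_url(url: str) -> List[Finding]:
    """Return (tag, detail) findings for a URL; an empty list means no warning sign."""
    findings: List[Finding] = []
    parsed = urlparse(url.strip())
    scheme = parsed.scheme.lower()

    # A 'data:' address carries the whole page inline; any host name that
    # appears later in the address bar is just text inside that data.
    if scheme == "data":
        findings.append(("DATA_URI", "address starts with 'data:' instead of a web host"))
        return findings

    if scheme != "https":
        findings.append(("NOT_HTTPS", f"scheme is '{scheme or 'none'}', not https"))

    host = (parsed.hostname or "").lower()
    if not host:
        findings.append(("NO_HOST", "no host name in address"))
        return findings

    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return findings  # only the scheme finding, if any

    # Look-alike characters: 'paypa1.com' normalises to 'paypal.com'.
    normalised = registrable_domain(normalise_host(host))
    if normalised in TRUSTED_DOMAINS:
        findings.append(("LOOKALIKE", f"'{domain}' imitates '{normalised}' with look-alike characters"))
        return findings

    # Misspellings: within two edits of a trusted domain.
    for trusted in sorted(TRUSTED_DOMAINS):
        if levenshtein(domain, trusted) <= 2:
            findings.append(("MISSPELLING", f"'{domain}' is a near miss for '{trusted}'"))
            return findings

    findings.append(("UNKNOWN_DOMAIN", f"'{domain}' is not a domain you sign in to"))
    return findings


if __name__ == "__main__":
    # Constructed sample addresses, not real phishing URLs.
    samples = [
        "https://www.paypal.com/signin",
        "http://www.paypal.com/signin",
        "https://www.payepal.com/signin",
        "https://www.paypa1.com/signin",
        "https://arnazon.co.uk/ap/signin",
        "data:text/html,https://accounts.google.com/ServiceLogin",
    ]
    for sample in samples:
        result = check_signin_url(sample) or [("OK", "no warning signs")]
        for tag, detail in result:
            print(f"{tag:14} {sample}  ({detail})")
```

The script deliberately stops at the first decisive finding: a ‘data:’ address is a fake regardless of what follows it, and a look-alike domain is a fake regardless of whether it uses https. Only the https check is reported alongside a trusted domain, because a genuine site served over plain http still exposes your password in transit.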
If you think you may be on a phishing site, don’t wait to find out. Close the browser window, open a new one, and sign into your account again by typing the official URL into the address bar. If you’ve entered your password or any account details, contact the company immediately.