Viruses, Trojans, and other malicious programs attack your OS and your apps. With phishing attacks, the target is you, the user. Here’s how to protect your personal information and avoid phishing scams.
To make money, a business needs to rake in more than it spends, and that’s true even when the business is criminal. It takes a lot of research and coding effort to create a new strain of ransomware or a new data-stealing Trojan. Creating a fake version of PayPal or a bank website, on the other hand, is almost effortless by comparison. Phishing fraudsters maximize profit by minimizing expenditures. All they need to do is dupe enough people into giving away their credentials on the fake site. With stolen credentials in hand, they can drain bank accounts, steal personal information, or just sell those credentials wholesale to other malefactors. You don’t want to be a phishing scam victim. Here are some tips to help you avoid that sad fate.
How Has COVID Affected Online Scams?
With vast numbers of people stuck working at home at the height of the pandemic, seeking entertainment on the internet, phishing scammers were in hog heaven. For starters, they just gained a larger audience for ordinary credential-stealing frauds. But the fear, uncertainty, and doubt brought on by this unprecedented pandemic made perfect fodder for new types of scams.
Even back in April of 2020, Google reported blocking 18 million COVID-19-related malware and phishing emails every day. Google does a good job; it says it stops more than 99.9 percent of spam, phishing, and malware. If those 18 million are the 99.9 percent, though, roughly 18,000 unwanted messages still got through, to an unknown number of victims, every day.
Virus scammers aren’t just going for your passwords; they want your money. Scams and cons have been around as long as humanity, and they work online just as well as in person. Be wary of any email bearing any connection to the pandemic, especially if it exhorts you to immediately click a link or download a file. If the fake email’s sense of urgency worries you, go directly to the source rather than using a provided link.
How Do Phishing Scams Work?
The key to running a credential-stealing phishing scam is creating a replica of a secure website that’s good enough to fool most people, or even just some people. With the classiest fakes, every link goes to the real site. Well, every link except the one that submits your username and password to the perpetrators. As icing on the cake, the fraudsters may try to create a URL that looks at least a little bit legitimate. Instead of paypal.com, perhaps pyapal.com, or paypal.security.reset.com.
However, not every phishing page is well done. Some use the wrong colors or otherwise fail to match the page they imitate. Others have totally unconvincing URLs, things like seblakenakkalikalaudimakan.crabdance.com, or X8el87.journal.com. Even these lame fakes can pick up a few suckers, apparently, or the fraudsters would give up.
When you enter your username and password on a phishing site, the site owners gain full access to your account. To keep you from realizing you’ve been scammed, they may pass the credentials along to the real site, so it looks like you logged in normally. Your only clue may come when you find that your bank account is empty, or that you can’t log into your email, and your friends say they’re getting spam from you. So how do you armor yourself against this kind of attack?
Eliminate the Obvious
Some fake websites are just too poorly implemented to convince anyone who’s paying attention. If you link to a site and it just looks like garbage, press Ctrl+F5 to totally reload the page, in case the bad appearance was a fluke. But if it still doesn’t look right, stay away.
Check out the page above. Why are all the entry fields off to one side? Most modern websites adjust to fit the size of your browser window. Now that your suspicions have been raised, you're more likely to notice that the Address Bar lacks the all-important lock icon that marks an HTTPS connection.
When you create a phishing page, verisimilitude is essential. Using a free web hosting service that leaves its banner on your page or its domain in your URL is kind of a giveaway. Even so, every time I run a phishing protection test, I encounter a handful of not-even-trying fakes like this. Who’d believe Yahoo runs on Weebly?
What Can You Learn From the Address Bar?
Modern web browsers are moving away from a big focus on the address bar. It’s now the search-plus-address bar, at the very least. But that address bar is an extremely important resource when you’re eyeballing a page to confirm that it’s legitimate. The best phish-sniffers can spot an off-kilter URL out of the corner of one eye, without even thinking about it.
Sometimes it’s simple. Not many people would see “Placeboook” and think oh, yes, that’s Facebook. But other fraudsters use trickier fakes, like Arnazon for Amazon, which works because “rn” reads as “m” in many fonts at a glance.
Watch out for attempts to obscure the actual domain portion of the URL. That’s the name immediately preceding the final .com, .net, .org, and so on, together with that ending. Anything that comes before the domain is just a subdomain. If the URL fakery.paypal.com existed, it would be a subdomain of paypal.com. If instead you see paypal.fakery.com, well, that’s pure fakery! One wrinkle: with country-code endings such as .co.uk or .com.au, the domain is the name just before that two-part ending, so login.mybank.co.uk is a subdomain of mybank.co.uk, while mybank.co.uk.fakery.com is fakery again.
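The domain-spotting rules above can be written down and run. The checker below is an added example, not code from the original article: it pulls the registrable domain out of a URL (handling a few two-part endings like .co.uk), flags a brand name that shows up anywhere other than its real domain (paypal.security.reset.com), and catches typosquats and look-alikes such as pyapal and Arnazon by folding confusable character pairs and allowing one edit or adjacent swap. The suffix table, the confusable pairs, and the BRANDS map are assumptions kept small so the example runs offline; a real checker would load the full Public Suffix List. It is also the same domain comparison a password manager performs before deciding whether to offer saved credentials.

```python
from urllib.parse import urlsplit

# Assumption: an excerpt of multi-label public suffixes. A real checker should
# load the full Public Suffix List (publicsuffix.org); this short table is
# only here so the example runs offline.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

# Assumption: character sequences typosquatters swap because they look alike
# in common fonts ("rn" reads as "m", "vv" as "w", digit 1 as letter l).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

# Assumption: brands we care about, each mapped to the domains it really owns.
BRANDS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
    "wellsfargo": {"wellsfargo.com"},
}


def registrable_domain(url: str) -> str:
    """Return the domain the address bar's lock actually applies to.

    paypal.security.reset.com -> reset.com
    fakery.paypal.com         -> paypal.com
    login.hsbc.co.uk          -> hsbc.co.uk   (two-label suffix)
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize_confusables(label: str) -> str:
    """Fold look-alike sequences so 'arnazon' compares as 'amazon'."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute cost 1, and
    an adjacent swap also costs 1, so 'pyapal' is one step from 'paypal'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_url(url: str, brands=BRANDS) -> list:
    """Return the red flags a careful look at the address bar should raise."""
    flags = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        flags.append("no HTTPS")
    host = (parts.hostname or "").lower()
    domain = registrable_domain(url)
    sld = domain.split(".")[0]  # the label a brand name would occupy
    for brand, real_domains in brands.items():
        if domain in real_domains:
            continue  # the genuine domain, or a genuine subdomain of it
        if brand in host or brand in parts.path.lower():
            flags.append(f"'{brand}' appears in the URL, but the domain is {domain}")
        elif osa_distance(normalize_confusables(sld), brand) <= 1:
            flags.append(f"'{sld}' is a look-alike of {brand}")
    return flags


if __name__ == "__main__":
    for u in ["https://www.paypal.com/signin",
              "https://paypal.security.reset.com/",
              "https://pyapal.com/", "https://arnazon.com/",
              "http://wellsfargo.login-help.example/"]:
        print(u, "->", check_url(u) or "no flags")
```

A brand name in the path rather than the host (evil.example/paypal/login) is flagged as well, because that is the other place fraudsters plant it. The look-alike test is deliberately narrow (one edit after folding confusables) so that unrelated short names don't trip it; widen the threshold and you trade false positives for recall.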
Phishing attacks on Dropbox accounts, or other online storage accounts, don’t have the guaranteed value that thieves get from capturing bank logins. Conversely, people don’t necessarily apply the same level of vigilance to these accounts. Anything might turn up in online storage, from a list of Girl Scout cookie orders to secret plans for a mission to Mars. Likewise, there’s not much obvious income potential in capturing logins for streaming media, but access to that account might lead to compromising some more important account with the same credentials. Have a look at the address bar in the image above. Even if you log into Netflix by scamming credentials from an idiot friend, you surely won’t see “idiotfriend” in the URL!
Here’s another oddity. Clearly the URL doesn’t represent Xfinity, or Comcast, or any related brand. But beyond that, the browser is waving a big red flag, pointing out that the site’s security certificate has been revoked. That’s worse than a lapsed certificate: webmasters for valid sites do occasionally screw up and let their certificates expire, but revocation means the certificate authority itself withdrew the certificate. Either way, never type a password into a page the browser is warning you about, and this page is clearly a fraud.
Is the HTTPS Lock Important?
The HyperText Transfer Protocol (HTTP) communications system used for basic internet communication is a holdover from the early days of the world wide web. It’s not secure, because nobody imagined others doing bad things on the nascent internet. Well, the bad folks are here, and the only sensible way to connect is using the secure HTTPS protocol. Web browsers show a lock icon for HTTPS pages. Chrome takes a step beyond, actively marking HTTP sites “Not secure.” You should never log into any site that doesn’t use HTTPS. Keep in mind what the lock proves, though: your connection to the domain in the Address Bar is encrypted, and a certificate authority confirmed that the site controls that domain. It says nothing about who owns the domain, and fraudsters get certificates for their look-alike domains just as easily as anyone else. Treat a missing lock as disqualifying and a present lock as merely necessary, not sufficient.
If you don’t notice the strange domain, this page might look like a legitimate Wells Fargo login page. Note, though, that there’s no lock, and that the address begins HTTP:, not HTTPS:. Don’t touch this page; it’s evil!
“But wait,” you may argue, “what about a legitimate site that just hasn’t gotten around to going secure?” Sorry, I don’t buy it. In this age of HTTPS Everywhere there’s no excuse. A site that wants you to log in without using HTTPS, even if it’s no fraud, is just not legitimate.
Sometimes, you just can’t tell by looking. The Commonwealth Bank website does call its online banking system Netbank. The secure page at netbank.com shown above looks legitimate. If you’re not sure, a quick look at the whois data for the domain may help your decision. I think we can agree, it’s very unlikely that the actual Commonwealth Bank’s site would park its hosting with CrazyDomains.com.
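Here is what that whois comparison looks like when written down, as an added example rather than anything from the original article. It parses the plain “Key: Value” output that registries print, then compares the suspect domain’s record against the record for the brand’s genuine domain: a registration only days old, a different registrar, no name servers in common, and a hidden registrant each add a flag. Both whois records, the domain names in them, and the assessment date are constructed for the example; real output varies by registry, and the function names are mine. A whois privacy service is normal for a hobby site, so treat these as signals to weigh, not a verdict.

```python
from datetime import datetime, timezone

# Constructed whois output for a fictitious look-alike domain (not a real
# record). Registries print "Key: Value" lines in varying order, so the
# parser keys on field names rather than line positions.
SUSPECT_WHOIS = """\
Domain Name: NETBANK-SECURE-LOGIN.EXAMPLE
Registrar: CrazyDomains.com
Creation Date: 2020-03-29T09:15:00Z
Registry Expiry Date: 2021-03-29T09:15:00Z
Registrant Organization: REDACTED FOR PRIVACY
Name Server: NS1.CHEAP-HOSTING.EXAMPLE
Name Server: NS2.CHEAP-HOSTING.EXAMPLE
"""

# Constructed record standing in for the bank's genuine domain.
REFERENCE_WHOIS = """\
Domain Name: EXAMPLEBANK.EXAMPLE
Registrar: Example Brand Registrar Ltd
Creation Date: 2001-06-12T00:00:00Z
Registry Expiry Date: 2030-06-12T00:00:00Z
Registrant Organization: Example Bank Ltd
Name Server: NS1.EXAMPLEBANK.EXAMPLE
Name Server: NS2.EXAMPLEBANK.EXAMPLE
"""

# Assumption: the date on which the records above were pulled. In real use
# pass datetime.now(timezone.utc) instead.
ASSESSMENT_DATE = datetime(2020, 4, 15, 12, 0, tzinfo=timezone.utc)


def parse_whois(text: str) -> dict:
    """Collect 'Key: Value' lines into {lowercased key: [values]}.
    Repeated keys (name servers) accumulate; comment lines are skipped."""
    record = {}
    for line in text.splitlines():
        if line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only; times keep theirs
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def whois_date(value: str) -> datetime:
    """Registries print ISO 8601 UTC with a trailing Z; older Pythons'
    fromisoformat rejects Z, so spell the offset out."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def domain_age_days(record: dict, today: datetime) -> int:
    return (today - whois_date(record["creation date"][0])).days


def whois_red_flags(suspect: dict, reference: dict, today: datetime) -> list:
    """Compare a suspicious domain's record with the genuine brand domain's."""
    flags = []
    age = domain_age_days(suspect, today)
    if age < 30:
        flags.append(f"registered only {age} days ago")
    s_reg = suspect.get("registrar", [""])[0]
    r_reg = reference.get("registrar", [""])[0]
    if s_reg.lower() != r_reg.lower():
        flags.append(f"registrar is {s_reg}; the brand uses {r_reg}")
    s_ns = {ns.lower() for ns in suspect.get("name server", [])}
    r_ns = {ns.lower() for ns in reference.get("name server", [])}
    if s_ns and not (s_ns & r_ns):
        flags.append("no name server in common with the brand's domain")
    if any("redacted" in v.lower() or "privacy" in v.lower()
           for v in suspect.get("registrant organization", [])):
        flags.append("registrant hidden behind a privacy service")
    return flags


if __name__ == "__main__":
    suspect = parse_whois(SUSPECT_WHOIS)
    reference = parse_whois(REFERENCE_WHOIS)
    for flag in whois_red_flags(suspect, reference, ASSESSMENT_DATE):
        print("-", flag)
```

On a real system the two records come from the whois command line tool or an RDAP lookup; the comparison against the brand's own domain is the part that turns raw registration data into a decision, because a bank's domains are registered through the same corporate registrar and served by the same name servers year after year.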
Where Do Email Scams Come From?
You’ve heard it a million times. Don’t click links in email messages from people you don’t know. Don’t click links in messages from people you do know, as they may have been hacked. This is good advice! Clicking a random link could take you to a malware-hosting site, or a fraud. When the link takes you to a login page, it’s especially important to consider the source.
It’s conceivable you might get an email message from your bank, though many banks eschew that form of communication. If you clicked a link on an unrelated site and wound up at the login for the Bank of Armorica, chances are very good it’s a fake.
But what if your bank, or the IRS, or PayPal really is trying to get hold of you about a problem with your account? The solution is simple—skip the link and log in to the service directly, the way you normally would.
Beware, too, of pages or emails that seem to require urgent action on your part. The page shown above suggests that your Facebook account will be disabled unless you log in to prevent it. But look at the Address Bar; that’s certainly not Facebook. Once again, just log into Facebook as you usually would, and see if you encounter any trouble.
Get Help Fighting Phishing
Outsmarting the fraudsters, spotting their wiliest wiles, gives you a good feeling, for sure. But you may not be as sharp tomorrow, so it pays to enlist some help in the fight against phishing scams. Modern browsers have protection against fraudulent sites built in, and they do a decent job. Vintage IT Services offers products and email phishing solutions that train your users to spot bad actors who come in through email.
Using a password manager also helps keep you away from frauds. With most such products, you can visit a secure site and log in with a single click. And if you somehow land on a fraudulent site, the password manager won’t offer the saved login credentials, because it matches on the domain you saved them for, not on what the page looks like. That silence is a big red flag.
The savviest netizens use a virtual private network, or VPN for their online activities. Using a VPN protects your data in transit, because the data travels in encrypted form to the VPN server. It also offers some protection against cyber-stalking, because your traffic appears to come from the VPN server, not from your local IP address. But routing web traffic through a VPN doesn’t help at all against phishing. When you give your credentials to the owners of a phishing site, it doesn’t matter how they got there. Phishing attacks target you, not your devices or communication systems.
Phishing is more prevalent than you may realize. To get the images for this article, I just grabbed the latest five or six dozen verified frauds from a popular phish tracking site and worked through them, looking for good examples. Yes, fraudulent pages get blacklisted quickly, but the scammers just shut down and pop up with a new scam page.
Protect Yourself From Phishing
To avoid the pain of getting scammed out of your much-needed cash, or the embarrassment of giving away your sensitive data to a fraud, make use of available resources such as password managers and the phishing-detection system in your antivirus. But keep your own eyes open, to spot any frauds that get through. If a page comes from a suspicious link, if there’s no HTTPS lock in the address bar, if it looks wrong in any way, don’t touch it! Your vigilance will pay off.