What do phishers and vampires have in common?
They BOTH know that the easiest way to attack a victim isn’t brute force. Instead, it’s to ask nicely and get invited through the front door.
Yup, today we’re talking URL phishing. These are the millions of fake websites out there that trick victims into sharing their private information.
A 2020 report by SlashNext estimated that 50,000 phishing emails are sent every day. Many of these will contain a link to a website that looks like a real, reputable brand. Small businesses and freelancers are common targets.
Today, we’ll show you how to spot these fake websites. We’ll cover:
URL Phishing 101
8 Tips for Spotting a Phishing Website
Use these tips to avoid becoming the next victim.
Typically, URL phishing is when a victim is sent to the login page of a ‘familiar’ website. The hacker’s aim is to trick you into typing your username and password into the fake site.
Once they have this info, they can then log into your real account. This might be to steal your identity, move money out of your bank, use your credit cards, read your private emails, lock you out of your accounts… the list goes on.
Here are some scenarios where a victim may be sent a phishing website.
Scenario #1: The fake warning and login
Hagrid gets an urgent email from his “bank” warning him of suspicious activity on his accounts.
He quickly clicks the link to his “bank website” where he then logs in and changes his passwords.
Unfortunately, this was a fake website and the hacker now has the details to get into his bank accounts and empty them.
Scenario #2: Fake government or health organisations
Jon Snow gets an email from the “CDC” warning him about COVID-19 outbreaks in his neighbourhood. Scared, Jon clicks on the link in the email and types in his contact and medical details in exchange for “Coronavirus updates”.
Unfortunately, this was a fake website and he’s now at risk from medical identity theft.
Scenario #3: Fraudulent ads
Elsa wants to pay her phone bill. She types the company name ‘FastMobile’ into Google and clicks the first link that pops up. She doesn’t notice that the link is a paid Google Ad pointing to the phishing website “FastMobille.com” (with an extra L).
She logs in and makes her payment. The following week, she finds fraudulent charges on her credit card.
It’s a wild world out there. If you don’t want to always be looking over your shoulder, you can hook yourself up with a good VPN. Some VPNs include malicious-site blocking and serve as an extra pair of watchful eyes.
All the above scenarios are based on phishing attacks that happen in real life.
You could also be sent a fake website URL through an email, SMS, WhatsApp, Tweets, video conferencing or gaming platforms. Malicious links can be hard to catch because they are usually engineered to look like they’re from a trustworthy source.
Just because a site looks real, doesn’t mean it’s legitimate. Phishers can easily build websites that look indistinguishable from the real website, with logos, privacy policies and SSL certificates that look legitimate. Stay alert.
Common fake websites can include social media like Facebook, e-commerce sites, streaming sites like Netflix and banking websites.
Here are some tips to help you identify a fake phishing website.
If you are sent a URL to a potentially malicious website, look out for red flags in the message itself. These could include:
Make sure to examine the URL closely before you click it. To do this, hover over hyperlinked text and check the text that pops up at the bottom left of your browser.
Remember, a fake link is trying its hardest to trick you into thinking it’s real. So, a URL will try and imitate the real website as closely as possible.
Ask yourself, is there anything that looks odd? Watch out for minor spelling variations, an unusual country domain (e.g. .uk or .io), or long strings of text and symbols. You can also Google the company name to check what its official URL looks like.
If you’ve accidentally clicked a phishing link, there’s no need to panic yet.
First, check for obvious red flags. Does the page have spelling errors or odd formatting?
If the site does appear real, you should still look out for further red flags before you enter any information.
Check the URL that’s shown in your address bar.
Is the company name spelt correctly? Sometimes the URL will deliberately use a common misspelling of the company name.
Also, watch out for URLs that contain any weird or long strings of text. Fake websites often have URLs with lots of meaningless characters before or after the address.
Even if the website URL looks normal, there’s still a chance it may be fake.
Hackers can use a nasty trick called ‘script spoofing’. This is where they register a domain name using letters from a non-Latin script, such as the Cyrillic alphabet.
Many alphabets contain glyphs that look identical, or very similar, to a Latin equivalent. When they display in your browser, the address may look indistinguishable from the real thing.
Luckily, most browsers have ramped up security in response to this vulnerability. However, you can also copy and paste the URL into a URL checker to detect whether it contains unusual characters.
Check that the website uses HTTPS protocol instead of HTTP.
HTTPS is much more secure because it ensures that your data is encrypted in transit. You can check this by double clicking on the URL in the address bar to see if it starts with “https://” (the S makes all the difference).
Most legitimate sites will use some sort of trust seal issued by third-party companies – for example a Secure Sockets Layer (SSL) certificate.
You can click on the little lock symbol at the left of your address bar to view more information on the certificate, and check that it’s been issued by a well-known certificate authority.
However – don’t rely on this method alone. It’s still possible for a fake website to obtain an SSL certificate (often for a domain registered using the script spoofing tricks we mentioned in point #2).
Sometimes, phishers might send you to a legitimate website, but activate a pop-up window that asks you to enter your username and password.
So, make sure you don’t enter your details into a pop-up, even if the website looks real.
If you’re not sure if a site is authentic, you can try entering a fake password. If it logs you in anyway, you’re probably on a phishing site. Stop browsing immediately and close your browser.
That said – some phishing sites will automatically show an error message regardless of the password you enter. So, just because your fake password is rejected, don’t assume the site is legitimate.
Unfortunately, there’s no single method to identify a fake site.
However, combining our tips above and staying vigilant will help prevent you from becoming the next URL phishing victim.
The bottom line is this:
It’s always good practice to treat all links with a degree of caution. If you’re at all unsure about a website, never sign in.
Many web browsers today have free extensions to help you detect phishing sites – you can also check those out.
Dani is an editor and writer based between KL and Mexico City. Sprung from the advertising and travel industries, she’s also spent the last 10+ years freelancing for a slew of creative online businesses around the world. Connect with her via LinkedIn.