
Don’t Be Caught by Email Scams: How to Avoid Phishing


In order to make money, a business needs to make more money than it spends, even if the business is criminal. Creating new ransomware or new data-stealing Trojans requires a lot of research and coding. On the other hand, creating a fake version of a PayPal or banking website is almost effortless by comparison. Phishing fraudsters maximize profits by minimizing payouts. All they need to do is trick enough people into giving away their credentials on a fake website. With stolen credentials, they can drain bank accounts, steal personal information, or simply sell those credentials wholesale to other criminals. You don’t want to fall victim to a phishing scam. Here are some tips to help you avoid this sad fate.


How has COVID-19 affected online fraud?

At the height of the pandemic, with millions of people stuck working from home and seeking entertainment on the internet, phishing scammers are in hog heaven. First, they gained a larger audience for common credential-stealing scams. But the fear, uncertainty and doubt created by this unprecedented pandemic have also provided perfect fodder for a new type of scam.

Back in March 2020, Google reported blocking 18 million virus-related scams every day. Google does a great job; it blocks an estimated 9.18% of spam and phishing emails. However, this means that every day, 000,000, <> unwanted messages get through, and sent to an unknown number of victims.

Virus scammers don’t just want your passwords; they want your money. Scams and cons have existed as long as humans have, and they work just as well online as they do in person. Be wary of any pandemic-related email, especially if it urges you to click a link or download a file immediately. If the urgency of the email worries you, go directly to the source instead of using the link provided.

How do phishing scams work?

The key to running a credential-stealing phishing scam is to create a copy of a secure website that is good enough to fool most people, or even just a few. For the most classic fakes, every link leads to the real website. Well, every link except the one that submits your username and password to the perpetrator. As icing on the cake, fraudsters may try to create a URL that looks at least slightly legitimate. Instead of paypal.com, maybe pyapal.com or paypal.security.reset.com.

However, not every phishing page does a great job. Some use the wrong colors or otherwise don’t match the page they’re imitating. Others have completely unconvincing URLs, such as seblakenakkalikalaudimakan.crabdance.com or X8el87.journal.com. Apparently, even these crappy fakes snag some dupes, or the fraudsters would give up.

To keep you from realizing you’ve been scammed, they might pass your credentials to the real site so it looks like you logged in normally. Your only clues might come when you find out that your bank account is empty, or you can’t log into your email and your friends say they got spam from you. So how do you arm yourself against such attacks?


Eliminate the obvious

Some fake sites are too poorly implemented to convince anyone who pays attention. If you follow a link to a website and it looks like crap, press Ctrl+F5 to completely reload the page, in case the bad look is a fluke. But if it still doesn’t look right, stay away.

Realism is crucial when creating a phishing page. Using a free web hosting service that leaves its banner on the page or its domain in the URL is a giveaway. Even so, every time I run a phishing protection test, I come across fakes like this one that haven’t even tried. Who would believe that Yahoo is running on Weebly?

 


What can you learn from the address bar?

Modern web browsers are moving away from a strong focus on the address bar. It’s now at least a search plus address bar. But that address bar is a very important resource when you’re staring at a page to make sure it’s legitimate. The best phishing sniffers can spot an inappropriate URL out of the corner of an eye, without even thinking about it.

Sometimes it’s easy. Not many people will look at “Placebo” and think oh yeah, that’s Facebook. But other fraudsters use trickier fakes, like Amazon’s Amazon.

Beware of attempts to mask the actual domain portion of the URL. This is the part that immediately precedes the final .com, .net, .org, etc. Anything before the domain is just a subdomain. If the URL fakery.paypal.com exists, it will be a subdomain of paypal.com. Instead, if you see paypal.fakery.com, well, it’s pure fake!
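The rule above can be checked mechanically. The following Python sketch is an added example, not part of the original article: it pulls the registrable domain out of a URL and compares it with the domain you expected to visit, using the sample URLs from this page. The function names, the result labels and the three-entry suffix set are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List (assumption).
# Real tooling should consult the full list instead of this sample.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registrable_domain(host):
    """Return the label just before the public suffix, plus the suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])

def edit_distance(a, b):
    """Edit distance where swapping two adjacent letters counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(url, expected="paypal.com"):
    """Compare the URL's registrable domain with the one the user expects."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    if domain == expected:
        # Subdomains of the expected domain belong to its owner.
        return "genuine-domain" if parts.scheme == "https" else "genuine-domain-no-https"
    brand = expected.split(".")[0]
    if brand in host.split("."):
        return "brand-in-subdomain"   # e.g. paypal.fakery.com
    if edit_distance(domain.split(".")[0], brand) <= 2:
        return "lookalike-domain"     # e.g. pyapal.com
    return "unrelated-domain"
```

Only the first result means the page is served from the expected domain over HTTPS; every other label is a reason to close the tab.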

Do HTTPS locks matter?

The Hypertext Transfer Protocol (HTTP) used for basic Internet communications is a holdover from the early days of the World Wide Web. It’s not secure, because no one imagined people doing bad things on the nascent Internet. Well, the bad guys are here, and the only sensible way to connect is to use the secure HTTPS protocol. Web browsers display a lock icon for HTTPS pages. Chrome goes a step further by proactively marking HTTP sites as “not secure”. You should never log into any website that doesn’t use HTTPS.

If you haven’t noticed the odd domain name, this page might look like a legitimate Wells Fargo login page. Note, however, that there is no lock and the address starts with HTTP:, not HTTPS:. Do not touch this page; it’s too evil!

“But wait,” you might argue, “couldn’t this be a legitimate website that just isn’t secure yet?” Sorry, I’m not buying it. HTTPS is ubiquitous in this day and age, and there’s no excuse for a site that wants you to log in without it. Even if it is not fraudulent, it is not legitimate.

Sometimes, you just can’t tell by looking. The Commonwealth Bank website does refer to its online banking system as Netbank. The secure page for netbank.com shown above appears to be legitimate. If you’re not sure, a quick look at a domain name’s whois data might help you decide. I think we can agree that the actual Commonwealth Bank website is unlikely to be hosted with CrazyDomains.com.

Where Do Email Scams Come From?

You’ve heard it a million times. Don’t click on links in emails from people you don’t know. Don’t click on links in emails from people you know, as they may have been hacked. This is good advice! Clicking on random links may lead you to malware-hosting sites or scams. It is especially important to consider the source when a link takes you to a landing page.

It is conceivable that you may receive an email from your bank, although many banks shy away from this form of communication. If you clicked on a link on an unrelated site and ended up at an Armorica Bank login page, there’s a good chance it’s a fake.

Get help fighting phishing

Outsmarting fraudsters and uncovering their cunning tricks is sure to give you a good feeling. But you might not be as sharp tomorrow, so it’s worth asking for some help in fighting phishing scams. Modern browsers have built-in protection against fraudulent websites, and they do a decent job. Most antivirus and security suite products add their own phishing protection; the best of them scored as high as 100% protection in our tests.

Protect Yourself From Phishing Attacks

To avoid the pain of being scammed out of much-needed cash or the embarrassment of having sensitive data leaked to fraudsters, take advantage of available resources like password managers and phishing detection systems in your antivirus software. But keep your eyes open for any fraud. If the page comes from a suspicious link, if there is no HTTPS lock in the address bar, or if it looks wrong in any way, don’t touch it! Your vigilance will be rewarded.
