We’re all cooped up at home, which prevents us from being scammed on the street. However, dastardly digital plots are growing day by day. One of the shining stars of this crime constellation is phishing. But what is it exactly? And how can you identify a phishing site? That’s what you can find out in this article.
What is phishing?
Phishing is a scam that relies on impersonating a legitimate entity to trick you into giving them money and/or data.
What is a phishing website?
A phishing website is a fake website that is set up to look genuine. Some of them are copies of real existing websites. Scammers are operating them to trick you into spending money or stealing your data.
How does a phishing site work?
Users are usually directed to a phishing website by a phishing email or a phishing text message, but you can also just stumble upon it via a search engine. It looks like a genuine site, using stolen visual assets, fonts, and so on. The site may also have a similar address to the real website to make the illusion look more real.
A phishing website may have been built from a phishing kit: a pre-packaged, ready-to-deploy clone of a real website's pages. Kits like that let phishing websites spread far and wide with minimal effort.
The fake websites trick you into entering your logins, passwords, credit card info, and whatever other data you’d submit to the real website. This gives your data to the hackers. Sometimes, they go one step further and redirect you to the real site to make the scam less obvious and to lessen the chances of you taking preventative action.
How to identify a phishing site
Phishing websites are, by design, made to look legitimate and to fool you into believing that they're real, just as spear phishing emails are. However, there are ways to check whether a website is the real thing.
Read the address
The URL – the website address – is a hard thing to fake, but scammers will try to do it. Some will get very close, like this scam site pretending to be a UK government site and even including “gov.uk” in the URL:
Some are more obvious in their fakery, like this fake Outlook site: the address might include Microsoft, but it’s still a URL that comes from the popular website hosting site Wix – there’s even an ad on top:
Others might not even try to look in any way legitimate – just look at this address:
Another favorite trick of scammers is replacing letters with other similar symbols, like writing “g00gle” instead of “google.” Hackers may also rely on homographs – that is, characters in non-Latin alphabets that appear just like Latin letters. You can check for homographs by copying and pasting the link into another window to see if the address changes.
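The address checks above (a brand name buried in the wrong domain, digit-for-letter swaps such as "g00gle", punycode or non-Latin homograph characters, and a plain http:// address) can be applied mechanically before you trust a link. The script below is an added example written for this article, not code from the original post or from any vendor: the brand list, the tiny public-suffix list and the sample URLs are all constructed assumptions, and a real tool would use the full Public Suffix List instead.

```python
"""Heuristic checks for lookalike phishing URLs (added example, not the article's own code)."""
from urllib.parse import urlsplit

# Assumed brand -> legitimate registrable domains. Constructed for this example;
# a real deployment would load this from a maintained list.
LEGIT_DOMAINS = {
    "google": {"google.com", "google.co.uk"},
    "gov.uk": {"gov.uk"},
    "outlook": {"outlook.com", "live.com", "microsoft.com"},
    "pubg": {"pubg.com"},
}

# Minimal stand-in for the Public Suffix List (assumption: only these two-level suffixes).
TWO_LEVEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "ac.uk", "com.au"}

# Digit-for-letter swaps commonly used to imitate a brand name ("g00gle").
LETTER_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Return the part of the host a registrar actually sells (e.g. 'evil.example'
    for 'gov.uk.evil.example'), using the tiny suffix list above."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_legit(reg: str, domains: set) -> bool:
    """True when reg is one of the brand's domains or a subdomain of one."""
    return any(reg == d or reg.endswith("." + d) for d in domains)


def analyse_url(url: str) -> list:
    """Return a list of short finding tags; an empty list means no red flag found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    # No 's' in https:// -> the connection is not even encrypted.
    if parts.scheme != "https":
        findings.append("no-https")

    # Internationalised labels are encoded as xn--...; a classic homograph sign.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("idn-punycode")

    # Non-ASCII characters in the host (e.g. Cyrillic 'о' in place of Latin 'o').
    if not host.isascii():
        findings.append("non-ascii-host")

    reg = registrable_domain(host)
    # What the registrable domain would read as if digit swaps were undone.
    unswapped = registrable_domain(host.translate(LETTER_SWAPS))
    for brand, domains in LEGIT_DOMAINS.items():
        if is_legit(reg, domains):
            continue  # genuinely owned by the brand
        if is_legit(unswapped, domains):
            findings.append(f"letter-swap:{unswapped}")
        elif brand in host:
            # Brand name appears somewhere in the host, but the domain that
            # was actually registered belongs to someone else.
            findings.append(f"brand-outside-domain:{brand}")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs (the first four mirror the article's examples).
    for sample in [
        "https://www.hmrc.gov.uk/",
        "https://www.gov.uk.refund-claims.example/",
        "https://outlook-login.wixsite.com/",
        "http://www.pubgofficialrewards.com",
        "http://www.g00gle.com/login",
        "https://g\u043e\u043egle.com/",  # Cyrillic 'о' twice
    ]:
        print(sample, "->", analyse_url(sample) or "no red flags")
```

Note that these heuristics only catch the lookalike tricks the article describes; a phishing site on an unrelated, freshly registered domain will pass them, which is why the WHOIS and browser-warning checks below still matter.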
Check for a padlock
This method is less than surefire these days, but you should take a look at your browser bar to see if there's a padlock next to the address. This is usually taken to mean that the site is trustworthy and holds a valid security certificate. You can also check the address for the s in https://, which marks a secured connection.
However, scammers these days are getting more sophisticated, and they can find ways to obtain these security marks – just look at the examples posted in point #1.
Perform a WHOIS lookup
WHOIS is an internet protocol, a set of procedures, used to look up who a domain name is registered to and similar data. Naturally, the registry data for a phishing website will be suspect, especially when compared to that of an official website.
Here's what the WHOIS record looks like for http://www.pubgofficialrewards.com (notice the lack of an s as well as the very suspicious "official" jammed in the middle):
Created 8 days ago, registered by an anonymous source? Feels very suspicious to me. Now, let’s look at the WHOIS for https://www.pubg.com:
This one is very publicly registered by Krafton, the holding company that owns the PUBG assets! It's also registered in Korea, the country where Krafton is based.
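The two things the comparison above turns on, how recently the domain was created and whether the registrant is hidden, can be pulled out of a WHOIS record automatically. The following is an added example written for this article, not code from the original post: the two WHOIS records are constructed to mimic the comparison (the domain names are the ones discussed above, but every date, registrar and registrant field is invented), and the 90-day threshold is an assumed tuning value.

```python
"""Reading a WHOIS record for phishing red flags (added example, not the article's own code)."""
from datetime import datetime, timezone

# Constructed WHOIS output for the lookalike domain; all field values are invented.
FAKE_WHOIS = """\
Domain Name: PUBGOFFICIALREWARDS.COM
Registrar: Example Registrar, Inc.
Creation Date: 2020-04-22T10:15:00Z
Registrant Organization: REDACTED FOR PRIVACY
Registrant Country: REDACTED FOR PRIVACY
"""

# Constructed WHOIS output for the real domain; dates and registrar are invented.
REAL_WHOIS = """\
Domain Name: PUBG.COM
Registrar: Example Registrar, Inc.
Creation Date: 2011-08-10T02:00:00Z
Registrant Organization: Krafton, Inc.
Registrant Country: KR
"""

# Fixed "now" so the example is reproducible (assumption).
NOW = datetime(2020, 4, 30, 12, 0, tzinfo=timezone.utc)


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' lines into a dict keyed by lower-cased field name.
    The first occurrence of a field wins, which is how most WHOIS output reads."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if sep and key and value and key not in record:
            record[key] = value
    return record


def domain_age_days(record: dict, now: datetime):
    """Days since the 'Creation Date' field, or None when the field is missing."""
    created = record.get("creation date")
    if not created:
        return None
    created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (now - created_at).days


def whois_red_flags(text: str, now: datetime, min_age_days: int = 90) -> list:
    """Return human-readable red flags found in a WHOIS record."""
    record = parse_whois(text)
    flags = []

    age = domain_age_days(record, now)
    if age is None:
        flags.append("no creation date")
    elif age < min_age_days:
        flags.append(f"registered only {age} days ago")

    # A hidden registrant is not proof of anything on its own (privacy services are
    # common), but combined with a brand-new domain it matches the pattern above.
    org = record.get("registrant organization", "")
    if not org or "redacted" in org.lower() or "privacy" in org.lower():
        flags.append("registrant hidden")
    return flags


if __name__ == "__main__":
    for label, text in [("lookalike", FAKE_WHOIS), ("real", REAL_WHOIS)]:
        print(label, "->", whois_red_flags(text, NOW) or "no red flags")
```

Domain age is the more reliable signal of the two: plenty of legitimate small sites use registrar privacy, but a domain that is days old and impersonates a brand that has been online for years is almost never what it claims to be.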
Beware of low quality
Legitimate big business websites have a lot of money poured into them to make them look good. And while a good scammer will have just cloned all of the components over, that’s not always the case. For example, look how blurry this fake Outlook page is:
Check the Contact Us section
It’s one of the softer checks you can make, but if you suspect the website to be a copy of a website you often use, you can check the contacts in the Contact Us section against the ones you already have recorded in emails, contracts, the back of your credit card, and so on.
Trust your browser
There are online databases of known phishing sites. So if the scam website you're visiting isn't brand new, chances are your browser will warn you that you're about to visit a dangerous website. When these warnings pop up, trust them and don't continue on to the site.
How to report a phishing site
Government agencies, IT companies, and others have channels open for reporting phishing websites. Here are some of them:
US Cybersecurity and Infrastructure Agency (CISA):
Send an email to [email protected]
Submit a link (and other details) here.
Go here to sign in to your account and submit the report.
The website’s host:
If you do a WHOIS lookup, you should also see the information of the organization hosting the website. This usually includes an email address for reporting abuse and scams.
Stay safe from phishing sites
If you know what a phishing website looks like, you have a much better chance of identifying it and saving yourself from a lot of trouble. But even then, your privacy and security could be improved even further. How about getting a VPN to encrypt your data (to keep it secret from snoopers) and mask your IP (to make you much harder to track online)?