What do phishers and vampires have in common?
They BOTH know that the easiest way to attack a victim isn’t brute force. Instead, it’s to ask nicely and get invited through the front door.
Yup, today we’re talking URL phishing. These are the millions of fake websites out there that trick victims into sharing their private information.
A 2020 report by SlashNext estimated that 50,000 phishing emails are sent every day. Many of these will contain a link to a website that looks like a real, reputable brand. Small businesses and freelancers are common targets.
Today, we’ll show you how to spot these fake websites. We’ll cover:
Table of Contents
URL Phishing 101
8 Tips for Spotting a Phishing Website
- Does the message seem legitimate?
- Does the URL look suspicious?
- Check for anything weird in the website URL
- Check the website address isn’t a homograph
- Check if the website uses HTTPS
- Check if the website has a certificate or trust seal
- Be wary of pop-ups
- Give a fake password
Use these tips to stop you from becoming the next victim.
What is URL phishing?
Typically, URL phishing is when a victim is sent a link to a fake copy of a website they know, usually its login page. The hacker’s aim is to trick you into typing your username and password into the fake site.
Once they have this info, they can log into your real account. This might be to steal your identity, move money out of your bank, use your credit cards, read your private emails, lock you out of your accounts… the list goes on.
How do phishing websites reach you?
Here are some scenarios where a victim may be sent a phishing website.
Scenario #1: The fake warning and login
Hagrid gets an urgent email from his “bank” warning him of suspicious activity on his accounts.
He quickly clicks the link to his “bank website” where he then logs in and changes his passwords.
Unfortunately, this was a fake website and the hacker now has the details to get into his bank accounts and empty them.
Scenario #2: Fake government or health organisations
Jon Snow gets an email from the “CDC” warning him about COVID-19 outbreaks in his neighbourhood. Scared, Jon clicks on the link in the email and types in his contact and medical details in exchange for “Coronavirus updates”.
Unfortunately, this was a fake website and he’s now at risk from medical identity theft.
Scenario #3: Fraudulent ads
Elsa wants to pay her phone bill. She types the company name ‘FastMobile’ into Google and clicks the first link that pops up. She doesn’t notice that the link is a paid Google Ad, shown above the real search results, linking to the phishing website “FastMobille.com” (with an extra L).
She logs in and makes her payment. The following week, she finds fraudulent charges on her credit card.
It’s a wild world out there. Some VPN services bundle a malicious-site filter that blocks known phishing domains, which can serve as an extra pair of watchful eyes. Bear in mind that a VPN on its own only encrypts your traffic; it does nothing to stop you typing your password into a fake site, so you still need the checks below.
8 Tips for Spotting a Phishing Website
All the above scenarios are based on phishing attacks that happen in real life.
You could also be sent a fake website URL by email, SMS, WhatsApp, tweets, video-conferencing chat or gaming platforms. Malicious links can be hard to catch because they are usually engineered to look like they’re from a trustworthy source.
Just because a site looks real, doesn’t mean it’s legitimate. Phishers can easily build websites that look indistinguishable from the real website, complete with logos, privacy policies and a valid HTTPS certificate (certificates are free and only prove that the site controls its own domain name, not that it belongs to the brand). Stay alert.
Common fake websites can include social media like Facebook, e-commerce sites, streaming sites like Netflix and banking websites.
Here are some tips to help you identify a fake phishing website.
Before you click the URL, ask yourself…
Tip #1: Does the message seem legitimate?
If you are sent a URL to a potentially malicious website, look out for red flags in the message itself. These could include:
- The message is asking you to act ‘urgently’
Many fraudsters will try and make you panic in order to act carelessly. Be wary of emails that threaten things like “Urgent action required” or “Your account will be closed”.
- Unofficial “From” address
Look at the actual sender address, not just the display name (the name shown can be anything the sender types). Look out for an address on a domain that is similar to, but not the same as, the company’s official one. Often it will have extra letters, punctuation or a different ending. A Reply-To address that goes somewhere else entirely is another warning sign.
- Bad grammar
Look out for spelling / grammatical errors.
- Generic greeting
Be skeptical of an email sent with a generic greeting such as “Dear Customer”, “Dear Member” or “Hi Dear”.
- Requests for personal information
Legitimate companies will never ask you to verify or provide confidential information in an email.
Tip #2: Does the URL look suspicious?
Make sure to examine the URL closely before you click it. On a computer, hover over the hyperlinked text and check the destination that appears in the bottom left of your browser window; on a phone, press and hold the link to preview it. The visible link text proves nothing: it can say one address while the link itself goes somewhere else.
Remember, a fake link is trying its hardest to trick you into thinking it’s real. So, a URL will try and imitate the real website as closely as possible.
Ask yourself, is there anything that looks odd? Watch out for minor spelling variations, a domain ending you wouldn’t expect for that company (e.g. .uk or .io instead of .com), or long strings of text and symbols. You can also Google the company name to check what its official URL looks like.
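The checks in Tips #1 and #2 can be automated for a message you have already received. The following Python script is an added example written for this page, not code from the original article: it parses a constructed sample email and flags an unofficial From domain, a Reply-To that points elsewhere, urgency phrases, a generic greeting, and any link whose visible text names one host while the link itself points at another. The OFFICIAL_DOMAINS set, the phrase lists and both sample emails are assumptions made up for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: the brand's only legitimate sending/link domain.
OFFICIAL_DOMAINS = {"fastmobile.com"}
URGENCY_PHRASES = ("urgent action required", "account will be closed",
                   "within 24 hours", "verify your account")
GENERIC_GREETINGS = ("dear customer", "dear member", "hi dear", "dear user")

# Constructed sample message carrying the red flags from Tips #1 and #2 (not a real email).
SAMPLE_EMAIL = """\
From: "FastMobile Billing" <billing@fastmobile-support.co>
Reply-To: collect@mail-drop.example
To: customer@example.org
Subject: Urgent action required: your account will be closed
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>We detected suspicious activity. Please log in at
<a href="https://fastmobille.com/login">https://fastmobile.com</a> within 24 hours.</p>
</body></html>
"""

# Constructed clean message for comparison.
CLEAN_EMAIL = """\
From: "FastMobile" <billing@fastmobile.com>
To: elsa@example.org
Subject: Your March statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Elsa,</p>
<p>Your statement is available: <a href="https://fastmobile.com/statements">View statement</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr_or_url: str) -> str:
    """Host part of an email address or URL, lower-cased."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    return (urlsplit(addr_or_url).hostname or "").lower()


def check_message(raw: str) -> list:
    """Return the red flags found in a raw RFC 5322 message (empty list = none found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    _display_name, addr = parseaddr(msg["From"] or "")
    from_domain = domain_of(addr)
    if from_domain not in OFFICIAL_DOMAINS:
        flags.append(f"From address {addr} is on {from_domain}, not an official domain")
    if msg["Reply-To"]:
        reply_domain = domain_of(parseaddr(msg["Reply-To"])[1])
        if reply_domain != from_domain:
            flags.append(f"Reply-To goes to {reply_domain}, not the sender's domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = f"{msg['Subject'] or ''} {html}".lower()
    flags += [f"urgency language: {p!r}" for p in URGENCY_PHRASES if p in text]
    flags += [f"generic greeting: {g!r}" for g in GENERIC_GREETINGS if g in text]
    collector = _LinkCollector()
    collector.feed(html)
    for href, label in collector.links:
        href_host = domain_of(href)
        # Link text that looks like a URL is compared against where the link really goes.
        label_host = domain_of(label) if label.lower().startswith("http") else ""
        if label_host and label_host != href_host:
            flags.append(f"link text says {label_host} but points to {href_host}")
        elif href_host not in OFFICIAL_DOMAINS:
            flags.append(f"link points to unofficial host {href_host}")
    return flags


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, "->", check_message(raw) or ["no red flags"])
```

Running the script lists seven flags for the sample message and none for the clean one. The link check is the one worth copying into your head: the anchor text reads https://fastmobile.com, but the href goes to fastmobille.com, which is exactly what hovering over the link (Tip #2) would have shown you.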
After you’ve clicked the URL, do these checks:
If you’ve accidentally clicked a phishing link, there’s no need to panic yet.
First, check for obvious red flags. Does the page have errors or weird formatting?
If the site does appear real, keep looking for red flags before you enter any information.
Tip #3: Check for anything weird in the website URL
Check the URL that’s shown in your address bar. The part that matters is the name immediately before the ending (fastmobile.com in login.fastmobile.com). Everything to the left of it is a subdomain the site owner can name freely, so an address like fastmobile.com.account-verify.net belongs to account-verify.net, not to FastMobile.
Is the company name spelt correctly? Sometimes the URL will actually use a common misspelling of the company.
- Look for a character or symbol BEFORE or AFTER the name.
- Check for swapped characters, e.g. the digit 1 in place of the letter l, or 0 in place of O.
- Missing or added punctuation.
Also, watch out for URLs that contain any weird or long strings of text. Fake websites often have URLs with lots of meaningless characters before or after the address.
Tip #4: Check the website address isn’t a homograph
Even if the website URL looks normal, there’s still a chance it may be fake.
Hackers can use a nasty trick called an IDN homograph attack (sometimes called ‘script spoofing’). This is where they register a domain name using letters from another alphabet, such as Cyrillic.
Many alphabets contain letters that look identical, or very similar, to a Latin equivalent. When they display in your browser, the address may look indistinguishable from the real thing.
Luckily, most browsers have ramped up security in response to this: when a name mixes alphabets, they show its encoded ‘punycode’ form instead, which starts with xn--. If you see xn-- in the address bar, treat the site as suspicious. You can also copy and paste the URL into a punycode converter or URL checker to reveal any unusual characters.
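Tips #3 and #4 both come down to reading the host name the way a browser does. The following Python script is an added example written for this page, not code from the original article, that does that reading for you: it isolates the registrable domain, flags a brand name hiding in a subdomain, catches one-keystroke typosquats and digit-for-letter swaps, and detects mixed-alphabet homographs by showing the punycode form the browser would fall back to. The BRAND_DOMAINS allow-list, the stub suffix list, the confusables table and the sample URLs are assumptions made for the demonstration; a real tool would load the Public Suffix List and the full Unicode confusables data.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumptions for this example (none of these come from the article):
# - BRAND_DOMAINS is a constructed allow-list of the brands we want to protect.
# - KNOWN_SUFFIXES is a tiny stand-in for the Public Suffix List a real tool would load.
# - CONFUSABLES covers only a handful of Cyrillic/Greek letters that render like Latin ones.
BRAND_DOMAINS = {"paypal.com", "fastmobile.com"}
KNOWN_SUFFIXES = {"com", "net", "org", "io", "uk", "co.uk"}
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",   # Cyrillic с х у і
    "\u0458": "j", "\u04cf": "l", "\u03bf": "o", "\u03b1": "a",   # Cyrillic ј ӏ, Greek ο α
}
DIGIT_SWAPS = {"0": "o", "1": "l", "3": "e", "5": "s"}            # paypa1, g00gle, ...


def registrable_domain(host: str) -> str:
    """The part of the host the owner actually registered (name + public suffix).
    'paypal.com.evil.co.uk' -> 'evil.co.uk'; everything left of it is a subdomain
    the attacker can name freely."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-n - 1:])
    return host.lower()


def to_ascii_host(host: str) -> str:
    """Render the host in the punycode ('xn--') form a browser shows when it
    refuses to display a mixed-alphabet name."""
    return ".".join(
        label if label.isascii() else "xn--" + label.encode("punycode").decode("ascii")
        for label in host.split(".")
    )


def skeleton(label: str) -> str:
    """Collapse look-alike letters and digits to the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, DIGIT_SWAPS.get(ch, ch)) for ch in label)


def scripts_in(label: str) -> set:
    """Unicode script names (LATIN, CYRILLIC, ...) of the letters in a label."""
    return {unicodedata.name(ch, "?").split()[0] for ch in label if ch.isalpha()}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(url: str) -> list:
    """Return human-readable red flags for the URL's host (empty list = looks fine)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    domain = registrable_domain(host)
    if domain in BRAND_DOMAINS:
        return []  # only the registrable domain counts, never the subdomain or the path
    findings = []
    ascii_host = to_ascii_host(host)
    if ascii_host != host:
        findings.append(f"non-ASCII host: browser may show it as {ascii_host}")
    for label in domain.split("."):
        if len(scripts_in(label)) > 1:
            findings.append(f"mixed scripts {sorted(scripts_in(label))} in {label!r}")
    sub_labels = host[: -len(domain)].rstrip(".").split(".") if host != domain else []
    name = domain.split(".")[0]
    for brand in sorted(BRAND_DOMAINS):
        bname = brand.split(".")[0]
        if bname in sub_labels:
            findings.append(f"brand {bname!r} appears in the subdomain; the real domain is {domain}")
        elif skeleton(name) == bname:
            findings.append(f"{name!r} is a look-alike of {bname!r} (swapped characters)")
        elif edit_distance(name, bname) <= 1:
            findings.append(f"{name!r} is one keystroke away from {bname!r} (typosquat)")
    return findings


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin",
              "https://paypal.com.account-verify.net/login",
              "https://www.fastmobille.com/pay",
              "https://p\u0430ypal.com/",      # first 'a' is Cyrillic U+0430
              "https://paypa1.com/"):
        print(u, "->", analyse(u) or ["no red flags"])
```

The allow-list check runs against the registrable domain only, which is why www.paypal.com passes while paypal.com.account-verify.net is flagged. The Cyrillic sample shows all three homograph signals at once: the host is not ASCII, the label mixes alphabets, and its confusable skeleton collapses to the brand name.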
Tip #5: Check if the website uses HTTPS
Check that the website uses HTTPS rather than plain HTTP.
HTTPS encrypts the connection between you and the site, so nobody on the network can read what you type. Browsers hide the “https://” part by default; click once in the address bar to see the full URL, or look for the padlock. The catch: most phishing sites use HTTPS too, because certificates are free. A padlock only tells you the connection is encrypted, not that the site is genuine, so treat a missing padlock as a red flag but never a present one as proof.
Tip #6: Check if the website has a certificate or trust seal
Most legitimate sites use a TLS/SSL certificate, which is what puts the padlock in your address bar. Some also display a trust seal image issued by a third-party company, but an image can be copied onto any page, so a seal on its own proves nothing.
You can click the little lock symbol at the left of your address bar to view the certificate. The useful detail is who it was issued to: the name on the certificate should be the company’s real domain, and a certificate that names an organisation (rather than just a domain) means the issuer checked that the company exists.
However – don’t rely on this as a method alone. It’s easy for a fake website to get a certificate for its own look-alike domain (including the homograph names we mentioned in Tip #4), and that certificate will be perfectly valid for that domain.
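To make the distinction in Tip #6 concrete, here is an added Python example written for this page (not code from the original article) that separates what a certificate proves from what people assume it proves. It works on two constructed certificates in the dictionary shape that Python’s ssl.SSLSocket.getpeercert() returns: a free domain-validated certificate for a look-alike host, and the brand’s own organisation-validated one. The host names, organisation names and issuers are made up for the demonstration; fetch_cert() is included only to show how you would pull a live certificate and is not used by the samples.

```python
import socket
import ssl

# Constructed sample (not a real certificate) in the shape returned by getpeercert()
# for a free, domain-validated certificate on a look-alike host.
SAMPLE_DV_CERT = {
    "subject": ((("commonName", "bankofexample.com.account-verify.net"),),),
    "issuer": ((("organizationName", "Example Free CA"),),
               (("commonName", "Example Free CA R1"),)),
    "subjectAltName": (("DNS", "bankofexample.com.account-verify.net"),
                       ("DNS", "*.account-verify.net")),
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}

# Constructed sample for the brand's own organisation-validated certificate.
SAMPLE_BRAND_CERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Bank of Example Ltd"),),
                (("commonName", "bankofexample.com"),)),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "bankofexample.com"), ("DNS", "www.bankofexample.com")),
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}


def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style name match: exact, or a '*.' wildcard covering exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def dns_names(cert: dict) -> list:
    """The DNS names the certificate is valid for (browsers only consult the SAN list)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def rdn_field(rdns, field: str):
    """Look up one attribute (e.g. organizationName) in a subject or issuer name."""
    for rdn in rdns:
        for key, value in rdn:
            if key == field:
                return value
    return None


def assess(cert: dict, host: str, brand_domain: str) -> dict:
    """Separate what the padlock proves from what the user assumes it proves."""
    names = dns_names(cert)
    org = rdn_field(cert.get("subject", ()), "organizationName")
    return {
        # What the padlock means: the certificate is valid for the host in the address bar.
        "valid_for_host": any(san_matches(n, host) for n in names),
        # DV certificates only prove control of the domain; OV/EV name a vetted organisation.
        "validation": f"OV/EV, issued to {org}" if org else "DV (domain control only, anyone can get one)",
        "issuer": rdn_field(cert.get("issuer", ()), "organizationName"),
        # The check that actually matters: is the brand's real domain on the certificate?
        "issued_to_brand": any(san_matches(n, brand_domain) for n in names),
    }


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live certificate the way the browser does (needs network; unused by the samples)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(assess(SAMPLE_DV_CERT, "bankofexample.com.account-verify.net", "bankofexample.com"))
    print(assess(SAMPLE_BRAND_CERT, "www.bankofexample.com", "bankofexample.com"))
```

For the look-alike host the result is valid_for_host True but issued_to_brand False: the padlock is earned honestly, it just vouches for account-verify.net. Only the second sample, where the brand’s real domain is among the certificate’s names, answers the question you actually care about.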
Tip #7: Be wary of pop-ups
Sometimes, phishers might send you to a page that looks legitimate, then open a pop-up window asking you to enter your username and password.
So, be careful with login pop-ups, even if the website behind them looks real. A genuine pop-up is a separate browser window with its own address bar showing the expected domain; if the ‘window’ has no real address bar, or can’t be dragged outside the main browser window, it is just a picture of one drawn by the page. When in doubt, close it and go to the site directly.
Tip #8: Give a fake password
If you’re not sure if a site is authentic, some people try entering a fake password. If it logs you in anyway, you’re almost certainly on a phishing site. Stop browsing immediately and close your browser.
That said – this test is weak. Many phishing sites show an error message regardless of what you enter, and some relay your login to the real site in real time and will correctly reject a wrong password. So, just because your fake password is rejected, don’t assume the site is legitimate. Remember too that whatever you type is sent to the attacker, so never use a password that resembles a real one.
Conclusion: Better to be safe than sorry
Unfortunately, there’s no one ‘single’ method to identify a fake site.
However, combining our tips above and staying vigilant will help prevent you being the next URL phishing victim.
The bottom line is this:
- If you don’t know the person who sent you the email or message – don’t click it.
- If you do know the person, still be wary, and carry out the checks above. Remember, they may have been hacked.
It’s always good practice to treat all links with a degree of caution. If you’re at all unsure about a website, never sign in.
Many web browsers today have free extensions to help you detect phishing sites – you can also check those out.