Phishing scams are still quite prevalent today and have even become more sophisticated with time. Most of these scams are initiated from the victim’s email inbox, with a link that leads to a fraudulent website that is similar in name and appearance to a legitimate one.

These phishing websites can look eerily close to the original at first glance, but there are certain ways to expose them for what they are and stay safe.

1. Check the URL

The easiest way to identify a phishing website is to check the URL. Most phishing websites capitalize on poor attention to detail. Be sure to take a good look at the link in your browser’s address bar or in the email sent to you. It will most likely be a tweaked version of the official website’s URL.

Keep an eye out for misspellings, leet substitutions, and weird domain names. For example, a phishing website might have a web address that says g00gle.com with the number 0 replacing the letter “o”, or binance.com.com to confuse unsuspecting visitors. Be sure to familiarize yourself with top-level domains and how they are selected.

In some cases, the attacker might employ open redirects to manipulate legitimate URLs so that they redirect visitors to malicious websites. They are harder to detect since they are embedded in trusted domains.

For example, an open redirect attack could use the link https://anexample.com/login?redirect_url=https://@nexample.com that redirects you from the legitimate website anexample.com to the malicious @nexample.com.

If you get an email that looks a bit off, take a good look at the link in it and double-check the parameters.
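
The URL checks described in this section can be automated. The following Python example is added here and is not part of the original article; the trusted-domain list, the digit-to-letter table, and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed allow-list for this example: the domains you actually intend to visit.
TRUSTED = ("google.com", "binance.com", "anexample.com")
# Common digit-for-letter ("leet") swaps; an illustrative table, not exhaustive.
LEET = str.maketrans("013457", "oleast")


def registrable(host):
    """Last two labels of a hostname. Assumption: a naive stand-in for a
    Public Suffix List lookup, which a production tool should use."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_url(url):
    """Return a list of warning strings for the URL tricks described above."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable(host)

    # Anything before '@' in the authority is user info, not the site name.
    if "@" in parts.netloc:
        findings.append("userinfo-in-url")

    if domain not in TRUSTED:
        # g00gle.com -> google.com once digits are mapped back to letters.
        normalized = registrable(host.translate(LEET))
        if normalized in TRUSTED:
            findings.append("lookalike-of:" + normalized)
        # binance.com.com: the trusted name is only a subdomain label.
        for name in TRUSTED:
            if host.startswith(name + ".") or "." + name + "." in host:
                findings.append("trusted-name-as-subdomain:" + name)

    # Open redirect: a query parameter that carries a URL on another domain.
    for key, value in parse_qsl(parts.query):
        if value.lower().startswith(("http://", "https://", "//")):
            target = urlsplit(value)
            target_host = (target.hostname or "").lower()
            if registrable(target_host) != domain:
                findings.append("offsite-redirect:%s->%s" % (key, target_host))
            if "@" in target.netloc:
                findings.append("userinfo-in-redirect-target")
    return findings
```

An empty list means none of these particular tricks were found, not that the site is safe.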

2. Look for HTTPS and the Padlock Icon

Another good way to detect a phishing website is to look at the lock icon in the address bar. The lock icon should be closed, and the URL should start with “https://.” The HTTPS protocol indicates that the website is encrypted and has a Secure Sockets Layer (SSL) certificate.

If the lock is open instead or has a red strike over it, or if there is a red danger sign where it should be, then your connection with the website is not secure. Different browsers tend to use different security symbols, so be sure to look up what your browser uses.

However, this information usually isn’t enough to detect a phishing website. According to the Anti-Phishing Working Group (APWG), more than half of all phishing websites now use SSL/TLS certificates to look legitimate. So, having SSL protection doesn’t mean a website won’t steal your private information.

Note that Google Chrome has removed its lock icon feature as of September 2023. Instead, there is now a tune icon to indicate a secure connection, so that users don’t conflate this with a trustworthy website.

3. Scrutinize the Website Content and Design

Phishing websites tend to be sloppily built most of the time, so there should be more than a few inconsistencies in the design and content. Some of the markers of a phishing website include grammatical errors, “lorem ipsum” text/placeholders, low-quality images, and unusual site architecture. Read more in our list of ways to identify a legitimate business.

Looking for a ‘Contact Us’ page can sometimes help you identify a phishing website. Some of these scam websites do not bother to include contact details, and when they do, the details don’t match the website because they are copied and pasted from elsewhere.

4. Be Wary of Pop-Up Windows

Pop-up windows are abused by these fake websites. You should be wary of a website that displays a pop-up window asking for personal information as soon as you visit the page. As a general rule, never enter your username or password into a pop-up window unless you are certain that the website is legitimate and secure.

5. Use Fake Details

A great way to suss out a phishing website is to use fake details where you are asked to provide your personal information. Most phishing websites will sign you in regardless of what you put in the login box.

Some phishing websites, on the other hand, try to be clever and send you an auto-generated error the very first time (or if the password isn’t a certain length), so make sure you try the fake credentials at least twice.

6. Watch For Urgency and Threats

Phishers may employ a false sense of urgency to get the potential victim to act immediately. If a suspicious website is trying to get you to take action as soon as possible, it is a bright red flag.

The timeline is usually unrealistic and words such as “notification”, “important”, and “immediately” are used to make a potential victim act in haste without thinking. Be very cautious of threats or offers that seem too good to be true.

7. Check Payment Methods

Not all phishing websites request payment, but the ones that do usually request either cryptocurrency or a bank transfer, because transactions made through these means are irreversible. Scam websites rarely request money via credit card or PayPal, since it is possible to reverse such payments.

If a website has any of the aforementioned red flags and is asking for a bank or crypto transfer, consider this a warning sign. You can get crypto-only sites, such as CD key platforms that accept Bitcoin and Ethereum, but you need to ensure they’re legitimate before making any payments.

8. Use a Phishing Detector

Phishing detectors employ machine learning to identify phishing attacks. This involves analyzing URLs, email/website content, domain registration, and other variables to identify suspicious elements. While dedicated, proprietary anti-phishing software exists, it is usually targeted at large companies and may be too expensive for individuals.

All major email providers have built-in, anti-phishing solutions that prevent most of these phishing attempts from reaching your inbox in the first place. They are not perfect though and some scams tend to slip through.

Also, web browsers such as Google Chrome and Firefox use Google’s Safe Browsing service to warn you about deceptive sites and dangerous software. This setting is usually on by default on the desktop versions of both Firefox and Chrome.

You can find it in Firefox by navigating to Security > Privacy & Security > Security > Deceptive Content and Dangerous Software Protection. Ensure that all three boxes are checked.

Chrome has it in Settings > Privacy and Security > Security > Safe Browsing. Select either Enhanced protection or Standard protection. You may also submit any deceptive websites you come across to Safe Browsing to help make the Web safer for everyone.

Online tools such as VirusTotal and URLscan.io allow you to scan suspicious and malicious links for malware and phishing. PhishTank provides a search tool that lets you check a website against its community-curated list of known phishing websites.

9. Educate Yourself

Keeping yourself updated about common phishing tactics and scams can help you spot them early on. Helpful resources include the Anti-Phishing Working Group (APWG) website and Phishing.org.

You should also regularly learn about cybersecurity best practices. Some of these include visiting websites manually (rather than from a suspicious email), using two-factor authentication where possible, and never opening suspect attachments.

All of the above are common ways to identify a phishing website. However, it is worth noting that a phishing website might have all these boxes checked and still be very bogus. The important thing is to keep an eye out for these types of attacks and visit the actual website being spoofed via a bookmark or a search engine whenever in doubt.