How to Identify a Phishing Website & 3 Tips to Prevent Phishing
What is a Phishing Website?
A phishing website (spoofed website) is a common deception tactic threat actors utilize to steal real login credentials to legitimate websites. This operation, commonly called credential theft, involves sending victims an email that spoofs a trusted brand, trying to trick them into clicking on a malicious link. The link takes the victim to a login page where they are asked to enter credentials such as username and password.
Successful credential theft attacks provide threat actors with all the information needed to log in to a legitimate account and perform illegal activities, such as data extraction, credit card fraud, and wire transfers.
This is part of a series of articles about cyber threats.
Ways to Identify a Phishing Website
Take a Close Look at the Content
Legitimate businesses typically invest money and time to create a polished website with sharp graphics, a well-designed user experience (UX), and error-free text. A phishing website typically looks sub-standard. Common red flags include broken English, grammar mistakes, spelling errors, and low-resolution images.
Additionally, a phishing website often does not include a “contact us” page. Websites of legitimate businesses typically display contact details, such as phone numbers, postal addresses, social media links, and email addresses. Sites that do not include this information should be flagged as suspicious.
Browsers often alert users when they visit an insecure site by pushing a security alert, such as “insecure connection.” This alert can indicate that the user is visiting a phishing website or that the site’s owners have not properly migrated the site to HTTPS.
Before visiting a site that prompted this warning, users must click on the padlock icon to the left of the URL. The padlock icon provides information on the website’s security certificate and cookies. A cookie is data that a website sends and the browser stores on the end user’s computer.
In addition to verifying the site’s certificate, users should ensure that the connection itself is encrypted. Encryption keeps the information exchanged with the site private and prevents eavesdroppers from flagging the user as a vulnerable target.
Check Payment Methods
Legitimate websites accept credit or debit cards or other standard online payment methods like PayPal. However, phishing websites often ask for a bank transfer. Users falling prey to fraudulent online schemes can claim their money back if they made the purchase with a debit or credit card. However, there is no way to get back money transferred via a bank transfer. Since legitimate websites do not ask for bank transfers, users must never make online purchases via this method.
Be Wary of Pop-Ups
A phishing scam can direct users to a website and use a pop-up window to obtain their personal information. If the pop-up window shows up immediately, asking users to enter personal information, such as their usernames and passwords, this can indicate a phishing scam. Unless users know with 100% certainty that the website is legitimate, verified, and secure, they must never enter their information into such pop-ups.
Reviews can help identify phishing websites. Before making any purchase online or providing personal information, users should research the company to determine whether it is legitimate and check its reputation. If the website defrauded visitors in the past, the victims might share this experience online. Since actors can easily fake reviews, users should check several trusted sources.
Here are common indicators of fake feedback:
Many similar reviews — Might have a similar writing style or describe everything in the same manner.
Very recent reviewers — The ideal reviewer is a long-standing member of a reviews website. Reviewers who have reviewed hundreds of websites are more likely to offer credible information than newly created accounts.
Few reviews — This can occur when a company is new. However, if the site seems suspicious and there is little online feedback, avoid the site.
3 Tips to Prevent URL Phishing
Here are key security measures to help protect users and businesses against phishing URLs:
Organizations can protect users against URL phishing by ensuring their email security has URL filtering or link protection. These technologies limit access to certain URLs by comparing the URLs users try to visit against a blocklist or other lists of known malicious domains. Link protection automatically rewrites the URLs in inbound mail so that the security solution can scan the destination when the link is clicked and block it if it is malicious.
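The two mechanisms described above, blocklist matching and click-time link rewriting, as an added example that is not code from the original article or from any vendor product. The blocklist entries, the gateway URL and the email body are constructed placeholders; the blocklist match also covers subdomains of a listed domain, which goes slightly beyond the text.

```python
import re
from urllib.parse import urlsplit, quote, unquote

# Constructed blocklist of "known malicious" domains (placeholder values, not real indicators).
BLOCKLIST = {"login-update.example", "secure-verify.invalid"}

# Hypothetical click-time scanning gateway that rewritten links point at.
GATEWAY = "https://linkscan.example.org/click?u="

HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def hostname_of(url: str) -> str:
    """Normalized hostname of a URL: lower-cased, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_blocked(url: str, blocklist=BLOCKLIST) -> bool:
    """True if the URL's host, or any parent domain of it, is on the blocklist.
    Checking parent labels means 'mail.login-update.example' is caught by 'login-update.example'."""
    labels = hostname_of(url).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def rewrite_links(html: str, gateway=GATEWAY) -> str:
    """Link protection step: replace every http(s) href in a mail body with a gateway link
    carrying the original URL, so the destination is checked at click time, not only at delivery."""
    def repl(match):
        return 'href="%s%s"' % (gateway, quote(match.group(1), safe=""))
    return HREF_RE.sub(repl, html)


def scan_at_click(rewritten_url: str, blocklist=BLOCKLIST, gateway=GATEWAY):
    """Gateway-side decision: recover the original URL from a rewritten link and
    return ('block', original) if it matches the blocklist, else ('allow', original)."""
    if not rewritten_url.startswith(gateway):
        raise ValueError("not a link rewritten by this gateway")
    original = unquote(rewritten_url[len(gateway):])
    return ("block" if is_blocked(original, blocklist) else "allow", original)


# Constructed phishing-style email body with one malicious and one benign link.
SAMPLE_EMAIL = ('<p>Your account needs attention. '
                '<a href="https://mail.login-update.example/reset?id=42">Verify now</a> or '
                '<a href="https://www.example.com/help">visit help</a></p>')

if __name__ == "__main__":
    protected = rewrite_links(SAMPLE_EMAIL)
    for link in HREF_RE.findall(protected):
        print(scan_at_click(link))
```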
Threat actors often adapt their techniques to bypass spam filters and email gateways. A spear-phishing solution can help protect against phishing URLs using artificial intelligence (AI). AI-based protection solutions can identify and block anomalous or impersonating URLs. Inbox defense helps protect against spear-phishing attacks employing malicious URLs even if the phishing website is hosted on a high-reputation domain or was not used in previous campaigns.
Security Awareness Training
Organizations should include URL phishing as part of their security awareness training program. Staff should learn to recognize phishing attacks, understand how they work, and know how to report them. Phishing simulation technology can help test the program's effectiveness and identify which users are most vulnerable to attacks.
How to Report Phishing Websites
After identifying a suspicious URL, the first step is to alert the IT department, which needs to block it and remediate the threat. The next step is to choose an entity to report the website to. It is critical to report these sites because many defenders rely on this information to protect users and organizations against phishing websites.
Many security companies collect data on URL phishing sites and other threats. Unfortunately, they keep this information to themselves. Instead, organizations and individuals can report phishing URLs to the Anti-Phishing Working Group (APWG) by sending emails to [email protected].
The US Cybersecurity and Infrastructure Security Agency (CISA) has partnered with the APWG to create a collection of fake website addresses and phishing emails. The APWG’s eCrime Exchange (eCX) provides a threat data repository and data sharing platform.