Image credit: Christiaan Colen/Flickr
Phishing scams are all too common these days.
They usually come in the form of an email claiming to be from a legitimate company. Usually there's a link in the email asking you to "confirm your account" or "claim your prize".
But how can you avoid phishing scams and tell the difference between these type of malicious emails and emails that are sent from the legitimate company?
Well to be honest, some of them are really convincing, and it seems the fraudsters are getting better at it.
The best thing to do is to have a paranoid mindset, and be constantly aware of phishing and links in emails.
But when you're not concentrating and let your guard down, it's easy for the fraudsters to trick you.
So I'm writing this post in answer to the question in the title i.e. "How can you avoid phishing scams?".
By reading this post, it will help boost your phishing detection skills, and to teach you what to look for so that you don't get caught out during those lapses in concentration.
Please help your friends and family out too by sharing this post with them, so that they also know what to look for.
Ready? OK let's begin 🙂
What you can do to avoid phishing scams
Most phishing comes in the form of an email or text message as I've said, but sometimes it's possible to arrive at a phishing site by accidental means too.
But there are a few things that you can do and things you can look for which should help you to recognise the traps.
Always check the hyperlink
When you check a link in an email, be sure you check the actual hyperlink itself rather than the text that is displayed (which can be anything the scammers can dream up).
For example, look at the URL below and see for yourself. If you hover over it, you'll see that it actually links to paypol.com but the text displays paypal.com
Check the website's domain in the URL.
Scammers can buy up very deceptive domains, so you need to know what you're looking for.
The golden rule when checking a URL is to work backwards from the last forward slash on a URL.
If there are no forward slash apart from in the "https//" bit, then work backwards from the end of the URL and look at the bit between the ".com" or ".co.uk" and the last period (or fullstop if you're in the UK). Doing this will reveal the true domain.
For example, the following domains are nothing to do with PayPal even though they use the word PayPal in the domain and they are typical of the types of links that you might see in a phishing email.
Example 1:
The domain in this example is www-paypal.com
Example 2:
The domain in this example is payments-paypal.com
Example 3:
https://paypal.com-myaccount.com
The domain in this example is more deceptive. It's com-myaccount.com and it uses the word "paypal" as a subdomain.
Real phishing site example – Bank of America
For a real life example, check out the image below which is an actual Bank of America phishing site I've found using PhishTank.
The giveaways to me are the URL (look at it carefully, it's a deceptive one) and the fact that it isn't secure (non-https):
The phishing site also looks very different to the real site as you can see below:
Check for a secure connection (https)
Have a look in the address bar in your browser and check if it has "https" in the URL.
If it doesn't then it's a good indicator that it's a phishing site.
Having said that, scammers are starting to use https for phishing sites, so use this as an indication only.
Look at the site itself
Take a look at the site on which you are on. Does it look like the site you site you think you are on, or does it look slight different?
You can double check by visiting the site you think you're on by opening a new tab and typing in the URL.
If they're different, it's probably a scam site.
A lot of scam sites and phishing emails have spelling and grammar mistakes in them so it's worth checking the email and website itself for these mistakes.
The email or phishing site might have been produced by someone whose native language isn't English, hence the spelling and grammar mistakes.
A legitimate company would check emails and websites thoroughly before making them public as it can affect their reputation if they get these things wrong.
Type the URL into the Browser yourself
One of the best things you can do to avoid phishing scams is to go directly to the website itself by typing the address into your browser. Do this especially with your online bank.
This is much better than clicking a link and it saves you the bother of checking the URL, checking the site etc etc.
An even better idea is to save your favourite websites as bookmarks which gets you into the habit of visiting sites directly rather than clicking on links.
Unfortunately, even this isn't a completely infallible way to avoid landing on a phishing site, because scammers can use something known as DNS poisoning so that even if you type the correct URL into your browser, you will still arrive at the phishing site.
This is very rare however and malware will more than likely need to be installed onto your machine in order to modify your Operating System's DNS cache.
Use a custom DNS service
DNS (Domain Name System) is basically the phone book of the internet and it is responsible for converting human readable domain names (such as facebook.com) into IP addresses (such as 125.5.6.75) which computers can understand.
It's usually your Internet Service Provider (ISP) that provides the facility (the servers) to look up domains to find their IP addresses, but if you use a third party DNS service, then they can do a lot more.
Third party DNS services not only have the ability to resolve domain names, some also have the ability to filter sites based on their content (i.e. if they are a phishing site) or if they contain malware.
One of the most popular is OpenDNS but it's also worth checking out Google's Public DNS too.
Use PhishTank to check lists
Really not sure about that link you just clicked on?
Well there are websites out there that will tell you whether it's a phishing site or not based on their own findings and/or crowd sourced data.
One of the largest collections of phishing data and information is PhishTank.
You can use this site to check if your link is a phishing site and it even has an API which developers can use to integrate it into their own websites and applications.
Wrapping up
These tips should provide you with the know-how to spot phishing and will help you to stay safe online if you follow them.
Always be vigilant though, you can never be too careful or too paranoid online.
Always keep your browser up to date and take notice of browser warnings. Chrome will often turn the entire screen red if it detects you have clicked on a phishing site.
Furthermore, be wary of requests for personal information. Companies will already have the details they need on their systems and will have no need to ask you again.
Also, be very wary of competitions you've won, yet you've not entered.
I always go with the advice that "if it looks too good to be true, it probably is".
And finally, never open attachments unless you know who the email is from. It could be a virus.
Now that you're a pro, why not test your knowledge with this Phishing Quiz by OpenDNS?
Also be good person and share your new found knowledge with others, so that they too don't get caught out online!
Do you know any good tips to avoid phishing emails and spot phishing sites? Let me know in the comments as they may benefit someone someday!
Cheers!
Baz