5 Tips to Avoid Phishing Scams

 

Phishing Scams
Phishing attacks are prevalent yet often easily identifiable. I consistently assess phishing detection capabilities using actual examples and possess all the necessary information to prevent falling victim to scams. I have been evaluating security software for over three decades. In my assessment of antivirus applications, I ensure they effectively eliminate known malware and successfully defend against emerging threats. Additionally, I rigorously test their capacity to identify phishing schemes using real-world examples. The reason for this is that a phishing attack does not need to bypass the operating system or evade your antivirus; it merely needs to deceive you, the unsuspecting user. Crafting a webpage that mimics your bank's site is relatively straightforward compared to developing a new ransomware attack. To avoid becoming a victim, it is essential to recognize the signs that reveal these fraudulent attempts.

How Do Phishing Scams Work?

The fundamental aspect of executing a credential-harvesting phishing scheme involves crafting a replica of a secure website that is sufficiently convincing to deceive a majority of individuals, or at least a portion of them. The most sophisticated forgeries ensure that every pixel aligns with the authentic site, and all links direct to legitimate, accurate destinations, with the sole exception being the link that transmits your username and password to the criminals. 

To enhance the site's credibility, the scammers attempt to devise a URL that appears somewhat legitimate, opting for variations such as pyapal.com or paypal.security.reset.com instead of the genuine paypal.com. Phishing scammers can achieve success even with subpar skills; some counterfeit pages may utilize incorrect color schemes or otherwise fail to replicate the appearance of the original page accurately. Others feature absurdly unconvincing URLs, such as 1oglnperiodupdatejsesslonmalnusa.188-166-248-152.cprapid.com or lime-elysia-47.tiiny.site, both of which were actual URLs collected during my analysis. Remarkably, even these poorly executed fakes manage to ensnare a few victims, suggesting that the fraudsters continue their efforts for a reason.

When you input your username and password on a fraudulent website, the operators of that site gain complete control over your account. To maintain the illusion for as long as possible, they might relay your credentials to the legitimate site, making it appear as though you have logged in as usual. The first indication of trouble may arise when you discover your bank account is depleted or when you are unable to access your email, while your contacts report receiving spam messages from you. Therefore, what measures can you take to prevent being ensnared by this deception? 

1. Look for Obvious Phishing Sites

Certain fraudulent websites are so poorly designed that they fail to persuade any discerning observer. If you encounter a site that appears unprofessional, try refreshing the page by pressing Ctrl+F5, as the unsightly appearance may be a temporary issue. However, if the site continues to look unappealing, it is advisable to avoid it. Consider the aforementioned page: why are all the input fields misaligned?

Most contemporary websites are designed to adapt to the dimensions of your browser window. With your suspicions now heightened, you are more likely to notice that the website's name in the address bar is marked as insecure. When constructing a phishing site, authenticity is crucial. Utilizing a free web hosting service that displays its banner on your page or includes its domain in your URL is a clear indication of deceit. Nevertheless, during my phishing protection assessments, I frequently come across a few blatant fakes that show no effort, such as this one. Who would believe that AT&T operates on Weebly?

2. Pay Attention to the Address Bar

Contemporary web browsers have shifted their emphasis away from the traditional address bar, evolving it into a search-plus-address bar at the very least. Nevertheless, the address bar remains a crucial tool for verifying the legitimacy of a webpage. 

The most adept phishing detectors can identify a fraudulent URL almost instinctively. Sometimes, the deception is straightforward; few would mistake 'Placeboook' for Facebook. However, some scammers employ more sophisticated imitations, such as 'Arnazon' for Amazon. At the highest level of deception, they may incorporate visually similar foreign characters. Would you be able to distinguish between 'wellsfargo' and 'wellsfarġo'? Be vigilant for efforts to obscure the true domain part of the URL, which is the segment just before the final .com, .net, .org, etc. Anything preceding the domain is merely a subdomain. For instance, if 'fakery.paypal.com' were to exist, it would be a subdomain of 'paypal.com'. Conversely, if you encounter 'paypal.fakery.com', that is unequivocally a fraudulent site.
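The subdomain rule and the lookalike spellings described above can also be checked mechanically. The following Python sketch is an added example, not code from the original article; the TRUSTED allowlist, the CONFUSABLE table and the function names are assumptions made for illustration, and taking the last two host labels as the domain is a simplification.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: a short, hypothetical allowlist of sites the user really logs in to.
TRUSTED = {"paypal.com", "facebook.com", "amazon.com", "wellsfargo.com"}
# Constructed lookalike substitutions, e.g. "rn" read as "m" ('Arnazon').
CONFUSABLE = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def registrable_domain(url):
    """Return the last two host labels, e.g. 'reset.com'.
    Simplification: production code needs the Public Suffix List (co.uk etc.)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def skeleton(label):
    """Fold accents and common lookalike sequences into a comparable form."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    for fake, real in CONFUSABLE:
        text = text.replace(fake, real)
    return text

def is_transposition(a, b):
    """True if a is b with one adjacent pair swapped ('pyapal' vs 'paypal')."""
    if len(a) != len(b):
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])

def classify(url):
    """Return 'trusted', or the reason this URL should not get credentials."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").rstrip(".").split(".")
    domain = registrable_domain(url)
    if domain in TRUSTED:
        return "trusted" if parts.scheme == "https" else "trusted domain, but not HTTPS"
    name = domain.split(".")[0]
    for good in sorted(TRUSTED):
        brand = good.split(".")[0]
        if brand in labels[:-2]:
            return f"brand '{brand}' used as subdomain of {domain}"
        if skeleton(name) == skeleton(brand) or is_transposition(name, brand):
            return f"lookalike of {good}"
    return "unknown domain"

if __name__ == "__main__":
    for u in ("https://paypal.fakery.com/", "https://pyapal.com/", "https://wellsfar\u0121o.com/"):
        print(u, "->", classify(u))
```

The exact-match test against the registrable domain is the same reason a password manager declines to auto-fill on a lookalike site.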

Phishing attacks targeting online storage accounts do not provide the same guaranteed rewards for criminals as obtaining bank login information. In contrast, individuals often do not exercise the same level of caution with these accounts. Online storage can contain a wide array of information, ranging from lists of Girl Scout cookie orders to confidential plans for a Mars mission. Similarly, while there may be limited financial gain from stealing login credentials for streaming services, such access could jeopardize more critical accounts that share the same login details. Observe the address bar in the image above; even if you manage to deceive a friend into providing their Netflix credentials, the URL will not display 'idiotfriend' in a legitimate Netflix link!


 The screenshot above reveals another anomaly. It is evident that the URL does not correspond to Xfinity, Comcast, or any associated brand. Furthermore, the browser is indicating a significant warning, highlighting that the site's security certificate has been revoked. While it is true that webmasters of legitimate sites may occasionally make mistakes and allow their certificates to expire, it is clear that this page is fraudulent.

3. The HTTPS Lock Is Important

The HyperText Transfer Protocol (HTTP), which serves as a fundamental communication system for the internet, is a remnant from the early era of the World Wide Web. It lacks security features because the potential for malicious activities was not anticipated during the internet's infancy. However, with the presence of cyber threats today, the most prudent method of connection is through the secure HTTPS protocol.

Most web browsers, including Edge and Firefox, display a lock icon next to HTTPS URLs. However, starting a few years ago, Chrome adopted a different strategy. According to a Google study, nearly all websites accessed utilize a secure HTTPS connection. Consequently, Chrome has made HTTPS the default setting, prominently marking any HTTP connections with a large 'Not Secure' label. Regardless of how your browser indicates it, you should refrain from logging into any site that does not employ HTTPS.

It is important to note that even an HTTPS domain can be vulnerable if its security certificate is either compromised or expired. The URL presented above may appear nearly legitimate, yet the browser has flagged it as 'Not Secure.' Additionally, the HTTPS portion of the URL is crossed out and displayed in red. It is crucial to heed this warning and avoid such pages.
You might contend, 'What about a legitimate site that simply hasn't transitioned to a secure connection?' Unfortunately, I cannot accept that argument. In today's environment of ubiquitous HTTPS, there is no justification for a site to request your login information without utilizing HTTPS, even if it is not fraudulent; such a site cannot be considered legitimate.

4. Be on the Lookout for Email Scams

 It is a well-known guideline to avoid clicking on links in email messages from unknown senders. Additionally, it is advisable to refrain from clicking links in messages from known contacts, as their accounts may have been compromised. This advice is prudent, as clicking on an unfamiliar link could lead to a site that hosts malware or engages in fraudulent activities. When encountering a link that directs you to a login page, it is crucial to consider the legitimacy of the source. While it is possible to receive an email from your bank, many financial institutions prefer not to communicate in this manner.
 If you find yourself redirected to a login page for a national or international bank after clicking a link on an unrelated website, it is likely a phishing attempt. In the event that your bank, the IRS, or PayPal genuinely needs to inform you about an issue with your account, the best course of action is to bypass the link and access the service directly through the usual login process. Additionally, exercise caution with emails or web pages that demand immediate action from you. For instance, a notification may claim that your Facebook account will be disabled unless you log in to rectify the situation. However, upon inspecting the Address Bar, it becomes evident that the site is not Facebook. In such cases, it is advisable to log into Facebook through the standard method; if the warning is legitimate, it will be displayed there.

5. Use Security Software

Outsmarting fraudsters and recognizing their clever tactics certainly provides a sense of satisfaction. However, your vigilance may wane over time, making it wise to seek assistance in combating phishing scams. Contemporary web browsers come equipped with built-in safeguards against deceptive websites, and they perform adequately. When you are about to visit a fraudulent site, they display a prominent red warning, as illustrated below.


Many antivirus and security suite solutions incorporate their own defenses against phishing attacks. The most effective among them can achieve protection ratings as high as 100% in our evaluations. The following chart illustrates the effectiveness of the leading third-party phishing detection tools compared to the built-in protection offered by your web browser:

Utilizing a password manager can also significantly reduce the risk of falling victim to phishing scams. Most password managers allow you to access secure websites and log in with a single click. If you inadvertently navigate to a fraudulent site, your password manager will not recognize it and will refrain from auto-filling your saved credentials, serving as a crucial warning sign.

The most astute internet users employ a virtual private network (VPN) for their online activities. By routing your internet connection through a VPN, your data is safeguarded during transmission, as it is encrypted before reaching the VPN server. This also provides some level of protection against cyber-stalking, as your online activity appears to originate from the VPN server rather than your local IP address. However, it is important to note that using a VPN does not offer any defense against phishing attacks. When you submit your credentials to a phishing site, the method by which you accessed that site is irrelevant. Phishing attacks are designed to target you directly, rather than your devices or communication methods.

Recognizing the Signs to Combat Phishing

Phishing is more widespread than one might think. The images used in this article were captured during practical anti-phishing tests conducted for antivirus reviews. They were genuine at the time of testing, but they are likely no longer active. Fraudulent websites are quickly blacklisted, yet scammers continuously create new deceptive pages. Cybercriminals who engage in phishing schemes succeed because their victims fail to recognize the warning signs of deception. Now that you are aware of what to look for, you will be less likely to fall prey to such tactics. While it is advisable to utilize additional resources like password managers and the phishing detection features of your antivirus software, it is equally important to remain vigilant and identify any fraudulent activities that may evade detection. If a webpage appears suspicious, take the necessary precautions.

During the early days of the IBM PC, I held the position of president of the San Francisco PC User Group for a duration of three years. This role facilitated my introduction to the editorial team at PCMag, who subsequently invited me to join their ranks in 1986. Since that pivotal encounter, I have established myself as PCMag’s authority on security, privacy, and identity protection, rigorously testing antivirus software, security suites, and various security applications. Prior to my current focus on security, I provided PCMag readers with practical advice and solutions regarding widely used applications, operating systems, and programming languages through my columns 'User to User' and 'Ask Neil,' which commenced in 1990 and continued for nearly two decades. Throughout this period, I authored over 40 utility articles, in addition to writing 'Delphi Programming for Dummies' and six other books that addressed DOS, Windows, and programming topics.

I also conducted reviews of thousands of products, encompassing everything from early Sierra Online adventure games to Q-Link, the predecessor to AOL. In the early 2000s, I shifted my attention to security and the expanding antivirus sector. With years of experience in antivirus evaluation, I have gained recognition as an expert within the security industry. I currently serve as a member of the advisory board for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit organization committed to enhancing the testing of anti-malware solutions.
