How to Avoid Phishing Scams

[Animous]

Writing malware is just another coding job these days, but it’s a tough one. Legitimate coders need to create programs that do what they’re meant to do, in cooperation with the operating system and any other processes. Malware coders have the added task of crafting programs that can hide their nefarious deeds from the operating system, and from antivirus programs. It’s not an easy way to make a buck. No wonder, then, that some malefactors skip trying to outwit the operating system and switch to a much easier target…you! They create fraudulent copies of popular websites and wait for victims to log in. When you fill in your credentials on one of these fakes, you’ve given your account to the fraudsters. Keep your eyes open, though, and you can avoid being scammed.

The COVID-19 Factor

With vast numbers of people stuck at home, seeking entertainment on the internet, phishing scammers are in hog heaven. For starters, they've just gained a larger audience for ordinary credential-stealing frauds. But the fear, uncertainty, and doubt brought on by this unprecedented pandemic make perfect fodder for brand-new types of scams. 

Even back in April of 2020, Google reported blocking 18 million virus-related scams every day. Google does a good job; estimates suggest it blocks 99.9 percent of spam and phishing emails. That means, though, that 18,000 unwanted messages got through, to an unknown number of victims, every day.

Virus scammers aren't just going for your passwords; they want your money. Scams and cons have been around as long as humanity, and they work online just as well as in person. Be wary of any email bearing any connection to the pandemic, especially if it urges you to click a link or download a file. If the fake email's sense of urgency worries you, go directly to the source rather than using a provided link.

Remember, too, that the check you're expecting from Uncle Sam is called an "economic stimulus payment." If you see a phrase like "stimulus check," you're looking at a scam.

I haven't personally encountered any frauds or scams related to COVID-19, perhaps thanks to Google. And the websites I scrape to find real-world phishing frauds for testing focus on credential theft, not other types of scams. But I don't doubt for a second that the virus scammers are out there, in force. 

For specific tips on protecting yourself from this type of threat, please read How to Spot and Avoid COVID-19 Scams.

How Phishing Scams Work

The key to running a credential-stealing phishing scam is creating a replica of a secure website that's good enough to fool most people, or even just some people. With the classiest fakes, every link goes to the real site. Well, every link except the one that submits your username and password to the perpetrators. As icing on the cake, the fraudsters may try to create a URL that looks at least a little bit legitimate. Instead of paypal.com, perhaps pyapal.com, or paypal.security.reset.com.

However, not every phishing page is well done. Some use the wrong colors or otherwise fail to match the page they imitate. Others have totally unconvincing URLs, things like admin.dentistry.com/forms, or X8el87.journal.com. Even these lame fakes can pick up a few suckers, apparently, or the fraudsters would give up.

When you enter your username and password on a phishing site, the site owners gain full access to your account. To keep you from realizing you've been scammed, they may pass the credentials along to the real site, so it looks like you logged in normally. Your only clue may come when you find that your bank account is empty, or that you can't log into your email, and your friends say they're getting spam from you. So how do you armor yourself against this kind of attack?

0 seconds of 0 secondsVolume 0%

00:00

00:00

Eliminate the Obvious

Some fake websites are just too poorly implemented to convince anyone who's paying attention. If you link to a site and it just looks like garbage, press Ctrl+F5 to totally reload the page, in case the bad appearance was a fluke. But if it still doesn't look right, stay away.

Check out the page above. The formatting is weird, and it’s weirder as you change the browser window width. The labels for the email and password fields move differently from the corresponding data entry fields. How hard would it have been to just center all the content?

When you create a phishing page, verisimilitude is essential. Using a free web hosting service that leaves its banner on your page or its domain in your URL is kind of a giveaway. Even so, every time I run a phishing protection test, I encounter a handful of not-even-trying fakes like this. Who’d believe Facebook uses 000webhostapp.com?

Check the Address

Modern web browsers are moving away from a big focus on the address bar. It's now the search-plus-address bar, at the very least. But that address bar is an extremely important resource when you're eyeballing a page to confirm that it's legitimate. The best phish-sniffers can spot an off-kilter URL out of the corner of one eye, without even thinking about it.

Watch out for attempts to obscure the actual domain portion of the URL. That's the portion immediately preceding the final .com, .net, .org, and so on. Anything that comes before the domain is just a subdomain. If the URL fakery.paypal.com existed, it would be a subdomain of paypal.com. If instead you see paypal.fakery.com, well, that's pure fakery!

Phishing attacks on Dropbox accounts, or other online storage accounts, don't have the guaranteed value that thieves get from capturing bank logins. Conversely, people don't necessarily apply the same level of vigilance to these accounts. Anything might turn up in online storage, from a list of Girl Scout cookie orders to secret plans for a mission to Mars. Likewise, there’s not much obvious income potential in capturing logins for streaming media, but access to that account might lead to compromising some more important account with the same credentials. Have a look at the address bar in the image above. Even if you log into Netflix by scamming credentials from an idiot friend, you surely won’t see “idiotfriend” in the URL!

Here’s another oddity. Clearly the URL doesn’t represent Xfinity, or Comcast, or any related brand. But beyond that, the browser is waving a big red flag, pointing out that the site’s security certificate has been revoked. Yes, webmasters for valid sites do occasionally screw up and let their certificates lapse, but this page is clearly a fraud.

Look for the Lock

The HyperText Transfer Protocol (HTTP) communications system used for basic internet communication is a holdover from the early days of the world wide web. It's not secure, because nobody imagined others doing bad things on the nascent internet. Well, the bad folks are here, and the only sensible way to connect is using the secure HTTPS protocol. Web browsers show a lock icon for HTTPS pages. Chrome takes a step beyond, actively marking HTTP sites "Not secure." You should never log into any site that doesn't use HTTPS.

"But wait," you may argue, "what about a legitimate site that just hasn't gotten around to going secure?" Sorry, I don't buy it. In this age of HTTPS Everywhere there's no excuse. A site that wants you to log in without using HTTPS, even if it's no fraud, is just not legitimate.

If you don’t notice the .ru domain, this page might look like a legitimate Amazon login page. Note, though, that there’s no lock, and that the address begins http:, not https:. Don’t touch this page; it’s evil!

RECOMMENDED BY OUR EDITORS

Don't Get Scammed by Scareware: 3 Easy Tips to Stay Safe

Simple Tricks to Remember Seriously Secure Passwords

7 Signs You Have Malware and How to Get Rid of It

Sometimes, you just can't tell by looking. The Commonwealth Bank website does call its online banking system Netbank. The secure page at netbank.com shown above looks legitimate. If you're not sure, a quick look at the whois data for the domain may help your decision. I think we can agree, it's very unlikely that the actual Commonwealth Bank's site would park its hosting with CrazyDomains.com.

[Silent Watcher]

Avoid unnecessary posts such as 'Thank you', 'Welcome', etc. Such posts will be deleted and user will be warned if it happens again. If caught spamming, the following actions are applicable -

• First time - Warning
• Second time - 5000 Points will be deducted
• Third time - Ban for 7 days
• Fourth time - Permanent Ban

If the post helped you, reward the user by reacting to the post like this -