In computing, phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Ever received an email asking you to update your account urgently? If the answer to this is yes and you often see these kinds of emails in your inbox, then you have seen the first step of phishing. Here are my tips to spot a fake website.
How to spot a fake website – Phishing
1] Check Security Signs while doing any money transaction
- You must always look for “https” on any site you use to enter sensitive information. It includes login pages, online shopping sites, and bank websites. Notice that there is an extra “s” in bold which tells that the server is secure. e.g., https://login.yahoo.com/config/login_verify2 for yahoo login.
- Notice the closed padlock/lock on the lower right corner of the browser window. If you click on it, it will open a window that gives you more details regarding the certificate. Every company that asks you for sensitive information must have a digital certificate, preferably one from an established certificate authority.
2] Misspelled and fake URL
Sometimes a site is replicated so well that you won’t be able to find a difference if it’s really a fake one. They will have the same design as the original website, and since most of us never look at the URL, we get into the trap. These smart criminals can replicate any web site down to the last detail. It wouldn’t surprise me if they used the same web designer to do it.
- Misspelled domains are big deceivers. Phishers will purchase a domain name that resembles the real domain. They will replace letters with numbers or with other letters. Pay close attention to the spelling of a domain name, and learn to spot a fake like www.yohoo.com or http://www.paypol.com/.
- Variations of domains should also be a red flag. Don’t click on links in any email that contains URLs like http://center.google-security.net. A legitimate URL should read if it belongs to Google. Anyone could’ve purchased www.google-security.net for a scam (I’m just using Yahoo! as an example here).
- An IP address looks something like 220.127.116.11. Bottom line, never trust emails that point you to URLs that only show an IP address.
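The checks in sections 1 and 2 (https, raw IP addresses, misspelled domains, brand names tucked into a different domain) can be automated. The script below is an added example written for this post, not a tool from the original article or from any vendor. The brand list and the sample URLs are constructed for the demo, and the domain parsing assumes ordinary two-label domains (it does not handle endings like co.uk).

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed list of brands this checker protects: registered domain -> brand word.
# A real deployment would load the organisation's own list.
KNOWN_BRANDS = {
    "google.com": "google",
    "yahoo.com": "yahoo",
    "paypal.com": "paypal",
}

# Digit-for-letter swaps that phishers use to build look-alike names (paypa1, g00gle).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

URL_PATTERN = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.I)


def registrable_domain(host):
    """Last two labels of a hostname: 'login.yahoo.com' -> 'yahoo.com'.
    Assumption: two-label public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """Return a list of warnings for one URL; an empty list means no red flag found."""
    warnings = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        warnings.append("no https: never enter passwords or card details here")

    # Section 2, third bullet: a bare IP address instead of a domain name.
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a domain name")
        return warnings
    except ValueError:
        pass

    domain = registrable_domain(host)
    if domain in KNOWN_BRANDS:
        return warnings  # the genuine brand domain

    name = domain.split(".")[0]
    normalised = name.translate(CONFUSABLES)
    for real_domain, brand in KNOWN_BRANDS.items():
        if brand in host:
            # Brand word present, but the registered domain is someone else's
            # (google-security.net, paypal.com.evil.example).
            warnings.append(f"mentions '{brand}' but the registered domain is '{domain}', not {real_domain}")
        elif edit_distance(normalised, brand) <= 1:
            # One typo or one digit swap away from the real name (yohoo, paypol, paypa1).
            warnings.append(f"'{domain}' looks like a typo or letter swap of {real_domain}")
    return warnings


def scan_message(text):
    """Map every URL found in an email body to its warnings."""
    return {url: check_url(url) for url in URL_PATTERN.findall(text)}


if __name__ == "__main__":
    # Constructed sample email body for the demo.
    sample = ("Please verify at http://www.paypol.com/ or http://220.127.116.11/login. "
              "Real login: https://login.yahoo.com/config/login_verify2")
    for url, warnings in scan_message(sample).items():
        print(url, "->", warnings or "no red flags")
```

The edit-distance test is deliberately strict (one edit at most) so that unrelated short domains are not flagged; widen it only if your brand list contains long names.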
3] Extra Tips
- Ask F-Secure Tool to see if the website is fake or not.
- Never test websites to see if they’re legitimate by entering passwords or personal information. These sites may install malicious software known as a key logger, which records everything you type and then sends that information to spammers. Also read our detailed post on how to detect Hardware KeyLoggers.
- Stay abreast of the latest scams: The FBI’s web site has a list of all the latest scams reported, so check it periodically.
- If you’re being urged to “verify” sensitive account information, contact the company directly instead. Always type the web site’s address in the address bar instead of clicking links on suspicious emails.
- PayPal never uses generic greetings in their emails. Next time you get an email from PayPal, check the salutation, as PayPal will usually use your member name.
- Emails from banks and credit card companies will usually include partial account numbers. Therefore, one should always be suspicious if the message does not contain specific personal information.
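The last three tips describe things to look for in the message itself: an urgent demand to “verify” something, a generic greeting instead of your member name, and the absence of a partial account number. The script below turns those three tips into a simple scoring check over an email body. It is an added example for this post, not code from the original article or from PayPal or any bank; the phrase lists and the two sample emails are constructed for the demo.

```python
import re

# Constructed phrase lists; tune them for your own mail stream.
GENERIC_GREETING = re.compile(
    r"\b(dear|hello|hi)\s+(valued\s+)?(customer|member|user|client|account holder|sir/madam)\b",
    re.I,
)
URGENCY_PHRASES = [
    "verify your account",
    "update your account",
    "confirm your identity",
    "within 24 hours",
    "immediately",
    "will be suspended",
]
# A genuine bank or card mail usually quotes the last digits of the account.
PARTIAL_ACCOUNT = re.compile(
    r"(ending in|ending with|last four digits|x{4,}|\*{4,})\s*\d{4}\b", re.I
)


def analyse_email(body, member_name=None):
    """Return a list of findings; each finding is one red flag from the tips above."""
    findings = []
    lower = body.lower()

    if GENERIC_GREETING.search(body):
        findings.append("generic greeting instead of your member name")
    elif member_name and member_name.lower() not in lower:
        findings.append("message never uses your member name")

    hits = [p for p in URGENCY_PHRASES if p in lower]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    if not PARTIAL_ACCOUNT.search(body):
        findings.append("no partial account number quoted")

    return findings


def verdict(body, member_name=None):
    """Collapse the findings into a label; two or more red flags is treated as suspicious."""
    findings = analyse_email(body, member_name)
    return ("suspicious" if len(findings) >= 2 else "probably fine"), findings


# Constructed sample messages for the demo.
PHISH = """Dear Valued Customer,

Your account has been limited. Please verify your account within 24 hours
or it will be suspended. Click here: http://www.paypol.com/verify
"""

LEGIT = """Hello Alice,

Your statement for the card ending in 4242 is ready.
Log in by typing paypal.com into your browser to view it.
"""

if __name__ == "__main__":
    for label, body in (("phish", PHISH), ("legit", LEGIT)):
        print(label, "->", verdict(body, "Alice"))
```

The check is a heuristic, so a clean result is not proof of legitimacy; it is meant to back up the manual habit of reading the salutation and looking for account details before acting on any request.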
4] Test Your Phishing IQ
Phishing is one of the most widespread cybercrimes, according to the FBI, and one that costs consumers millions of dollars each year. These scams have one purpose: to get as much personal information from a user as possible. This includes login information, Social Security numbers, date of birth, and other identifiable information. This information can help scammers open bogus accounts under your name or steal from your existing ones.