Tech ramblings and grumblings

How to spot and protect yourself from phishing online

A friend of mine who studies in the field of cyber security recently shared a blog post about a tool called BlackEye, which essentially shows you how easy it is to set up a phishing attack against someone.

This sparked my interest to write this post about phishing, what it is, how to spot a phishing attack and how you can protect yourself against it.

What is phishing?

Let’s begin with a definition of what phishing is in my own words… Phishing is an attempt to steal data (usually personal information, login credentials or financial details) by pretending to be a legitimate source e.g. Gov.uk, Facebook or HSBC.

How does phishing work?

The attacks are usually spread by mass communication such as email and SMS, but can also arrive via social media. The message carries a link or a button that leads to a website or web page.

The attacker will usually set up a fake website or web page designed to look exactly the same as one from a legitimate source, e.g. a Gov.uk refund form, Facebook’s login page or HSBC’s login page.

The victim would then use the website or web page as normal, thinking they are entering their data into the real version. However, this data gets sent to the attacker instead.

The scary part is that the victim doesn’t know their data has been stolen, since the fake website or web page usually just redirects to the real one once the data has been entered.

How do you spot and protect yourself?

So “how do I spot a phishing attack and protect myself against it” you ask?

Firstly, look at the email, SMS or social media message you have received…

  • Does it contain any spelling or grammatical errors?
  • Does it visually look the same as any other emails you have received from the company?
  • Does it look professional or does something feel “off” about it?

Look particularly at the sender…

  • You can usually click on the name of the person who sent an email to reveal the email address that sent it.
  • Check that the domain part of the email address (the part after the @) matches the domain name of the company the email is supposedly from.
  • Be aware that email names and addresses can be spoofed/faked.
  • Gmail is one of the best email providers at recognising a spoofed email address, but you can sometimes spot it by eye too.

Next, hover (press and hold on mobile) over any links or buttons before you click on them.

  • By doing this, you can see if a link is actually directing to where it says it is going to.
  • Some links can say they go somewhere but actually go somewhere else when you click on them.

Be sure you are using a good antivirus if you are on a computer (such as Norton or Kaspersky), as this can sometimes detect malicious emails and links, even after you’ve clicked on them.

You can also use a browser extension such as Web of Trust to verify that the links you are visiting are actually the legitimate ones.

Next, when you are on the website or web page, check the URL/address bar…

  • It should have the domain name of the website or web page you were intending to visit and nothing else.
  • You can check this by Googling the name of the website or web page you were intending to visit.
  • Be aware that attackers are using a more sophisticated method to mimic the domain name of a legitimate source: using foreign characters, e.g. “ą” instead of “a”, to make up web addresses that look like the real thing, e.g. “www.fącebook.com”.
  • It should also have https:// or a green/black padlock before the web address.
  • If it doesn’t have these things, you should leave the website or web page immediately.
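The two checks above (does the link go where its text says, and is the address bar really on the domain you meant to visit, with no look-alike characters) can be automated. This is an added example, not code from the original post: it scans a constructed sample HTML message for the warning signs the post describes. The sample links, the expected domain `facebook.com` and the placeholder host `secure-login.example` are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a hostname (assumption: no multi-part suffixes like .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(href, text, expected_domain):
    """Warnings for one link: scheme, look-alike characters, wrong domain, text/href mismatch."""
    warnings, url = [], urlparse(href)
    host = url.hostname or ""
    if url.scheme != "https":
        warnings.append("not https")
    if not host.isascii():  # 'ą' in 'fącebook' is a look-alike; the real DNS name is punycode
        puny = host.encode("idna").decode("ascii")
        warnings.append(f"non-ASCII hostname (punycode: {puny})")
    if registrable_domain(host) != expected_domain:
        warnings.append(f"host {host!r} is not on {expected_domain}")
    shown = re.search(r"[\w.-]+\.[a-z]{2,}", text, re.I)  # does the link text itself look like an address?
    if shown and registrable_domain(shown.group()) != registrable_domain(host):
        warnings.append(f"text shows {shown.group()!r} but link goes to {host!r}")
    return warnings

def audit_email(html_text, expected_domain):
    """Map each href in the message to its warnings ([] means the link looks consistent)."""
    parser = _Links()
    parser.feed(html_text)
    return {href: check_link(href, text, expected_domain) for href, text in parser.links}

# Constructed sample message (not a real email): one genuine link, two phishing patterns.
SAMPLE_EMAIL = ('<p>Verify your account.</p><a href="https://www.facebook.com/login">www.facebook.com</a>'
    '<a href="http://www.fącebook.com/login">www.facebook.com</a>'
    '<a href="https://facebook.com.secure-login.example/">Log in now</a>')
```

Note that https:// only tells you the connection is encrypted, not who runs the site, so the domain comparison is the check that matters most; the third sample link passes the https test but fails it.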

Again, a good antivirus can usually detect URL modification.

Next, check the website or web page itself…

  • Does it contain any spelling or grammatical errors?
  • Does it visually look like the website or web page of the company you have seen before?
  • Does it look professional or does something feel “off” about it?

Finally, before you enter any data, just click the “Next” or “Submit” (or similar) button below the form where you’re being asked to enter the data…

  • Sometimes this may just redirect you to the legitimate website or web page, if the attacker has been lazy.
  • Other times, this may bring up errors saying you haven’t filled in the correct fields – check these for spelling/grammatical errors too.

Some closing tips…

  • If you don’t know whether an email/message or website/web page is legitimate or not, you can always ask a knowledgeable family member, friend or social media community.
  • If you have any doubts, do not enter ANY information into a website or web page – that includes but is not limited to… name, date of birth, address, phone number, email address, login credentials/passwords/pass codes, banking or credit card information.
  • If you are asked to buy a gift card of any kind to pay for something, it is most likely a scam and you should NOT COMPLY, even if you are threatened with financial, legal or service loss.
  • Most banks will never ask you to log in through an email or SMS message, and will instead ask you to go to your online banking account through Google or by your own means (not by clicking on any links inside the email/SMS message).
  • If you spot a phishing page and want to be a good Samaritan, you can report it on scammer.info or by forwarding the email to report@phishing.gov.uk, where it will be dealt with appropriately.

I hope you’ve found this guide useful.

It took a little while to put together, but I wanted to share as much information on this topic as possible, so sharing it with your friends, family and on social media would really help!
