Would you know a good phish when you see one?
This time on The Lowdown with Lou – we’re learning all about how to spot a fake website…
“Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons.”
When browsing the Internet, have you ever questioned the legitimacy of the websites you come across? As in, are they real and what they say they are? In previous weeks I’ve talked about fake goods and fake emails, so it only seems right to now talk about, you guessed it, fake websites. A good fake website can be quite hard to spot (they’re designed that way ;) ) but there are a few basic things you can look for which give them away.
Firstly, it’s probably important to understand why someone might want to create a fake website. Usually, they are created to imitate a legitimate site, with the intention of tricking you into thinking they are the real thing (basically phishing). They can be used to gather personal information, financial details, all stuff that you don’t really want people knowing about. Luckily, many fake sites are reported and picked up by Internet browsers these days, so if you ever get the message shown below, trust what it’s saying and select ‘Get me out of here!’ – and NOTHING ELSE!
Should you find yourself looking at a website that hasn’t already been flagged as a fake, though, and you have a feeling something just isn’t quite right with it, there are three really easy things to consider in your quest to identify a phish. The first is appearance.
As I’ve already said, these websites are designed to look just like the one they are trying to be; however, there are often a few telltale signs that may indicate that it’s not the real deal. More often than not, phishing sites are put together quickly, so they often contain errors. As an example, here’s a copy of a phishing website, pretending to be HSBC.
At first glance, you may think this website looks ok. The company logo is there and it’s talking about banking, as you’d expect. However, notice how bare it looks in places, and how the plugin hasn’t worked. These are all signs that something maybe isn’t quite right. Any reputable company knows how important appearance is, and will spend time making sure that their website is fully functional for their customers. If something just doesn’t quite ring true about a website, it’s worth being suspicious.
So, you’ve taken some time to look at the appearance, and you’re still not sure if it’s the real deal or a phish. The next thing to consider is the web address, or URL. I’m going to turn to Twitter to help demonstrate this one. As I’m sure many people (if not everyone) are aware, the web address for Twitter is www.twitter.com. Below is an example of a website that looks suspiciously like Twitter.
Let’s take a closer look at that URL though…
This is where you have to be vigilant, as sometimes the ‘misspelling’ of words is quite easy to overlook. The human brain is sometimes a little too clever for its own good, and is more than capable of reading misspelled words and interpreting them as what it thinks they should be. For example, if I write ‘can you read this’, with some of the letters swapped around, so it says ‘cna yuo raed tihs?’ many should be able to read and understand that without much difficulty. The same applies to web domains that are designed to look just like legitimate ones, often with only one minor change to the spelling. As you can see in this example, it has an ‘i’ at the start and a ‘j’ instead of an ‘i’ in Twitter. Interesting stuff.
Unfortunately, it isn’t always as obvious as this. Some fake sites have totally made up addresses, which are all spelled correctly, so don’t generally give you any reason to be suspicious. In this case, it’s onto step 3 – spelling and content.
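The web-address check from step two can also be done by a program. The Python below is an added example, not part of the original post: it counts how many single-character edits (including two swapped letters) separate a hostname from a short list of trusted sites. The TRUSTED list, the threshold of 2 and the sample addresses are assumptions, and itwjtter.com is constructed from the description above.

```python
from urllib.parse import urlsplit

# Assumption: a short allow-list of sites you actually use.
TRUSTED = ("twitter.com", "hsbc.co.uk")


def edit_distance(a: str, b: str) -> int:
    """Edits needed to turn a into b: insert, delete, substitute or
    swap two adjacent characters (optimal string alignment)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[-1][-1]


def host_of(url: str) -> str:
    """Lower-cased hostname with any leading 'www.' removed."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare address as a host
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify(url: str, max_distance: int = 2):
    """Return (verdict, closest trusted domain or None)."""
    host = host_of(url)
    if not host:
        return ("unknown", None)
    best = min(TRUSTED, key=lambda t: edit_distance(host, t))
    dist = edit_distance(host, best)
    if dist == 0:
        return ("trusted", best)
    if dist <= max_distance:
        return ("lookalike", best)
    return ("unknown", None)  # made-up names are not caught by spelling


if __name__ == "__main__":
    # Constructed samples; the second follows the article's description.
    for url in ("https://www.twitter.com/", "http://www.itwjtter.com/login",
                "http://secure-login.example/"):
        print(url, "->", classify(url))
```

An "unknown" verdict only means the address is not a near-miss of anything on the list, which is exactly the correctly spelled, made-up address case that needs step 3.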
So, you’ve checked out the appearance, and you can’t see any glaring mistakes in the URL but you’re still not convinced. Now it’s time to look at what the site is actually saying to you, and how it’s saying it. As I’ve already said, reputable companies know how important first impressions are, and how important their customer-facing website is to the business. They will most definitely take their time writing and reviewing their content, for accuracy and quality, so if you come across a site that is littered with spelling errors, it’s time to get suspicious. It’s not only spelling mistakes either – other clues include the overuse of punctuation (the exclamation mark is a popular one, any site with lots of !!!!!!! would suggest to me that the site isn’t very professional!) or repetition of words (I saw one some time ago that referred to email accounts, the word ‘account’ appeared in one sentence 5 times. That’s a bit too many ‘accounts’ for me, and as such I decided not to log into my account because I thought my account might be compromised if I did and I like to keep my account safe, because, well, it’s my account. See what I mean?) I’m not saying just because there is the odd mistake on a site, it automatically means it’s a fake, as we’re all human and mistakes do happen; however, I’d advise you bear them in mind, especially if you’re about to enter your personal information, financial details or click any links. It’s your information, so only share what you are comfortable sharing (remember, how much is too much?)
I think that’s enough detective work for one day. There are many other telltale signs to look for, but I think the points I’ve covered today are enough to get you started. So, to summarise:
Respect any warning messages that come up when you attempt to visit a website – they are there to protect you!
Always check the appearance of a webpage, if it looks bare, has broken links, poor pictures or just doesn’t seem quite right, close it down and leave it alone!
Check the web address for spelling mistakes, or strange text that you weren’t expecting to see. If you’re not happy with it, close it down!
Have a good read of the content, if it’s badly worded, contains spelling errors or overuse of punctuation, be cautious! I’m not saying it makes it a fake, but it sure makes it look like the person behind it hasn’t spent much time on it!
And finally, only share information that you are comfortable to share – don’t be fooled or bullied into logging into websites that you are not sure of (a good easy trick here is to use fake credentials to log in with – if the login is successful with something you’ve just totally made up – it’s definitely a phishing site, so leave it well alone! A failed login doesn’t prove the site is genuine, though, as a fake can show an error after capturing what you typed.)
Until next time, stay safe!