Phishing websites, emails, and links are all designed to mimic trusted companies to trick you into disclosing your login and password. The latest scheme uses domain names that appear identical to legitimate web addresses. In the past, fraudsters have duped internet users into visiting knock-off or misspelled domains; the new scam is much more sophisticated and hard to spot.
Fraudsters register domains with characters from various alphabets instead of the default Latin script. Known as a homograph attack, the well-devised domains are designed to look identical to legitimate domains. Practically impossible to spot, the best way to protect yourself online is to double-check where your browser is really going.
Look for the padlock icon in your browser indicating TLS or SSL encryption and check for a valid website security certificate (a digital file that verifies a site’s identity) before entering any of your personal information. Avoid accessing websites through links sent in emails or from around the web—type the address yourself in the URL bar, or use trusted direct links. Here are some other signs to watch for to protect yourself online.
Signs of a Phishing Site
The web address
An incorrect company name, misspellings, or extra characters or symbols are all signs of illegitimate sites.
If you’re sent to a website that immediately displays a pop-up asking for your login credentials, you’re probably on a phishing site. Some phishing scams direct you to a legitimate site before displaying a pop-up to gain your username and password.
Signs of a Phishing Email
Watch out for emails that include urgent calls to action and state that your account has been compromised or will be soon be closed. Scammers also tend to use language about maintenance activities, upgrades, and “routine security checks”—these phrases are all intended to trick you into providing confidential information like your login credentials or personal information. Companies like your financial institutions have your passwords securely stored and do not need you to log in “verify” your information, especially via an email—if they really have a problem they will contact you by mail or phone.
The originating email
These messages often do not come from obviously corporate email addresses like CustomerCare@chase.com but instead from firstname.lastname@example.org, so pay attention to the little details. If someone came up to you on the street not in a police uniform, you would question whether they were police, so make sure you know who you’re dealing with before handing over the keys to your financial kingdom.
LINKS TO FAKE WEBSITES
Fraudsters may include links to fake websites that look identical to legitimate websites (logos and branding are easy to replicate). Watch for web addresses that contain the official company name, but in the wrong location, or authentic links mixed in with fake links to make the phishing site appear legitimate.
When in doubt, remember to navigate to websites directly rather than using links, and if you do receive an unsolicited email, delete the email and reach out to the business to verify whether the message was legitimate. Some phishers are brazen enough to provide the real company’s customer service email and phone number in the message in an effort to convince you of their identity. The phishers don’t have a call center, so they just gamble that you won’t make the call to verify.
TIPS FOR THE TECHNICAL
Pay careful attention to the true destination of the links they send you—your browser verifies where you’re going and if it doesn’t say “chase.com” then you’re not going to Chase. This is an obvious giveaway and one they cannot hide. Your browser tells you definitively where you’re visiting and is one of few things you can trust.
Misspellings and “close” names are sometimes used fraudulently. With all the new TLD’s out there, you can obtain “Chase.travel” as an example and your email system may not display the true destination but your browser will. Try hovering over the link in your email and notice when it doesn’t match the rest of the email.
Many times the URL’s are short and have two-letter domains at the end because they are registered overseas, such as “goguscerrahisi.com.tr”—this is a domain registered in Trinidad in the Caribbean and obviously not Chase.com, or anything similar.
These schemes cannot prevent your web-browser from revealing your real web destination, so with a little care and diligence, you can prevent yourself from being duped.