Ever gotten an email like this one? (Click to enlarge the image.)
I often wonder how many people are actually big enough suckers to respond to these emails. It must be a surprising number, whatever it is, because we wouldn’t be getting them if there wasn’t some money in it.
Unfortunately, a lot of phishing scams are much more subtle. And that’s when even the most seasoned Internet users can accidentally type their login information (or even credit card information, Social Security number, and so on) into a fake form. It hasn’t happened to me yet, but I’m quite aware that it might.
I got sent a link to an enlightening quiz a few days ago. There are several things that you should watch out for to determine if a website is real or fake (if you look at the examples in the quiz, you’ll see the first two things, and the other two don’t really need screenshots, so I won’t take any):
- Check the URL in the address bar. Every modern web browser puts the actual domain name (like google.com) in bold. This is because sometimes scammers create URLs that look like this: http://7436et.kjfgk.com/ebay.com/login/7463e8et.php. Then people look at the address bar, see “ebay.com,” and figure that it’s legit. So remember: the part that’s in bold is the only part that matters.
- Check for a security certificate. If you’re being asked for sensitive information, the connection should always be encrypted, which will be signified with a small lock icon and sometimes the company’s name next to the address bar. SSL (the encryption system used for web browsing) is a really complicated topic, but basically, if you don’t see that icon, beware, and never, ever enter your financial information into a page that doesn’t have the lock. (Some legitimate websites have login pages that are unencrypted but then send your login information over an encrypted connection when you actually press Submit.)
- If the website doesn’t look quite like the login screen usually does, beware. If at all in doubt, play it safe: close that tab, open a new tab, type the website’s URL into the address bar, and start again from there.
- If you’re clicking a link in an email, check the status bar before you click. Just hover your mouse over the link and look in the very bottom-left corner of your browser, and you should see the URL displayed. Make sure it’s what you were expecting.
The biggest problem is not determining whether a website is real or fake when you’re suspicious–these four steps should catch just about every phishing attack out there. The real problem is remembering to check. Make it a habit to glance over and check the URL and the lock icon before entering any sensitive information, and if you’re ever asked to log in to a website when you weren’t expecting to (for instance, you click a link on Facebook and are presented with a login screen, even though you were already logged in), be sure to take a long, hard look.
If you haven’t taken the quiz yet, I’d encourage you to. After reading this post, you ought to get a perfect score.
Soren “scorchgeek” Bjornstad
If you have found an error or notable omission in this tip, please leave a comment or email me: email@example.com.
Copyright 2011 Soren Bjornstad.
Verbatim copying and redistribution of part or all of this article
is permitted, provided this notice is preserved.