What phishing is and how to recognize it

Phishing is a type of cyber attack in which an attacker tries to trick you into handing over personal information, most often your login credentials. A phishing attack is executed using “bait”. The bait is usually an email made to look like it came from someone else. It can also be a website disguised to look like another, such as Google or your bank, where the attacker wants you to enter your login credentials. You think you are logging into a familiar service, while your username and password are actually sent to the attacker. In the worst case, the attacker gets hold of your credit card details, which lets them make payments on your account.

Phishing is among the most common forms of cyber crime. At the same time, it is one of the easiest to detect and therefore avoid, provided you know what to look for. Every internet user should know the characteristics of a phishing attack. Recognizing it is your main defence; a password manager (which will not fill your credentials into a form on an unfamiliar domain) and two-factor authentication limit the damage when recognition fails, but neither replaces it.

How to detect phishing on the web

Phishing websites work hard to look like another website, usually the login screen of Facebook, Google, PayPal, or some other large service.

Phishing sites come in several forms. The most common tries to look exactly like another site: it copies your bank’s or PayPal’s entire website and tricks visitors into “logging in” there, then forwards the credentials to the attacker. Modern browsers and their safe-browsing block lists take steps to defend users from such sites, which is why a second form has emerged: the attacker replicates only the login section rather than the whole site.

This works because people are used to logging into third-party services with their Facebook, Google, or VKontakte accounts, which has made many users careless about where they type their social media passwords. Taking over social media accounts is good business for criminals: they can use your account to scam your friends, distribute malware, or post ads to groups you are a member of.

Defending against either type of attack comes down to one habit: verify the site before typing in your password. Modern browsers help by highlighting a secure connection. A lock icon and https:// in the address bar indicate a TLS-encrypted connection (still commonly called SSL). The certificate behind it is tied to the domain name shown in the address bar, so the lock tells you that nobody between you and that domain can read or alter the traffic. It does not tell you who owns the domain, and since certificates are issued for free to anyone who controls a domain, most phishing sites have one too.

Lock icon indicating a secure connection in Google Chrome: the connection to grynersec.com is encrypted.

Never enter your password at an address that does not use https://. Addresses protected by a TLS certificate start with https:// instead of plain http://, and anything you type into an http:// page travels across the network in the clear.

The lock sign and https show the connection is encrypted, but you should not trust them blindly. A phishing site can easily have a valid certificate. First and foremost, certificates are obtained for free by whoever controls a domain, and the attacker controls the domain they registered. Another way is to use a hijacked domain or a compromised legitimate site. The important thing is to check the domain name you are currently visiting. Never type your password anywhere but the official URL. How hard can it be to tell a legitimate URL from a fake one? Trickier than you might think. Look at the following (made-up!) addresses.

1. https://login.facebook.com

2. https://login.facebook.security.asdg.co

3. https://login.facebook.remember.me.hu/

4. https://facebook.com/login

5. https://example.com/facebook/login

Once again, most of these URLs are made up just to illustrate the point. All of them use https and contain “facebook” and “login”. The catch is that only the first and fourth are actually on facebook.com. The rest are phishing sites made to look like the Facebook login; they have nothing to do with the real thing.

The fifth example might be a legitimate login URL if it opens a popup window or redirects you to the real facebook.com. It is definitely phishing if it asks you to type your Facebook password directly into a form on example.com.

Just using https does not mean the site is actually what you think it is.

How do you recognize well-hidden phishing behind a valid certificate? Look at the full host name: the part of the URL between :// and the first forward slash. The last dot in it separates the domain name from the extension (the top-level domain). For this article’s site, the domain name is “grynersec” and the extension is “com”. The problem is that the owner of a domain can put practically anything in front of it as subdomains. If you read from the last dot backwards, you will easily spot attempts to confuse you with subdomains. One caveat: some countries use two-label extensions such as co.uk or com.au, and there the domain name is the label in front of that pair (in www.example.co.uk the domain is “example”, not “co”). Let’s analyze the previous examples.

1. The last dot separates the domain facebook from the extension com. This is the real Facebook.

2. The last dot separates the domain asdg from the extension co. Everything before that is a subdomain, dressed up to look like the Facebook login. You are actually on https://asdg.co.

3. The last dot separates the domain me from the extension hu. The address might read “facebook remember me”, but it has nothing to do with Facebook. “Me” is just a two letter domain name, and .hu is the Hungarian national domain extension.

4. The address only has one dot before the first forward slash. It separates the domain facebook from the extension com. This is the real Facebook.

5. All references to facebook come after the first forward slash. The domain in this example is example.com, which has no reason to ask your Facebook username or password.

Always check that you enter your credentials at the correct domain.
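Here is the last-dot rule written out as code, as an added example of mine rather than code from the original article. It uses Python’s standard urlsplit to find the host name and a tiny hand-written excerpt of the Public Suffix List (an assumption, labelled in the code; a real check loads the full list) to find the registrable domain. It goes slightly beyond the five addresses above: it also handles two-label extensions such as co.uk, where the naive last-dot rule gives the wrong answer, plain http:// URLs, and the https://facebook.com@evil.example/ trick, where everything before the @ is a username rather than a host name.

```python
from urllib.parse import urlsplit

# Assumption: a hand-written excerpt of the Public Suffix List, just enough for
# the hosts below. A real check loads the full list from publicsuffix.org (or
# uses a library such as tldextract); the rest of the logic is unchanged.
PUBLIC_SUFFIXES = {"com", "co", "hu", "me", "org", "co.uk", "com.au"}

# Illustrative allow-list: the only registrable domain where typing a Facebook
# password is legitimate.
FACEBOOK_DOMAINS = {"facebook.com"}

VERDICT_OK = "real facebook.com"
VERDICT_PHISH = "not facebook.com: do not enter a Facebook password here"
VERDICT_PLAIN = "plain http: never enter a password here"


def naive_last_dot(host: str) -> str:
    """The article's rule of thumb: the label before the last dot is the domain,
    the label after it is the extension. Right for .com, wrong for co.uk."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def registrable_domain(host: str) -> str:
    """Registrable domain (eTLD+1): the label just in front of the longest
    trailing run of labels that forms a public suffix. This generalises the
    last-dot rule so that multi-label suffixes such as co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()  # unknown suffix: treat the whole host as the domain


def classify(url: str) -> tuple[str, str]:
    """Return (registrable_domain, verdict) for a would-be login URL."""
    parts = urlsplit(url)
    # .hostname strips userinfo and port, so https://facebook.com@evil.example/
    # yields evil.example: everything before '@' is a username, not a host.
    host = parts.hostname or ""
    domain = registrable_domain(host)
    if parts.scheme != "https":
        return domain, VERDICT_PLAIN
    if domain in FACEBOOK_DOMAINS:
        return domain, VERDICT_OK
    return domain, VERDICT_PHISH


if __name__ == "__main__":
    for url in [
        "https://login.facebook.com",
        "https://login.facebook.security.asdg.co",
        "https://login.facebook.remember.me.hu/",
        "https://facebook.com/login",
        "https://example.com/facebook/login",
        "https://facebook.com@login.facebook.remember.me.hu/",  # userinfo trick
        "http://facebook.com/login",                           # no TLS at all
    ]:
        domain, verdict = classify(url)
        print(f"{url:55} -> {domain:14} {verdict}")
    # where the last-dot rule breaks down: a two-label extension
    print(naive_last_dot("www.example.co.uk"), "vs", registrable_domain("www.example.co.uk"))
```

The point of the userinfo case is that the browser’s address bar, not the text of a link, is the place to read the host name; the point of the co.uk case is that the “last dot” is a shortcut for “the public suffix”, which is sometimes more than one label long.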

What if the domain checks out, but you still have a nagging feeling that something is not right? In that case you can check the certificate the site presents. It is a slightly more involved procedure, but nothing requiring a CS degree.

The quickest route in Google Chrome is to click the lock (site information) icon in the address bar, then “Connection is secure”, then “Certificate is valid”. The same viewer is reachable from the developer tools: select “More tools” and then “Developer tools” from the menu, open the “Security” tab and click “View certificate”. The certificate viewer shows which host names the certificate was issued for (the Subject Alternative Name list) and, for some certificates, the organization it was issued to.

You can try this out by going to www.paypal.com and following the steps above. You’ll see the certificate is issued for www.paypal.com, so the site is legitimate. Expanding the details shows which organization the certificate was issued to; for paypal.com that is PayPal, Inc., which is exactly right.

The paypal.com certificate is issued to PayPal, Inc. for www.paypal.com. This is the real PayPal.

You can always check the SSL certificate to verify the website.

A quick note about the certificate details. Not every certificate carries an organization name in its subject the way PayPal’s does. Only organization-validated (OV) and extended-validation (EV) certificates do, because the certificate authority checks the company’s identity before issuing them. The free domain-validated (DV) certificates used by most smaller sites, and by most phishing sites, only prove control of the domain. Banks, payment processors and large service providers such as Facebook and Google usually have OV or EV certificates. A DV certificate does not mean a site is insecure; you just cannot use it to confirm which organization the site belongs to. Note also that current browsers no longer display the organization name in the address bar, so you have to open the certificate viewer to see it.
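The same check in code, as an added example that is not part of the original article. The constructed certificate dicts mirror the shape Python’s ssl getpeercert() returns, but their values are placeholders, not the real certificates of paypal.com or anyone else. The fetch_cert helper shows how to pull a live certificate; the offline demo compares a constructed OV certificate carrying an organization name against a constructed DV certificate for a look-alike phishing host, which is just as valid for its own host name and simply has no organization to show.

```python
import socket
import ssl
from typing import Optional


def fetch_cert(hostname: str, port: int = 443) -> dict:
    """Fetch a live server certificate in the dict form ssl returns (needs
    network; the offline demo below uses constructed dicts of the same shape).
    create_default_context() already verifies the chain and the host name, so
    a certificate for the wrong name never gets this far."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def _rdn_field(rdns, field: str) -> Optional[str]:
    """Pull one attribute (e.g. organizationName) out of a subject/issuer tuple."""
    for rdn in rdns:
        for key, value in rdn:
            if key == field:
                return value
    return None


def dns_names(cert: dict) -> list:
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """RFC 6125-style matching against the DNS SAN entries: a wildcard covers
    exactly one label, and only the leftmost one."""
    host = hostname.lower().rstrip(".")
    for name in dns_names(cert):
        name = name.lower()
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def describe(cert: dict, hostname: str) -> dict:
    """The three things the browser's certificate viewer tells you."""
    return {
        "host_matches": hostname_matches(cert, hostname),
        # organizationName exists on OV/EV certificates only; DV ones give None
        "organization": _rdn_field(cert.get("subject", ()), "organizationName"),
        "issuer": _rdn_field(cert.get("issuer", ()), "organizationName"),
    }


# Constructed samples in getpeercert() shape. They are NOT the real certificates
# of these sites; the field values are placeholders for illustration only.
OV_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "PayPal, Inc."),),
                (("commonName", "www.paypal.com"),)),
    "issuer": ((("organizationName", "Example Commercial CA"),),),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
}
DV_CERT = {
    "subject": ((("commonName", "login.facebook.security.asdg.co"),),),
    "issuer": ((("organizationName", "Example Free CA"),),),
    "subjectAltName": (("DNS", "*.facebook.security.asdg.co"), ("DNS", "asdg.co")),
}

if __name__ == "__main__":
    print(describe(OV_CERT, "www.paypal.com"))
    print(describe(DV_CERT, "login.facebook.security.asdg.co"))
    print(describe(OV_CERT, "www.paypal.com.evil.example"))  # look-alike host
```

Note what the DV case shows: the phishing host’s certificate matches its own host name perfectly, so a “valid certificate” verdict alone proves nothing. The useful signals are the host name list (which must contain the official domain) and, where present, the organization.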

How to detect phishing in email

Phishing by email is more common than on the web. To phish on the web, the attacker first has to get the victim to the website; by email, they can send the bait to millions of potential victims at once. Phishing emails are also harder to distinguish from legitimate ones than websites are, so you have to be even more careful with email. With a careful look at the sender and the headers, though, most phishing emails give themselves away.

You should always use an email filtering system. If you use a popular public email provider like Gmail or Hotmail, you are already set. That might not be the case if you or your employer runs a private mail server; there the filtering software has to be installed and configured manually, which is a job for your IT department. All you can do is ask whether an email filter is in place. If the answer is no, urge them to install one as soon as possible. Give them the link to this article if they don’t think it’s worth it.

How do you detect phishing emails? No corporation or government agency will contact you from a free-mail account. Emails from addresses like irs@hotmail.com, taxoffice@gmail.com and googlesupport24@yahoo.com are almost certainly scams; you can delete them unopened. Always check the sender’s address and make sure it comes from the correct domain.

The correct domain name does not guarantee that the email was sent by the entity it appears to come from, because the sender address is trivial to forge. How is it even possible to send email in someone else’s name and from their address? Email has more in common with regular letters than you might think. When sending regular mail, you write the recipient’s address on the front of the envelope and your own on the back (or in the upper left corner in the US). Nothing stops you from writing anyone’s name and address as the return address, and the recipient will think the letter came from there. Email works practically the same way: the From: header is just text the sender types in. It is not hard to send an email with president@whitehouse.gov as the sender. That is called spoofing.

Any decent spam filter will catch the crude version, because email is easier to trace than a letter. The receiving server checks the sender’s domain against the IP address the email actually arrived from: domain owners publish the list of servers allowed to send mail for them (an SPF record), can sign their messages (DKIM), and can tell receivers what to do with mail that fails both checks (DMARC). The filter knows something is wrong if the email claims to come from whitehouse.gov but arrives from a server that whitehouse.gov has never authorized.

There are legitimate reasons for mail to arrive from a server outside the sender’s domain. Most newsletters you have subscribed to, for instance, are sent through third-party services that the sender has authorized in its SPF record or whose messages it has signed. A spoofed email that exploits a sloppy configuration, or impersonates a domain that publishes no such records, can make its way past your filter exactly like a newsletter does.

How do you know whether the email was really sent by the sender? It is easy in Gmail. Click the small arrow next to the sender’s name to show the details and check the “mailed-by” and “signed-by” fields; both should show the domain the sender claims to be from. It takes a bit more work if you or your company does not use Gmail.

Gmail has made it simple to check the sender domain

If you don’t use Gmail, locate the “show original” or “raw email” option in your email client. The raw email is the machine-readable form your client renders. You’ll see a long text that probably looks quite strange; that’s fine, computers don’t need the content to be readable. The part you need is the header block at the top: everything above the first empty line. (The body starts right after that line. “Content-Type:” is often the last header, but don’t rely on it.) In Outlook, open the email in its own window and choose File -> Properties, then look at the “Internet headers” field.

Paste the headers into Google’s Messageheader tool (part of the Google Admin Toolbox) and click “Analyze the header above”. It shows the path the email took to reach you, one “Received” hop per row. Read the hops with one caveat in mind: each server prepends its own Received line, so the lines at the top were written by your own provider and can be trusted, while anything further down was already in the message when it arrived and could have been typed by the sender. The first server your provider recorded as handing the message over should belong to the sender’s domain: if you got an email from something@important-government-stuff.org, that server should be in important-government-stuff.org.

Always check that the email was really sent from the domain it appears to be from.

Of course, you don’t have to analyze every single email you get, but you should definitely do it if the content seems suspicious.

Treat all e-mails asking for your information as suspicious.

A domain mismatch does not always mean phishing, but it should put you on high alert. Confirm the identity of the sender by some means other than replying to the email. You could call the organization the email claims to be from, using a number from its official website rather than one printed in the email. It only takes a moment to confirm whether the email was really sent by your bank or the IRS. This also lets the organization know someone is scamming people in its name, should the email turn out to be phishing.

A more telling sign of phishing is a reply address that doesn’t match the sender. The header tool (or the raw headers) shows it as “Reply-To”; make sure it is in the same domain as the From address. Be suspicious of emails whose sender and reply-to addresses differ, since that is how a spoofed message routes your answer back to the attacker.
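The header checks from this section and the spoofing discussion above, as an added example of mine rather than code from the article. It parses two constructed raw messages (labelled in the code; the hosts and addresses are placeholders) with Python’s standard email module, trusts only the Received hops written by your own provider (assumed here to be servers under mail.example), compares that first external hop and the Reply-To domain against the From domain, and reads the SPF/DKIM/DMARC verdicts the receiving server stamped into the Authentication-Results header.

```python
import email
import re
from email.utils import parseaddr

# Constructed raw message (not a real email). It has a spoofed From, a free-mail
# Reply-To, an SPF/DMARC failure stamped by the receiving server, and a forged
# bottom Received line the sender wrote to look like a legitimate first hop.
# Servers prepend Received headers, so the top one is the most recent hop.
SPOOFED = """\
Received: from mx.mail.example (mx.mail.example [192.0.2.10])
\tby inbox.mail.example with ESMTPS id a1b2c3
\tfor <you@mail.example>; Mon, 1 Jan 2024 10:00:02 +0000
Received: from bulk-sender.example (bulk-sender.example [198.51.100.7])
\tby mx.mail.example with ESMTP id d4e5f6; Mon, 1 Jan 2024 10:00:01 +0000
Received: from mail.important-government-stuff.org (localhost [127.0.0.1])
\tby bulk-sender.example; Mon, 1 Jan 2024 09:59:00 +0000
Authentication-Results: mx.mail.example; spf=fail smtp.mailfrom=important-government-stuff.org; dkim=none; dmarc=fail
From: "Tax Office" <refunds@important-government-stuff.org>
Reply-To: refund-desk@freemail.example
To: you@mail.example
Subject: Your refund is waiting
Content-Type: text/plain; charset="utf-8"

Please confirm your account details to receive your refund.
"""

# Constructed control message: same claimed sender, but delivered by a server
# in the sender's own domain and passing every authentication check.
LEGIT = """\
Received: from mx.mail.example (mx.mail.example [192.0.2.10])
\tby inbox.mail.example with ESMTPS id g7h8i9; Mon, 1 Jan 2024 11:00:02 +0000
Received: from mail.important-government-stuff.org (mail.important-government-stuff.org [203.0.113.5])
\tby mx.mail.example with ESMTPS id j0k1l2; Mon, 1 Jan 2024 11:00:01 +0000
Authentication-Results: mx.mail.example; spf=pass smtp.mailfrom=important-government-stuff.org; dkim=pass; dmarc=pass
From: "Tax Office" <notices@important-government-stuff.org>
To: you@mail.example
Subject: Annual statement available
Content-Type: text/plain; charset="utf-8"

Your statement is available in your online account.
"""

RECEIVED = re.compile(r"from\s+(\S+).*?\bby\s+([^\s;]+)", re.IGNORECASE | re.DOTALL)
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def addr_domain(header_value) -> str:
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def received_hops(msg) -> list:
    """(from_host, by_host) per Received header, newest first, as in the raw mail."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED.search(value)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops


def first_external_hop(hops, our_suffix: str):
    """Walk the hops our own provider recorded (the top of the block, which the
    sender could not forge) and return the outside server that handed the mail
    to us. Every Received line below that point was supplied by the sender."""
    for from_host, by_host in hops:
        if by_host.endswith(our_suffix) and not from_host.endswith(our_suffix):
            return from_host
    return None


def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyze(raw: str, our_suffix: str) -> dict:
    """Return the From domain, the first trustworthy external hop, and a list
    of red flags (empty when every check passed)."""
    msg = email.message_from_string(raw)
    from_dom = addr_domain(msg.get("From"))
    reply_dom = addr_domain(msg.get("Reply-To"))
    hop = first_external_hop(received_hops(msg), our_suffix)
    flags = []
    if hop and not in_domain(hop, from_dom):
        flags.append(f"first external hop {hop} is outside {from_dom}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for mech, result in AUTH_RESULT.findall(msg.get("Authentication-Results", "")):
        if result.lower() != "pass":
            flags.append(f"{mech.lower()}={result.lower()}")
    return {"from_domain": from_dom, "first_external_hop": hop, "flags": flags}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, analyze(raw, "mail.example"))
```

The forged third Received line in the spoofed sample is the reason the code walks down from the top and stops at the first hop outside our own servers: a naive “look at the bottom line” reading would have accepted mail.important-government-stuff.org as the origin, exactly as the sender intended.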

Phishing doesn’t necessarily come from a spoofed address. A hacker who takes over someone’s email account can send phishing emails to all of that person’s contacts, so the phishing email might come from your best friend’s real account. If a friend or acquaintance suddenly asks for money or your personal information by email, assume the account may be compromised: an email from your friend’s address was not necessarily sent by your friend.

The email might also contain malicious links, which can lead somewhere other than they appear to. The link text might read “google.com/login” or “the cutest puppy I’ve ever seen!” but take you to a phishing site or start a malware download once you click it. Hover over a link (or long-press it on a phone) to see the real destination before opening it, and keep everything from the “How to detect phishing on the web” section in mind when opening links in email.

How to detect phishing on social media

Phishing attacks on social media are increasingly common. Hackers usually take over social media accounts in order to phish the account’s contacts. An ordinary person’s Facebook account can be worth real money to a cyber criminal, because their friends trust what comes from it.

You probably wouldn’t transfer money to a random stranger on social media, but what about to your best friend? If a hacker gets control of your social media account, they can message all of your contacts. They usually make it look like you are in a lot of trouble and need money fast. A common story is being stuck in a foreign country with no money to get back home. A good friend would probably want to help you out!

Such attacks are easier to recognize in non-English-speaking environments, because the messages are almost always in English or machine-translated. English speakers therefore have to be more careful.

What should you do if you get an obvious phishing message from a friend? Ignore it and notify the friend through another channel. Never click the link either: it might install malware that hijacks your account as well. Don’t risk it even if you have good antivirus software or use a Mac.

You should be skeptical of friends asking for money on social media. Before wiring any money, make sure the message was really sent by the friend in question. Try to reach them through other means, perhaps by calling or emailing. If that’s not possible, ask them something the hacker would have no way of knowing.

Never click on a link shared unexpectedly in a chat application.

It’s probably not that big of an issue if you trade links with a friend all the time (you should still be careful, though!). The chances are high that it’s malware when an acquaintance you haven’t spoken to for years suddenly sends you a link. Ask the sender about the link before clicking on anything.

Make sure you are following the official pages of said person/brand.

There are thousands of fan pages on social media sites. Some of them try to look like an official page when they are not. That’s why Facebook, Twitter, and Instagram have introduced the “verified” badge for official profiles. A verified social media profile really belongs to the person or organization in question. Only ever follow official social media accounts. An unofficial fan page might behave harmlessly for years and then spread malware or phishing once it has millions of followers. At that point you probably won’t be suspicious of it at all.

Barack Obama’s official Facebook page: the blue seal shows it is the verified, official account.

Even verified profiles might get hijacked. This has happened to many celebrities, and even large organizations like HBO. Whenever you click a link on social media, always keep the section “How to detect phishing on the web” in mind.

How to detect phishing on the phone

Phishing over the phone predates the web and is still around. It even has its own term, “vishing” (voice phishing), and it is a form of what security people call social engineering: manipulating a person, rather than a system, into giving up information such as login details.

It can be harder to detect phishing on the phone than in email. Email phishing is rarely aimed at you specifically: the attacker acquired an email list, possibly millions of addresses long, and sends the same email to everyone on it. A phone call is aimed at you personally. The caller has taken time to study you, probably knows your name and your employer, and can introduce themselves believably. That said, a few simple rules protect you from phishing on the phone.

By far the most common form of social engineering is pretending to be from the IT department. The caller rings your work phone, introduces themselves as someone from IT, and asks for your password to “check something”. Whatever the story, they will eventually need your login information. Never, ever tell anyone your password on the phone. Do not give out login information even if the caller sounds familiar (that friendly person from IT). The same applies to any other confidential information.

Your IT department will never ask for your password

In fact, it’s not just your company’s IT department that doesn’t need your password, Google, Facebook, and your bank will never ask for your passwords or any confidential information either. If you receive a call from someone asking for such information, cancel the call immediately. If the caller asks you to visit a website, make sure you follow all the advice from the “How to detect phishing on the web” section.

Cancel a suspicious call immediately

If the caller’s questions, tone, or phrasing raise even the slightest doubt about their identity, hang up. Warning signs include threats, an aggressive tone, artificial urgency, and a refusal to let you call back on a number you look up yourself.

Look up the caller’s phone number to see whether it really matches the organization and person; most large companies and almost all government organizations publish their employees’ numbers. Keep in mind that caller ID is easy to spoof, so a familiar number on your display proves nothing by itself. What counts is calling back on a number taken from the organization’s official website.

If the person’s phone number is not public, just call the general information line to check if such a person really works there. Also, ask if the phone number is actually legitimate. No one will get mad at you for taking your security seriously.

I have set my phone to block all calls from hidden numbers and I advise you to do the same. If someone doesn’t want to reveal his identity when calling me, I don’t want to talk to him/her.

What to do when you detect phishing

Phishing is not a part of normal internet usage; it’s a crime and should always be reported to the authorities. If the phishing site was made to look like your website or the social engineering call pretended to be from your company, inform your IT department as well. You might have detected the phishing attempt, but others might fall for it. Your IT department can start the process of taking down the phishing site or at least warn other employees and clients.

In Gmail, always use the “report phishing” button. This helps Gmail eventually block similar emails automatically, making it safer for everybody.

If the email was made to look like a government agency, be sure to forward it to their IT/security department. You will usually find the contact information on their website. They can then take steps to warn other potential victims. They’ll also tell you if the email was actually legitimate and not a phishing attempt.