How do you avoid navigating to a fake website & avoid being a victim of “Phishing”

Phishing is a very common technique used by hackers.  In fact, 1 out of every 4 successful hacking incidents involves Phishing.  So let’s first look at the definition of Phishing in technical terms, after which I will try to explain with an example.

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising oneself as a trustworthy entity in an electronic communication.

Phishing is typically carried out by email spoofing, and it often directs users to enter personal information at a fake website whose look and feel are identical to the legitimate one; the only difference is the URL of the website in question.  Communications purporting to be from social websites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing emails may contain links to websites that are fake.

Two things stand out from the above description of Phishing:

  1. An email which seems to be from your bank or financial organization (but is actually fake) and asks you to click on a link contained in that email to provide additional details.
  2. The link takes you to a fake website which looks authentic, so the user might end up entering personal data, thus handing it to the hackers.

In the previous blog post, we saw how you can ensure that you are looking at a website or a page that is secure and is the one you intended to navigate to.  All of this information is available in the URL bar in the browser.  Remember the green lock image, the https:// prefix of the URL and the ‘I’ icon to get additional information.  You must ensure you see all of the above before you proceed with entering confidential/personal information on the page.  If you follow the instructions I gave you in the previous post, I am sure you will avoid being a victim of item ‘2’ (fake website) above, because you will immediately notice the website is a fake one and will NOT enter any information on it.

Now I will talk more about how to detect ‘1’ (a Phishing URL) so you don’t even get to step ‘2’ (navigating to the fake website): how to tell that the URL the email asks you to click on is a fake one.   You want to make sure you don’t follow fake URLs, because sometimes simply navigating to the URL will provide some data to the hackers (not your personal data, but, for example, confirmation that your email address is valid).

Let’s look at an email that I received recently:

When I open the mail, it looks like a mail from NETFLIX

And since I was trying to create an account recently, to me this may seem to be a real issue that I need to resolve.

Next, the mail instructs me to click on “Update Account Now” (arrow ‘2’).

And that’s what the hackers want me to do.  But before clicking any link which you suspect might be fraudulent, hover over the link to see the actual website the URL (or the button) is pointing to.   In the picture below, you can see my mouse cursor position, and the status bar of the browser showing the URL which will open if I click where the mouse cursor is.

All web browsers will show you the target URL when you simply HOVER your mouse over the area where the page wants you to click.  So you can find out the target before you actually click.

As you can see from ‘arrow 3’, the URL is completely different and nowhere close to NetFlix’s URL.

If Netflix wanted me to give them additional details, I would expect them to send me a link to their own site (something that has Netflix.com in it).

The hover-over URL should be to the site you want to navigate to.  If it doesn’t look anything like the company or bank you want to reach, don’t click on it.  Go directly to your bank’s website and navigate from there (or in this case, go to Netflix and resolve the issue from their website).
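The same check the hover trick does by eye, written out as an added example (this is my code, not part of the original post): given the HTML of an email, it lists the real target host behind every link and flags the ones that do not belong to the site you expect. It goes a little beyond “has Netflix.com in it”: the host must be the expected domain itself or a subdomain of it, so a name that merely contains netflix.com is rejected. The email below is a constructed sample, and `example.net` is a placeholder domain.

```python
"""Added example: list the real targets behind an email's links and flag the
ones that do not belong to the expected site. SAMPLE_EMAIL is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: two button-looking links whose real target is not Netflix,
# and one genuine link, so the checker has something to tell apart.
SAMPLE_EMAIL = """
<p>Your account is on hold.</p>
<a href="http://account-verify.example.net/login">Update Account Now</a>
<a href="http://netflix.com.example.net/login">Update Account Now</a>
<a href="https://www.netflix.com/YourAccount">Manage account</a>
"""

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    """Host part of the URL, the way the browser's status bar shows it."""
    return (urlsplit(url).hostname or "").lower()

def belongs_to(host, expected):
    """True only if host is the expected domain or one of its subdomains.
    'netflix.com.example.net' merely contains the name and is rejected."""
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)

def check_links(html, expected_domain):
    """Return [(visible text, href, host, ok)] for every link in the email."""
    parser = LinkCollector()
    parser.feed(html)
    return [(t, h, host_of(h), belongs_to(host_of(h), expected_domain))
            for t, h in parser.links]

if __name__ == "__main__":
    for text, href, host, ok in check_links(SAMPLE_EMAIL, "netflix.com"):
        print(("OK      " if ok else "SUSPECT ") + f'"{text}" -> {host}')
```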

Hovering over a link to see the target URL works in the browsers on your laptop or desktop.  On a mobile device (if you are looking at an email on your phone or iPad), just hold down the link (in my case the “Update Account Now” button) in that email to get a popup with the target URL and an option to navigate to it (as seen in the picture below):

So, looking back at these 2 blog posts: by ensuring you are clicking on the right link and avoiding any bad ones, and then confirming the page is the one you intended to get to, you will have a better and, most importantly, safer browsing experience.  As always, be very cautious and conscious when sharing any personal information, including bank login details.  It’s better to double-check than repent later.

Websites – What to watch out for when submitting confidential or personal data

One of the concerns I had heard was a fear of doing online financial transactions or online banking because of the instances of phishing or hacking. Hackers often cheat by creating a fake site which looks exactly like your bank’s or financial institution’s site and then steal your login/password.  Recently I heard about an instance where a technology company sent its employees a link to a fake site which looked genuine; they went to that site and entered their internal login credentials. So this kind of cheating is not limited to non-technical users. It shows the severity of the problem.

In this blog, I will try to explain how to know that the site you have navigated to is a genuine one.  In a subsequent blog post, I will cover what precaution you must take when you follow a link sent to you by someone.

Let me try to explain how to detect a secure site or page, so you can have a safer online experience.  Also, please note that I will be concentrating more on the browser.  Typically, on a mobile, you make payments or use the bank from their dedicated app.  But even on a mobile, you sometimes navigate to a page in the browser to fill in some information or a form.

All of the below discussion applies only when you want to ensure the website is secure, especially when you are visiting a bank site and logging into it, or your financial partner site, or a page where you will enter your personal information such as address, phone number, date of birth.

URL Bar

When you navigate to a site – I have used Fidelity.com, a large financial organization based in the USA, as an example – you will notice a few highlighted regions (this is from Mozilla Firefox; on other browsers you will see the same content, but the positioning might be different).

  • http vs https (item ‘4’ above)

When you open a webpage, you either open it using a bookmark or type the address in the URL field.  The address almost always has a prefix of ‘http’ or ‘https’.  There’s a big reason why that additional ‘s’ is important.  http (hypertext transfer protocol) is the protocol used for transferring data between the browser and the actual web site (both ways – to the browser and from the browser).  ‘http’ does not encrypt the data, whereas ‘https’ encrypts the data during the transfer, and that’s where the additional security comes in.

So if a website’s URL is simply http://, the data transmitted is not encrypted, so anyone (possibly a hacker) who intercepts it can see what is being sent.  But if the website is using the https protocol, the data is encrypted, so anyone who intercepts it cannot read or misuse it.

So if you are simply browsing and reading some generic website, and using it only to read, then you could continue browsing even though the URL has an ‘http://’ prefix.  But if you are going to fill in some confidential data, or for that matter send any information to the website, you should quickly take a look at the browser’s URL bar for that page and ensure it has an https:// prefix.  This way, you will be sure that the data you fill in and submit is encrypted before it gets to the destination.

  • Lock Icon (item ‘2’ above)

The 2nd important piece of information you should look at is whether there is a lock icon and what color it is.  A green lock means the site is encrypted and secure.  Use the information below to decide what you should do, based on whether there is a lock icon on the URL bar and, if there is, what color it is.

No lock – The site is not secure.  If you are only reading the page, it’s fine.  But do NOT send any confidential or personal data.

Green lock – The site is secure and matches the URL address shown.  And the contents are encrypted, so nobody who intercepts them can read them.

Gray with a yellow warning icon or a red cross-out – Site data might not be completely encrypted.  So I would strongly recommend that you do not send any confidential information using this site.

There will always be an ‘I’ icon (item ‘1’) next to the lock, which, when clicked on, will tell you who the site certificate belongs to.  Ideally this will be the site you are browsing to.
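The one comparison behind that ‘I’ icon, as an added example (my code, not from the post or from any browser): do the names on the certificate cover the host in the URL bar? The certificate below is a constructed dictionary in the shape Python’s `ssl` module returns from `getpeercert()`, with names chosen to stand in for fidelity.com; it is not Fidelity’s real certificate. A browser additionally checks that a trusted authority signed the certificate, which this example does not do.

```python
"""Added example: does the certificate belong to the site in the URL bar?
CERT is a constructed stand-in shaped like ssl.SSLSocket.getpeercert()."""
from urllib.parse import urlsplit

# Constructed certificate data (not a real certificate): issued for the bare
# domain and, via a wildcard, for hosts one label below it such as www.
CERT = {
    "subject": ((("commonName", "fidelity.com"),),),
    "subjectAltName": (("DNS", "fidelity.com"), ("DNS", "*.fidelity.com")),
}

def cert_names(cert):
    """Names the certificate is issued for: the DNS SANs, or the CN if none."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one extra label
    (so '*.fidelity.com' covers www.fidelity.com but not a.b.fidelity.com)."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".fidelity.com"
        if host.endswith(suffix):
            label = host[:-len(suffix)]
            return label != "" and "." not in label
    return False

def cert_belongs_to_url(cert, url):
    """True if any certificate name matches the host part of the URL."""
    host = (urlsplit(url).hostname or "").lower()
    return bool(host) and any(name_matches(n, host) for n in cert_names(cert))

if __name__ == "__main__":
    for url in ("https://www.fidelity.com/login", "https://fidelity.com.example.net/"):
        print(url, "->", "certificate matches" if cert_belongs_to_url(CERT, url)
              else "certificate is for a different site")
```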

The 2 confirmation signs above (https prefix, and the green lock icon) should be enough for you to have confidence that the site is secure and can be trusted.

So next time a site asks you to enter some confidential data (username/password, or other personal data), look at the browser’s URL bar, and ensure that there is a Green Lock icon and https:// before proceeding.

WhatsApp – is it secure?

Last week I needed to share my Bank Account number with my son so he could transfer some money to my account.  As I was sharing, my wife cautiously asked me if it was ok to do that.  All the recent headlines about Facebook and data leaks were fresh in her mind.  That made me do some research about WhatsApp’s security and at the end it made me feel quite confident about sharing the details (account number, not my account password).

WhatsApp is used extensively in India and many other countries, although not as much in the US. And simple knowledge of what is safe and what’s not would help everyone using WhatsApp.

If you have ever started a new conversation on WhatsApp with someone, you must have seen a message:

I am sure nobody clicks on the message to know more, but if you did, you would get another message:

The key here is ‘encryption’ – messages (chats and calls) are encrypted with your credentials as well as the receiver’s.  So no other individual can see the content of the message, even if they somehow get hold of it.  Only you and the receiver can read the message (decrypt it).   A simple analogy for ‘encryption’ is a ‘lock’: the message is locked, and only you and the receiver have the ‘key’ (the ability to decrypt) for the message.

The same is true for a message you post in a Group.  Only people who are part of that group can read it.

So the bottom line is, the message is safe as long as you trust the receiver not to share it with others or to misuse it.

And the best part is, even WhatsApp (ironically owned by Facebook) – the company providing the infrastructure to take your message and deliver it to the recipient – can’t see the message or decrypt it.  This is the part that’s most important for me.  This means that WhatsApp will not provide APIs (programmatic access) to 3rd parties to get to the message, nor will WhatsApp run any analytics on my posts/sends/calls to eventually use them for any company benefit.  Facebook has access to all of your posts along with all of your actions in Facebook.  Doing analytics, providing relevant advertisements and giving advertisers access to this data was the main issue in the Facebook / Cambridge Analytica saga (see my earlier post).   But the encryption prevents WhatsApp from getting at the content of any of your postings.

So the bottom line is:

  • It’s fine to share information on WhatsApp, without fear of any 3rd party or WhatsApp (as a company) being able to get to it or read it.
  • You have to use common sense while sharing.  Like me sharing my account number with my son while making sure I don’t share my online login ID/password or my ATM PIN.  That’s never safe, no matter how you share it.
  • Also know that the receiver can misuse it or share your message with others.  But it’s between you and the receiver.
  • And don’t forget, if someone gets hold of your mobile or receiver’s mobile and can open WhatsApp, they are opening it with your (or their) identity. So of course, they can read the messages. In this case, they are not a 3rd party.

As long as you keep all of the above in mind, you will have peace of mind and proper sharing on WhatsApp.

You can read more about WhatsApp security by clicking here.

My aim with these posts is to simplify technology and explain it in simple terms, so that when the time comes you will not ask questions similar to those asked in the accompanying video.