Phishing is a very common technique used by hackers. In fact, 1 out of every 4 successful hacking incidents involves Phishing. So let’s first look at the definition of Phishing in technical terms, after which I will try to explain with an example.
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.
Phishing is typically carried out by email spoofing and it often directs users to enter personal information at a fake website, the look and feel of which are identical to the legitimate one and the only difference is the URL of the website in concern. Communications purporting to be from social websites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing emails may contain links to websites that are fake.
Two things come out from the above description regarding Phishing:
- An Email which seems to be from your bank, or financial organization (which is actually fake), which asks you to click on a link contained in that email to provide additional details.
- The link takes you to a fake website which looks authentic, so the user might end up entering personal data, thus providing this to the hackers.
In the previous blog post, we saw how you can ensure that, you are looking at a website or a page that is secure and the one you intended to navigate to. All of this information is available in the URL bar in the browser. Remember the green lock image, https:// prefix of the URL and the ‘I’ icon to get additional information. You must ensure you see all of the above before you proceed with entering confidential/personal information on the page. If you follow the instructions I gave you in the previous post, I am sure you will avoid being a victim of item ‘2’ (fake website) above, because you will immediately notice the website is a fake one and will NOT enter any information on it.
Now I will talk more about how to detect ‘1’ (Phishing URL) so you don’t even get to step ‘2’ (navigating to the fake website). How to detect the URL which the email asks you to click on is a fake URL. You want to ensure you don’t follow fake URLs as sometimes a simple navigation via the URL will end up providing some data (although not your personal data) to the hackers (such as validity of the email address).
Let’s look at an email that I received recently:
When I open the mail, it looks like a mail from NETFLIX
And since I was trying to create an account recently, to me this may seem to be a real issue that I need to resolve.
Next, the mail instructs me to click on “Update Account Now” (arrow ‘2’).
And that’s what the hackers want me to do. But before clicking any links which you might suspect to be fraudulent, hover over the link to see the actual website the URL (or the button) is pointing to. In the picture below, you can see my Mouse Cursor position, and the status bar of the browser showing the URL which will open if I clicked at the position where the mouse cursor is.
All the web browsers will show you the target URL when you simply HOVER your mouse over the area where the page wants you to click. So you can find out the target before you actually click.
As you can see from ‘arrow 3’, the URL is completely different and nowhere close to NetFlix’s URL.
If Netflix wants me to give them additional details, I would expect them to send me a link to their own site. (something that has Netflix.com in it).
The hover over URL should ideally be to the site you want to navigate to. If it doesn’t look anywhere close to the company or bank you want to get to, don’t click on it. Go directly to your bank’s website and navigate as desired (or in this case, go to Netflix to resolve issue from their website).
Hovering over to see the target URL is available in the browsers on your laptop or desktop. In case of mobile device, if you are looking at an email on your mobile, or ipad, just hold down the URL link (in my case the “Update Account Now” button) in that email to get a popup with the target URL and an option to navigate to (as seen in the picture below):
So as we look back at these 2 blog posts, ensuring you are clicking on the right link and avoiding any bad ones, and then confirming the page is what you intended to get to, you will have a better, and most importantly safer browser experience. As always, be very cautious and conscious when sharing any personal information, including bank login details. It’s better to double-check than repent later.