Overview of Phishing Techniques: Fake Websites
Introduction
It’s an average Tuesday afternoon when you get an email from your bank.
The fraud team is reaching out because they detected some unusual purchasing activity on your account. Can you log into your account to see if anything looks fishy? Conveniently, they’ve also included a link to the login page. After entering your username and password, you close the tab, delete the email and go about your day like usual.
Days or weeks later, you check your bank account and realize money is missing. Not only that, but your email account and social media profiles have also been accessed by someone other than you. Huh, that’s weird.
That’s when it hits you: maybe that email from your bank about the unusual activity wasn’t from the bank at all. Maybe it was from someone pretending to be the bank. Someone who now has the same username and password you use for all of your accounts.
It’s a scary situation. But according to research by Webroot and Thales Security, it’s a lot more common than you’d think:
- Scammers create 1.4 million phishing websites every month
- Most phishing sites are online for 4 to 8 hours
- Spoofed sites led to $1.3 billion in losses in 2019
Who are scammers impersonating? Additional research by Webroot shows that the most common targets are big tech firms, including Facebook, Apple, Google, Dropbox and PayPal, as well as finance companies like Chase, Wells Fargo and Citi. However, this list is anything but exhaustive; scammers have also been known to create fake websites for colleges and government agencies like the IRS.
Since no website is safe from being spoofed by scammers, the best way to protect yourself as a user is to know how to spot a fake phishing website in the wild.
What is a “spoof” website?
The best way to think about site spoofing might be to remember the old adage about wolves in sheep’s clothing. By looking like something harmless, spoofed websites trick visitors into letting their guard down and disclosing sensitive information.
Fraudulent websites are designed to closely resemble the sites they’re mimicking, down to the logo, branding and content. Login pages and form submissions are popular targets for spoofers, since they can yield high-value information.
Spoofed websites are often accompanied by spoofed emails. The email contains a link to the site and encourages you to click it, often using urgent or alarmist language like “verify your account credentials immediately!” or “unusual account activity detected!” The faster visitors click the link, the less likely they are to realize they’ve been misled — until it’s too late.
How to spot a fake website
While there are some highly sophisticated phishing sites out there, most of them include one or more red flags that should have you hitting the back button ASAP.
Incorrect URL
In the world of phishing, nothing is as it seems, and URLs are no exception.
Sometimes this means the web address is slightly “off,” like it’s missing a letter or uses a number substitution for a letter (think: “amaz0n” or “fac3book”). Other times, scammers make up URLs that sound plausible because they use words we commonly associate with that business. Here’s an example:
[Image: a plausible-sounding but fraudulent URL. Image credit: Alfred Ng]
This appears credible at first glance, but it’s not a legitimate site. The address leads to a bogus page claiming to help visitors get compensation for the big Equifax leak of 2017. Yes, a scam within a scam.
Although this method can be trickier to detect than URLs with obvious typos, it’s easy to find a company’s legitimate URL via a quick Google search. When in doubt, trust your gut!
Insecure website
Websites use encryption to protect the data you share with them: usernames, passwords, credit card numbers and more. An encrypted website has two features you should look for: a padlock symbol in the browser’s address bar and a URL that starts with “https”. Keep in mind that the padlock only tells you the connection to the site is encrypted, not that the site belongs to the company it claims to be, so a spoof site can display one too. Unencrypted websites can’t protect your data in transit, so it’s best to avoid sharing any personal information on them, whether or not they turn out to be spoofs.
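The URL red flags from the “Incorrect URL” section (digit-for-letter swaps like “amaz0n”, a dropped letter, a brand name buried in an unrelated domain) and the HTTPS check from this section, as an added defender-side checker that is not part of the original article. The brand allowlist, the homoglyph table and every sample URL are constructed for this example.

```python
from urllib.parse import urlparse

# Constructed allowlist for this example: brand keyword -> registered domain that really serves it.
BRANDS = {
    "amazon": "amazon.com",
    "facebook": "facebook.com",
    "paypal": "paypal.com",
    "equifax": "equifax.com",
}

# Digit-for-letter swaps seen in lookalike names ("amaz0n", "fac3book"); constructed table.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of the host (naive rule, adequate for the .com/.net hosts used here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_url(url):
    """Return a list of red flags for the URL; an empty list means none of these checks fired."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme != "https":
        # Necessary but not sufficient: a phishing site can serve over HTTPS as well.
        reasons.append("connection is not HTTPS")
    reg = registered_domain(host)
    if reg in BRANDS.values():
        return reasons                      # exact legitimate registered domain
    sld = reg.split(".")[0]                 # e.g. "amaz0n" from "amaz0n.com"
    for brand in BRANDS:
        if sld == brand:
            reasons.append(f"'{brand}' on an unexpected domain '{reg}'")
        elif sld.translate(HOMOGLYPHS) == brand:
            reasons.append(f"digit substitution imitating '{brand}'")
        elif edit_distance(sld, brand) == 1:
            reasons.append(f"one edit away from '{brand}'")
        elif brand in host:
            reasons.append(f"'{brand}' embedded in unrelated domain '{reg}'")
    return reasons
```

The checks are heuristics: a legitimate partner domain that contains a brand word will also be flagged, so treat a non-empty result as a prompt to verify the address, not as proof of fraud.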
Typos and misspelled words
“Greetings, Sir/Madam! Pleas confirm you’re acccount info.”
If you see this kind of language on a website, run away! Companies put a lot of stock in how they’re perceived by the public. That means any content that appears on the site or in official emails has been proofread and spell checked, usually by multiple people. While even the most sophisticated businesses are capable of a typo here and there, it’s safe to say they’re pretty uncommon.
Multiple typos or typos featured in prominent places on the site (like the company name, section headings and links) are big red flags.
Low-resolution images or fake imagery
Phishing sites have a short lifespan: most are only live for four to eight hours before scammers take them down to avoid being detected by web crawlers. The result? Pages that are built in a hurry — and it shows. If you’ve ever tried to rush to finish something, you know exactly what we mean: sloppy details.
Spoof sites often don’t look quite right. They’re not as sleek or polished as the high-end companies they’re trying to mimic. They use low-resolution images that look fuzzy or pixelated. They may use an incorrect or outdated version of a company logo. Sometimes the whole site just feels off, like it’s been built using a low-end template. Don’t ignore these clues that you’re on a scam site!
Final word on website spoofing
It’s true that spoofing isn’t a new variety of cyberthreat, but as scammers deploy it in ever more sophisticated ways, being able to detect spoof sites quickly is imperative.
Because cybercriminals use short-lived spoof sites to evade web indexing, the burden of detecting them often falls on the user. Educating users on how to spot a malicious website will go a long way towards ensuring these fake sites don’t get real results.
Sources
- Quarterly Threat Trends, Webroot
- 2019 Thales Access Management Index, Thales
- Quarterly Threat Trends: Phishing Attacks Growing in Scale and Sophistication, Webroot
- What is spoofing?, Malwarebytes
- Equifax sends breach victims to fake support site, CNET
- What is an SSL certificate?, Digicert