Advanced phishing

How to identify a phishing website

by Egress
Published on 24th Feb 2023

Our increasing dependence on the internet and, specifically, email for business and personal communication has produced the perfect environment for cybercriminals to launch phishing attacks.

As organization’s technical controls have advanced, cybercriminals have evolved their attacks, making them more difficult for traditional email security solutions that use signature-based detection (such as Microsoft and secure email gateways (SEGs) to detect. These attacks are also more difficult for people to spot as well. In results published from a phishing simulation, 53% of employees opened phishing emails and 23% input data into a form. Only 7% of employees reported the simulation to the Security team.

These numbers are concerning when you consider how costly data breaches can be for businesses. IBM estimates that the average cost reached $4.35m in 2022.

What is a phishing website?

A phishing website is a website used by cybercriminals for malicious purposes, like credential theft or financial fraud. People frequently visit phishing websites having clicked on a phishing link in a malicious email. Phishing websites can be created using spoofed or lookalike domains or they can be built as part of a compromised legitimate website (this is a social engineering technique known as water-holing).

Cybercriminals can use phishing websites in multiple different ways. For example, the target might be presented with a log-in screen to enter their credentials, which are then scraped by the cybercriminal for use in account takeover attacks; or they might be prompted to enter payment details to confirm an order or pay for an item that will never arrive; or they might even automatically download malicious files or do so via a prompt on the webpage.

As phishing websites are one of the most common types of payload used in phishing attack attacks, here are our top six methods. (Plus, take a read of this article for more information on how to spot a phishing link.)

Six tips for how to identify fraudulent websites

Check the URL

One of the first steps you should take to check whether a website legitimate is to look at the URL. There should be a padlock symbol in the address bar and the URL should begin with either 'https://' or 'shttp://'. This indicates that the website is encrypted and secured with an SSL (Secure Sockets Layer) certificate.

However, although it's good practice to look for these details, you can't rely on this information alone. It's estimated that around over half of all phishing websites now use SSL protection in a bid to fool visitors. 

Another indicator you need to look at is the spelling of the web address. Cybercriminals take advantage of the fact that people tend to skim read information. As such, they will create web addresses that are similar to well-known and trusted ones to launch their phishing attacks. For example, a web address that usually ends in '.org' may be changed to '.com' or letters could be substituted with numbers, such as ‘amazon.com’ changed to ‘amaz0n.com’.

Redirects to phishing websites, including URL shorteners

Be aware that if you clicked on a link in an email or SMS message that looks legitimate, you could have been redirected to a fraudulent site. The cybercriminal can use text that appears innocent (the URL for the legitimate website or even a prompt like ‘Sign in’) to hide their malicious URL.

To try to avoid detection, cybercriminals launching advanced attacks can also put redirects in place once an email has been delivered. This is known as post-delivery weaponization.

Similarly, URL shorteners can be used to hide the phishing link, with legitimate services being used to avoid detection. The text within the phishing email will contain the shortener URL, which will redirect to the phishing website once clicked.

So even if you’ve clicked on a seemingly harmless hyperlink, you need to remain alert to the risk of phishing.

Take a close look at the content

Is the website looking sub-standard, for example low-quality images or branding (including logos) or poor spelling and grammar? This can signal that you’re on a phishing website.

Most legitimate businesses will invest a lot of money and time in creating a well-designed and highly polished website where the language is correct, the graphics are sharp, and the user experience makes sense. 

Here are some common red flags you should look for:

  • Simple spelling and grammar mistakes
  • Subpar language (for example, broken English)
  • Low-resolution images

Another indication that you may be on a phishing website is the lack of a ‘contact us’ page. Authentic businesses usually provide contact details, including their postal address, phone number, email address and social media links. If this has been omitted, treat it with suspicion. While the lack of contact details can still indicate a phishing website today, some cybercriminals create simple ‘contact us’ pages or add this information to the webpage footer to make their attacks appear more legitimate. In templated brand impersonation attacks, the legitimate brand’s information might be scraped from elsewhere and used on the phishing website.

Think about your journey

Did you visit the website directly, through a search enginer, or did you click on an emailed link? If you’re having doubts about the legitimacy of a website and you arrived there by clicking a link, then before you take nay action, renavigate there by typing known addresses (e.g. ‘www.amazon.com’) into your browser or search the brand name via a search engine.

Even if you believe the email to be from a reputable source, if you weren’t expecting it, then use the two previous steps to check the legitimacy of the website (and if in doubt, navigate there another way or contact the sender using a method that isn’t the original email).

A good tip to avoid a successful phishing attack in this instance is to bookmark your frequently visited websites once you've verified their authenticity. That way, you can rest assured that you're in the right place and won't fall victim to phishing attacks that impersonate those brands.

If it's a new website that you haven't visited before, take the time to manually visit the website via your usual browser and to ensure there doesn’t appear to be anything malicious about the site using tips such as those from this article.

Read reviews

It's always a good idea to do your research on a company to establish whether they are who they claim to be and to check their reputation. If the website has previously defrauded visitors, the victims may have shared their experiences online. 

It's best to check reviews across a variety of trusted sources since positive feedback can be easily faked. Here are some ways to spot fake feedback:

  • There are lots of oddly similar reviews: perhaps they all have a similar writing style or maybe they describe everything the same way, or have given the same review and rating across multiple sites
  • The reviewers use recently created profiles: try to find reviews from longer-standing, established members of the review website; if they've reviewed hundreds of websites, they're more likely to be a credible source of information
  • There aren't many reviews: this may simply be because the company is new; however, if you're already suspicious and there isn't much online feedback, give the website a miss

Check payment methods

If a website is legitimate, it will accept credit/debit cards or include standard payment methods such as PayPal. However, it's common for phishing websites to ask for a bank transfer or request payment via cryptocurrency. 

If you make a purchase turns out to be part of a scam with a credit or debit card, you're more likely to be able to claim your money back. But, there's often very little you can do if you've paid by bank transfer. Legitimate businesses will never ask for bank transfers, so don't send money using this method.

Find out who owns the website

Every domain has to be registered, so it's always useful to run a background check to see who owns it. You can find this information out, alongside their contact details and the website creation date, here. You can also use search engines to check whether there are reports of the website being part of cybercrime schemes (or even used for lower-level scams).

As cybercriminals evolve their attacks to avoid detection and to make them more convincing to their target, phishing websites have become more convincing, with many leveraging sophisticated impersonation techniques.

However, by checking the origin of the domain, you can determine factors like domain age (has it been around for a long time, like the legitimate brand, or is it a new site?); what country the domain is registered in (checking whether that tallies with information you know about the legitimate company, such as where they operate or where their headquarters is located); and who it is registered to (checking whether that matches the information you know about the brand (for example, egress.com is owned by Egress Software Technologies)).

If your investigation raises any red flags, it’s best to navigate to a trusted brand website another way or avoid the website altogether.

Defending against phishing attacks and stopping people from visiting phishing websites

These are six great tips for identifying phishing websites, however, as noted in this article cybercriminals are advancing their attacks to evade detection – whether from traditional email security solutions or people.

Organizations are now enhancing their defenses against phishing attacks by using use an integrated cloud email security (ICES) solution (like Egress Defend). ICES solutions can detect advanced attacks that are engineered to bypass Microsoft 365 and SEGs, as well as include URL inspection, link rewriting, and time-of-click analysis to block people from visiting phishing websites.

Learn more about phishing

Cybercrime is constantly evolving, and it is important to stay up to date with the current threats. 

Visit the Egress phishing hub for expert advice and to learn more about the latest phishing attacks and tactics.

You might also be interested in ...

What is business email compromise (BEC)?

Learn how to recognise and prevent business email compromise (BEC).

The psychology of social engineering and phishing

Why do we fall for phishing attacks?

Guide to DMARC

DMARC is an email authentication protocol that helps recipient domains verify that an email sender is who they say they are and not a cybercriminal spoofing a domain name.