How to identify a phishing website

Security challenges

Our increasing dependence on the internet has produced the perfect environment for fraudsters to launch phishing attacks. Not to mention that their methods are becoming increasingly sophisticated and harder to identify. According to a recent study, 20% of all employees are likely to click on phishing email links and, of those, 67% go on to enter their details on a phishing website.

These numbers are concerning when you consider how costly data breaches can be for businesses. IBM estimates that the average cost sits at $3.86 million. 

Wondering how to spot a phishing website and prevent yourself from becoming hooked?

Here are our top six methods:

1) Check the URL

One of the first steps you should take to identify a phishing website is to look at the URL. There should be a padlock symbol in the address bar and the URL should begin with either 'https://' or 'shttp://'. This indicates that the website is encrypted and secured with an SSL (Secure Sockets Layer) certificate.

However, although it's good practice to look for these details, you can't rely on this information alone. It's estimated that around three-quarters of all phishing sites now use SSL protection in a bid to fool visitors. 

The other tell-tale sign you need to look at is the spelling of the web address. Fraudsters take advantage of the fact that we tend to skim read information. As such, they will create web addresses that are similar to well-known and trusted ones to launch their phishing attacks. For example, a web address that usually ends in '.org' may be changed to '.com' or letters could be substituted with numbers.

Be aware that if you clicked on a link in an email or SMS message that looks legitimate, you could have been redirected to a fraudulent site, so you should always use the above steps to verify you’re where you’re supposed to be. 

2) Take a close look at the content

Is the website looking sub-standard? Perhaps you've stumbled across a phishing website. Most legitimate businesses will invest a lot of money and time in creating a polished website where the spelling and grammar are correct, the graphics are sharp and the user experience makes sense. 

Here are some common red flags you should look for:

Simple spelling and grammar mistakes

Broken English

Low-resolution images

Another indication that you may be on a phishing website is the lack of a 'contact us' page. Authentic businesses usually provide contact details, including their postal address, phone number, email address and social media links. If this has been omitted, treat it with suspicion.

3) Think about your journey

Did you visit the website directly or did you click on an emailed link? An analysis of over 55 million emails revealed that one in every 99 emails is a phishing attempt. If you clicked a website link in a suspicious email, don't enter your credentials there. Even if you believe the email to be from a reputable source, if you weren’t expecting it, then use the two previous steps to check the legitimacy of the website (and if in doubt, find another way to contact the sender that isn’t via the original email).

The best way to avoid a phishing attack in this instance is to bookmark your frequently visited websites once you've verified their authenticity. That way, you can rest assured that you're in the right place and won't fall victim to a phishing attack.

If it's a new website that you haven't visited before, take the time to manually visit the website via your usual browser.

4) Read reviews

It's always a good idea to do your research on a company to establish whether they are who they claim to be and check their reputation. If the website has previously defrauded visitors, the victims are likely to share their experiences online. 

It's best to check reviews across a variety of trusted sources since positive feedback can easily be faked. Here are some ways to spot fake feedback:

There are lots of oddly similar reviews: perhaps they all have a similar writing style or maybe they describe everything the same way

They're all very recent: try to find reviews from longer-standing members of the review website. If they've reviewed hundreds of websites, they're more likely to be a credible source of information

There aren't many reviews: this may simply be because the company is new; however, if you're already suspicious and there isn't much online feedback, give the website a miss

5) Check payment methods

If a website is legitimate, it will accept credit/debit cards or include standard payment methods such as PayPal. However, it's common for phishing websites to ask for a bank transfer. 

If you purchase something that turns out to be a scam with a credit or debit card, you're more likely to be able to claim your money back. But, there's very little you can do if you've paid by bank transfer. Legitimate businesses will never ask for bank transfers so don't send money using this method.

6) Find out who owns the website

Every domain has to be registered, so it's always useful to run a background check to see who owns it. You can find this information out, alongside their contact details and the website creation date, here.

As scammers become more astute, their phishing, or 'spoof', websites are beginning to look more convincing - some are even designed to look like they represent a leading brand. However, if you realize the website has been active for a short time or the domain is registered to a person in another country, it's probably not real.

Learn more about Phishing

Cybercrime is constantly evolving, so you must stay in the know. 

Visit the Egress phishing hub to read expert advice and learn more about the latest phishing tactics. Protect yourself and your data today.