Phishing
We visit dozens or even hundreds of websites every day. As long as they are all the same familiar sites, and there is no illegal downloading or adult content, we can feel pretty safe. It’s a different story if we sometimes click on links in incoming mail, like to dive into the depths of the net, jumping from one site to another based on links, or if some of our friends like to bombard us with interesting links. In the latter cases, we should be aware of the most important characteristics of fraudulent sites – but we can also benefit from knowing them.
Homoglyphs
Spoofed URLs and ambiguous characters, or homograph attacks, are among the most common deceptive tactics used by cybercriminals. They involve registering fake websites under domain names that look very similar to known, trusted sites, which in turn contain characters that look confusingly similar. Examples include the use of “rnicrosoft.com” instead of “microsoft.com”, where the letter “m” is replaced by “rn” characters. It is also possible to use the Greek omicron or “o” instead of the letter “o” in a domain name: for example, in the case of “facebook.com”, the second “o” has been replaced by the omicron, but there is almost no difference in appearance.
Typosquatting
Attackers attempting to deceive by deliberate misspelling register domain names very similar to the names of popular websites, such as “gogle.com” or “gooogle.com” instead of “google.com”. It is worth noting that the misspelled versions in this example have been purchased by Google for security reasons, so fortunately they will automatically redirect to the company’s real site, but there are still many fake versions that can be found. Fake pages are usually deceptively similar to the original, so be very careful and always check that you are on the right page (more on this in the box). Fortunately, several security programs can detect homograph attacks and warn you when you try to access a suspicious website.
Missing privacy policy
If you are unsure about the authenticity of a site, you should always check whether the site has a privacy policy. Indeed, under data protection laws, all websites must have a policy explaining how users’ data is protected and handled. If there is no such information on the website at all, it is reasonable to question the reliability of the website.
Missing/unavailable contact details
All legitimate companies that wish to maintain contact with customers should place their contact details on their websites. This can be a contact form, telephone number, or direct email address. If nothing can be found, that is suspicious in itself, as is if the phone number provided is unavailable or is answered by someone who does not appear to be at all competent. In such cases, it is worth considering whether fraud is involved. As well as following these safety tips, it is also worth being wary of suspicious adverts and websites with spelling mistakes.
HTTPS is no panacea
A widely used method to check the security of websites is to test the HTTPS protocol. HTTPS is often seen as a key element of security, but the reality is more nuanced. In reality, it only ensures that the connection between the web server and the user’s browser is encrypted, i.e. it protects against eavesdropping. It does not, however, provide any information about whether the website that you are connecting to via an encrypted connection is the official website or a fake, phishing version. Nowadays, cybercriminals can obtain a valid SSL/TLS certificate for their fake sites just as easily as a legitimate business. Therefore, it is better to treat this method as just a piece of the puzzle, part of a larger puzzle. As far as certificates are concerned, it is also worth taking a look at what services the website offers and which organization issued the SSL or TLS certificate. If the data the site handles is sensitive but the certificate issued is cheap or free, it’s worth pulling the emergency brake. For more information on the validity of the certificate and the issuing organization, click on the padlock icon in the browser address bar.
Reliable security software
Using up-to-date, reliable security software is another big step towards thwarting cyber threats. Security software usually uses built-in scanning techniques to analyze websites and look for malicious content. If detected, they immediately flag the threat and block access to the site and the download of malicious content, protecting the user. Cutting-edge security solutions also usually include anti-phishing protection, preventing attempts to obtain passwords, bank details, and other sensitive information. When an attempt is made to access a particular URL, the security software compares it against a database of phishing sites and, if a match is found, immediately terminates access and warns the user of the threat. In summary, to stay safe online, we should always be very careful as cybercriminals are using increasingly sophisticated techniques to deceive us.
Have you got more ideas on what to look for when surfing online to be safe? Let us know your suggestions below!