Phishing (pronounced: fishing) is an attempt to steal money, or an identity, or to get you to provide personal information such as credit card numbers, bank information, or passwords. This can occur via email or on websites that pretend to be legitimate.
Cybercriminals typically pretend to be recognised companies, known friends, or acquaintances in a fake message, which contains a link to a phishing website.
How to spot a fake phishing website
Check the domain name and URL before opening, or entering login details
- Before opening a link, if it is found as a Google search result and especially from sources like spam emails or social media comments, always check the domain name and URL.
- Scammers often disguise fake URLs to look legitimate by changing top-level domains, misspelling names, or using similar-looking characters.
For example:
- www.standard.bank.co.za (extra dot) instead of www.standardbank.co.za (normal)
- business.ndbank.co.za (missing 'e') instead of business.nedbank.co.za (correct spelling)
- www.nightsbridgeauth.com (incorrect spelling) instead of www.nightsbridge.com (correct spelling)
You should always check the domain is safe before entering any personal or login details (usernames or passwords).
Safe:
NightsBridge URLs will always end in .com, or .co.za and not any other form, and will not be misspelt.
www.nightsbridge.com
site.nightsbridge.com
login.nightsbridge.com
(www.nightsbridge.co.za redirects to site.nightsbridge.com)
Unsafe:
nightsbridgeauth.com (incorrect spelling)
nightbridge.com (missing 's')
nightsbridge.travel (incorrect top-level domain)
nightsbridge.io (incorrect top-level domain)
Check if the website is HTTP secure.
- An SSL/TLS certificate will be indicated by a padlock symbol and an HTTPS in the web address bar (“https://” instead of “http://”).
- Fake websites typically are not authenticated and don’t use the secure HTTPS protocol.
- You can hover over the link with your mouse to see the destination (URL).
- If you’re using your mobile phone, press and hold the link down until the URL appears.
- You can use this Link Checker tool to see if an URL is legitimate.
Use a website checker
- Google’s Safe Browsing Site Status tool can help.
- Google’s Safe Browsing technology examines billions of URLs per day looking for unsafe websites.
- If a site is known for phishing, malware, and other harmful activities, it will be listed as unsafe in Google’s database.
Check the domain age
- A real website often has an older domain compared to its fake copies.
- The age of a domain can be checked using the tool Whois Lookup page.
Simply paste the URL you want to inspect and review the “Dates” in the domain profile details.
How to spot a phishing message
Phishing is a popular form of cybercrime because of how effective it is. Cybercriminals have been successful using emails, text messages, and direct messages on social media, to get people to respond with their personal information.
The best defense is knowing what to look out for.
Here are some ways to spot a phishing email:
Urgent call to action or threats
- Be suspicious of emails and messages that request you to click, call, or open an attachment immediately. Often, they'll claim you have to act now to claim a reward or avoid a penalty.
- This is creating a false sense of urgency - a common trick of phishing attacks and scams. This is so you won't think about it too much or consult with someone you trust.
Tip: Whenever you see a message calling for immediate action take a moment, pause, and look carefully at the message. Are you sure it's real? Slow down and be safe.
First time, infrequent senders, or senders marked [External]
- While it's not unusual to receive an email or message from someone for the first time, especially if they are outside your organization, this can be a sign of phishing. Slow down and take extra care at these times.
Spelling and bad grammar
- Professional companies and organizations usually have writing staff to make sure customers get professional content. If an email message has obvious spelling or grammatical errors, it might be a scam.
- These errors are sometimes the result of automatic translation from a foreign languages. Sometimes there errors deliberate in an attempt to evade filters that try to block these attacks.
Generic greetings
- An organization that works with you should know your name and these days it's easy to personalize an email.
- If the email starts with a generic "Dear sir or madam" that's a warning sign that it might not really be your trusted bank or shopping site.
Mismatched email domains
- If the email claims to be from a recognised company but the email is being sent from another email domain like Gmail.com, or NitesBridge.com it's probably a scam.
- Look out for very subtle misspellings of the legitimate domain name such as:
- [email protected] where the "s" has been left out
- [email protected], where the "m" has been replaced by an "r" and a "n".
Suspicious links or unexpected attachments
- If you suspect that an email message, or a message is a scam, don't open any links or attachments that you see.
Instead, hover your mouse over, but don't click the link. - Look at the address that pops up when you hover over the link. Ask yourself if that address matches the link that was typed in the message.
- In the example below, resting the mouse over the link reveals the real web address in the box with the yellow background. The string of numbers looks nothing like the company's web address.
Tip:
- On Android devices, long-press the link to get a properties page that will reveal the true destination of the link.
- On iOS devices, do what Apple calls a "Light, long-press".
Cybercriminals can also tempt you to visit fake websites with other methods, such as text messages or phone calls.
- If you're feeling threatened or being pressured, it may be time to hang up. You can always find the phone number of the establishment and call back when your head is clear.
- Sophisticated cybercriminals create call centers to automatically dial or text numbers for potential targets. These messages will often include prompts to get you to enter a PIN number or some other type of personal information.
What to do if you think you've been successfully phished
If you think you have fallen for a phishing attack/scam there are a few things you should do.
- While it's fresh in your mind write down as many details of the attack/scam as you can recall.
Try to note any information you may have provided to the scammer such as:
• usernames
• account numbers
• passwords
- Immediately change the passwords on all affected accounts, and anywhere else that you might use the same password.
While you're changing passwords, create unique passwords for each account.
- If possible, add a multi-factor authentication, also known as two-step verification, to your accounts where possible (if the account offers the feature).
Multi-factor authentication (MFA) is a multi-step account login process that requires users to enter more information than just a password.
For example, along with the password, users might be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint.
- If this attack affects your work or business accounts, you should notify the IT support at your work or business of the possible attack.
If you shared information about your credit cards or bank accounts, you may want to contact those companies as well to alert them to the possible fraud.
- If you've lost money, or been the victim of identity theft, don't hesitate, report it to local law enforcement.