Protect your business from phishing attempts with these practical tips for secure browsing

What is a phishing attempt?

First and foremost, a phishing attempt (also known as a phishing attack) is a scam that digital con artists use to trick people into revealing sensitive information, such as passwords, credit card numbers, or other personal details. To gain the target’s trust, fraudsters typically pretend to be companies that consumers expect to hear from, such as delivery companies, banks, or internet service providers.

The most common phishing attempt starts with an email, which usually contains alarming language, claiming that there’s a problem or an important reason why the recipient needs to provide or verify their personal information. For example, many messages get a person’s attention by claiming that an account has been compromised, that unusual activity has occurred, or that a payment has been missed. Below is an example of a phishing email (and you can see more examples here).

In reality, the sender is almost always a bad actor, patiently waiting to reel in the user’s information. When an attempt is successful, they gain almost instant visibility into the individual’s existing accounts as well as the authority to open new ones. In fact, phishing scams are one of the most common online tricks, according to a 2022 report from the Federal Bureau of Investigation.

The good news is that when you know what to look for, you will be able to identify threats long before your data is ever in danger. Let’s talk about some tactics that can keep you safe and help you avoid these digital evil-doers.

Pay close attention to URLs and domain names

Many people use the internet daily, whether to complete work-related projects or use a smartphone to order groceries. There’s even some data that suggests the average internet user visits more than 100 websites per day! With that much activity, those who are surfing the web are bound to come across sites they’ll be visiting for the first time, so being attentive to the little details can pay off big time (and keep your information secure).

Domain names that raise doubts

If you see any words or characters in a website’s URL that look amiss, you could be in the wrong place (and may want to keep searching for a different resource). For instance, any misspelled words or variations in the domain name should raise a red flag. That’s because phishing websites often use domain names that resemble legitimate ones but have slight differences. For example, instead of “paypal.com,” you might see something like “paypall.com” or “p4ypal.com.” If the URL looks slightly off or different from what you expect, proceed with caution. URL mistakes that indicate a site is a scam can sometimes be very subtle and hard to spot, so it’s important to pay close attention.

Odd domain extensions

Another thing to pay attention to is the domain extension at the end of the URL. The most common extensions are “.com,” “.org,” or “.net” and are used across the internet. If you come across a website with an extension such as “.xyz,” “.info,” or “.biz,” it might indicate a higher risk. Should the characters in the extension look unfamiliar (or just plain strange), it could be a website to avoid.

Sneaky subdomains

Subdomains are another thing that aspiring “cybersleuths” should be aware of. And these types of attacks are a growing problem. In 2022, more than two-thirds of campaigns reported to the Cofense Phishing Defense Center (PDC) involved URLs with subdomains.

These types of phishing attacks can be especially hard to notice as subdomains are inserted before the main domain name in the URL, separated by a dot. This technique is sometimes used to deceive consumers. For example, a legitimate bank’s website may have a subdomain like:

• login.bankname.com

On the flip side, a phishing site could use something like:

•  bankname.login-security.com

If you notice a strange subdomain or one that’s unexpected, you’ve likely spotted a website to stay away from.

Let’s talk about some other ways to keep yourself from visiting a website that can be problematic.

Signed, sealed, delivered

All reputable sites should be secured with SSL (also known as Secure Sockets Layer) encryption, which is used to prevent any sensitive information from being intercepted as it’s transmitted. This means data entered on the page can’t be read, which can protect user privacy, prevent data breaches, and make sure online transactions are secure.

Look for the security seal

One way to know if you’re on a website with proper security is to look for the padlock icon next to the URL in your browser. If you come across a site without one, it’s likely not secure and potentially dangerous. To get a closer look, here are some examples of the padlock in use on Chrome, Firefox, and Safari browsers.

Padlock in the Chrome browser

See more information from Google on how to make sure a connection is secure using their browser.

Padlock in the Firefox browser

More information from Mozilla on their product security.

Padlock in the Safari browser

You can read more information from Apple on how their browser encrypts sessions to protect users.

“S” marks the spot

Another way you can tell if a website has an SSL certificate is if the address starts with “https://” (the “s” is intentionally bolded), instead of just seeing “http://” in your browser window.

The extra “s” stands for “secure” and is generally a good sign that the website is using a protocol that encrypts information before it’s sent from your computer to the website’s server. Without the “s,” it could pose a threat and is likely a website to avoid.

Practice your eagle eye

Phishers often create dupe login pages that look real at first glance ⁠— but when taking a closer look, they don’t pass the test. The dupe pages intentionally mirror the look of well-known brands to build trust, while getting consumers to let their guard down. If you have ever received an email, clicked a link, and ended up thinking something isn’t quite right, know that you’re not alone. In fact, Security Magazine published research that found over 50,000 dupe pages exist on the web.

What are some items that could indicate a fake website or login page? There could be:

• A large number of typos and misspellings
• Presence of low-resolution images
• Missing or vague contact information
• No website terms and conditions or private policies are listed

It’s OK to be skeptical and ignore unsolicited messages with these phony dupe pages, especially those that are requesting personal information or financial details. If you receive an email from an organization you expect to receive communications from but are not positive it’s genuine, you can also verify its legitimacy through other means, such as contacting the organization directly using their official contact information.

Two-factor authentication

On top of keeping an eye out for red flags, it can be a good idea to take extra precautions with any accounts you have online. For example, turn on two-factor authentication, which is also known as multi-factor authentication (MFA). This is an extra layer of security that’s designed to help protect users by having them provide two different types of identification factors to verify their identity when logging in or performing certain actions (such as logging into a bank account or cloud-based tool). MFA use by consumers is on the rise, jumping 51% from 2017 to 2021, according to the digital news site, Gitnux.

Report fraudsters

If you receive an email message that appears to be a phishing attempt, you can usually report it to your email service provider with a few clicks. To do this, look for options like “Report phishing” or “Report spam” within the email application you use. Different email service providers have different ways to report phishing, so each company may have a different method. For example, in Gmail, you can click the three dots to the right of an email message and click the “Report phishing” option. You can see an example of this below.

Another way to prevent scammers from expanding their reach is to report any cyber shenanigans you encounter to anti-phishing organizations that work to detect and combat phishing attacks.

Agencies like the Anti-Phishing Working Group (APWG) or the Internet Crime Complaint Center (IC3) both have ways you can report incidents. In addition, the Federal Trade Commission (FTC) as well as other government agencies are also on the lookout for these practices in order to protect consumers. By doing this, you can help others on the web from becoming victims down the road too.

Update software regularly

It can be a good idea to regularly update your operating system, web browser, and antivirus software to protect against known security vulnerabilities, per the FTC. Conducting these regular updates ensures you have important patches and protections as they are issued to protect you against security threats. If you need help with the best way to go about this, reach out to your information technology department or the person who is in charge of your computer networks and devices.