In this post, I will show you what to look for so that you can identify phishing websites quickly and easily, with close to 99% accuracy.
The number of phishing websites is on the rise, and the tactics and techniques malicious phishers employ are becoming sneakier than ever before.
But fortunately for us all, there are technical signs that give away a phishing website almost EVERY time, no matter how advanced the techniques attackers use to make the site look legitimate and believable.
Here are 6 reliable ways to detect ANY phishing website, based on research and on my experience as an ethical hacker who has built several advanced phishing websites for educational purposes.
- 1. Is the domain name of the website mimicking the domain name of another website?
- 2. Is the website secured with an SSL or TLS certificate?
- 3. Who issued the SSL certificate and how long ago?
- 4. What is the domain age of the website?
- 5. Is the website requesting you to take an action?
- 6. What made you visit the phishing website in the first place?
1. Is the domain name of the website mimicking the domain name of another website?
The fastest way to detect ANY phishing website is to examine its domain name. Domain name mimicking, or falsification, is the single most reliable giveaway, and almost ALL phishing websites have it in common.
Once you land on a website whose domain name uses a misspelling, a typo, or extra characters to resemble the domain name of another website, usually a popular or authoritative one, IT'S A PHISHING WEBSITE, period! The part that matters is the registrable domain (the label just before the public suffix, e.g. wellsfargo.com): anything in front of it is a subdomain the attacker controls, and anything after it belongs to a different domain entirely.
Cybercriminals want your money, your data, or both, and of course everything in between. That is why they constantly mimic the popular or authoritative websites and services you use to get at them.
A recent 2019 phishing report reveals that the most targeted websites or brands in phishing attacks are:
- Bank of America
So it wouldn’t be too surprising to see phishing sites that try to social engineer users into believing they are visiting the domain names of the original brands.
Here are a few examples of phishing domain names. I crafted these on the fly, and they are exactly what an advanced attacker would do:
This one attempts to trick Wells Fargo customers into believing they are on the bank's support page. Any information the page or form requests, including usernames and passwords, the user would gladly fill in.
Some unsuspecting users would fall for this because the link looks believable. But a savvy user would spot it as a phishing website without a second thought, because the official WellsFargo.com website has NOTHING to do with WellsFargo247.support: the registrable domain there is WellsFargo247.support, which the bank does not own.
There is a lot more to say about this, but the short of it is that user education is key in this situation.
If you received a link like this in an email or text message, clicked on it, and the resulting web page was an Apple login look-alike, I'm sure you wouldn't hesitate before supplying your credentials. Right?!
My best guess is that it would be because you saw the text appleid at the beginning of that link, and the general idea of the link suggests that you have won an iPhone which you are about to claim "once you log in". Anything to the left of the registrable domain is a subdomain the attacker controls, so appleid at the start of a hostname proves nothing about who owns the site.
But in reality it is a phishing website, and only user education can help users identify this, because far too many people fall for this kind of phishing scam, including IT staff who should know better.
In the same vein, this one targets Gmail users. If you're not observant, you may fall for it.
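To make the domain-name rule concrete, here is a small Python checker, added as an example and not part of the original post. It reduces a hostname to its registrable domain and flags hostnames that carry a protected brand name on a foreign domain, that use look-alike characters (0 for o, 1 for l, rn for m), or that sit one typo away from the brand. The brand list, the short public-suffix table, the confusable map and the test hostnames are all assumptions constructed for the example; a real tool would load the full Public Suffix List.

```python
import re

# Brands to protect, mapped to their real registrable domain (constructed list).
PROTECTED = {
    "wellsfargo": "wellsfargo.com",
    "apple": "apple.com",
    "google": "google.com",
    "bankofamerica": "bankofamerica.com",
}

# Two-label public suffixes this example recognises. A real tool would load the
# full Public Suffix List (publicsuffix.org); this short table is an assumption.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br", "co.jp"}

# Look-alike substitutions attackers use; assumed and deliberately incomplete.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1, e.g. 'login.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Undo confusable substitutions and drop digits/hyphens so that
    'wellsfarg0-247' compares as 'wellsfargo'."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return re.sub(r"[^a-z]", "", label)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mimicry_findings(host: str) -> list:
    """Return human-readable reasons why `host` appears to mimic a protected
    brand; an empty list means no mimicry was detected."""
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    if reg in PROTECTED.values():
        return []  # the genuine site or one of its own subdomains
    # Labels the attacker chose: every subdomain label plus the registrable label.
    # 'appleid.apple.com.iphone-winner.net' -> ['appleid', 'apple', 'com', 'iphone-winner']
    prefix = host[: len(host) - len(reg)]
    labels = [l for l in prefix.split(".") if l] + [reg.split(".")[0]]
    findings = []
    for brand, real in PROTECTED.items():
        for label in labels:
            clean = normalise(label)
            if brand in clean:
                findings.append(f"label '{label}' carries brand '{brand}' but the "
                                f"registrable domain is {reg}, not {real}")
                break
            if len(brand) >= 5 and levenshtein(clean, brand) == 1:
                findings.append(f"'{label}' is one typo away from '{brand}' ({real})")
                break
    return findings


def looks_like_phishing(host: str) -> bool:
    return bool(mimicry_findings(host))


if __name__ == "__main__":
    # Constructed test hostnames modelled on the examples in the post.
    for h in ["www.wellsfargo.com", "wellsfargo247.support",
              "appleid.apple.com.iphone-winner.net", "wellsfarg0.com",
              "goggle.com", "example.com"]:
        print(h, "->", mimicry_findings(h) or "no mimicry found")
```

The substring test is tuned for recall, so a label such as "pineapple" would also trip the "apple" rule; in practice you pair a checker like this with an allow-list of domains the brand actually owns, and you run it on the hostname from the address bar, not on the link text you were shown.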
2. Is the website secured with an SSL or TLS certificate?
The next quick check when detecting a phishing website is whether the site is served over HTTPS, i.e. protected by a TLS (formerly SSL) certificate.
A glance at your browser's address bar will reveal this. If the site is using HTTPS, you will see a padlock next to the URL or domain name (older browser versions coloured it green; current Chrome and Firefox versions show a neutral grey padlock).
Otherwise you will see a warning indicator, such as a crossed-out padlock or, in Google Chrome, a "Not secure" label.
Although the presence of a padlock on a website doesn't mean the site cannot be a malicious one set up to wreak havoc, it does mean the connection between your browser and the site is encrypted against eavesdropping and that the certificate matches the hostname you are visiting, which is the right and recommended thing for any site owner to do. It says nothing about who is behind that hostname.
Any website worth its salt these days MUST serve HTTPS with a valid TLS certificate (which is what the padlock indicates). It is expected on today's web. If you know a legitimate website that is still not using HTTPS, something is very wrong!
So if the presence of a TLS certificate cannot tell you whether a website is safe, why am I asking you to look out for it?
It's simple! It still helps you catch the remaining phishing websites set up by amateur cybercriminals who have not yet adopted HTTPS to boost their apparent legitimacy.
Just so you know, phishing websites that don't use HTTPS are becoming fewer each year. According to research by the APWG (Anti-Phishing Working Group) in its Phishing Activity Trends Report covering the last quarter of 2019, almost three-quarters of phishing websites now use HTTPS. So please be careful!
3. Who issued the SSL certificate and how long ago?
This goes right along with the previous point. What if it is a phishing website but the attacker has set up HTTPS to make it look legitimate? How do you identify that?
Very simple! Just click (or tap, on a smartphone) the padlock in your browser's address bar to reveal the certificate information.
There you will see which Certificate Authority (CA) issued the TLS certificate for that website, when it was issued, and when it expires.
Based on this information, you can get an inkling of whether the site is a potential phishing site.
So who issued the certificate: was it Let's Encrypt, or was it provisioned through Cloudflare? (Cloudflare is not a Certificate Authority itself; the certificates it provisions for its customers are issued by partner CAs and carry the customer's domain in the Subject Alternative Name list.) Two things make these services attractive to attackers:
- They are completely free. Little wonder cyber crooks prefer them: they love the path of least resistance and minimal attribution. Malicious hackers would rather use free services than make payments that could make them attributable and eventually get them caught.
- They are SUPER EASY to install and renew. In a few clicks, or one ACME client command, anyone can install a Let's Encrypt certificate on their website and have it auto-renew; the certificates are valid for 90 days. Similarly with Cloudflare, one can get a padlock on a domain almost IMMEDIATELY by pointing the domain's DNS at Cloudflare and letting its proxy/CDN terminate TLS.
Not only that: when using Cloudflare, you also get the service's extra protections, which are useful and recommended for legitimate site owners. The same proxy also hides the phishing server's real IP address from investigators, which is another reason attackers like it.
Now, how long ago was the certificate issued: that day, the previous day, or within that week?
It's typical to see websites with newly provisioned certificates trying to phish users. The usual attacker workflow is that once they create the phishing site, they immediately deploy it and start harvesting the victims' credentials they care about. I believe you get the idea now.
Notice: there are 3 important things I want you to note about what we've discussed so far:
- Not all websites protected by Let's Encrypt or Cloudflare certificates are phishing sites. The vast majority of websites (like mine) using these reputable services are legitimate. And you can see why this is a big problem: cyber crooks are using the same services.
- Some phishing sites may not use Let's Encrypt or Cloudflare; they may use another CA, so be aware that it's not a rule. Also, some phishing sites go undetected or unreported for a long time, in which case the newness of the certificate may not apply.
- You cannot use this method of identifying phishing websites in isolation. You must also check the other indicators in this guide to be able to judge whether you're dealing with a phishing site.
An important lesson to take away is that the big websites/brands cybercriminals love to impersonate RARELY use Let's Encrypt or Cloudflare certificates on their login pages; they typically use a commercial CA and a certificate that names the organisation. That gap is narrowing as free automated certificates become the norm, so treat the issuer as a weak signal rather than proof.
When in doubt, open a new tab, navigate to the official website of the brand, and check the issuer of its certificate. A mismatch can be a very clear pointer that the previous site you were on was a phishing site. Certificate Transparency logs (searchable at crt.sh) also list every publicly trusted certificate issued for a hostname, so you can see the issuance history without touching the suspect site again.
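The issuer and issuance-date checks above can be scripted. The following Python is an added example, not code from the original post: it pulls the leaf certificate with the standard library's `ssl` module and scores it on the post's two questions (who issued it, and how recently), plus two related signals, the certificate lifetime and whether the subject names an organisation. The two certificate dicts are constructed in the shape `getpeercert()` returns and describe no real certificate; the list of free/automated issuers is an assumption for the example, not an authoritative classification.

```python
import socket
import ssl
import time

# Issuer organisation names associated with free, fully automated issuance. Seeing
# one is only a weak signal (countless legitimate sites use them); this list is an
# assumption for the example, not an authoritative classification.
FREE_AUTOMATED_ISSUERS = ("Let's Encrypt", "ZeroSSL", "Google Trust Services", "Cloudflare")

# Constructed certificate dicts in the shape returned by ssl.SSLSocket.getpeercert().
# Neither describes a real certificate.
SUSPECT_CERT = {
    "subject": ((("commonName", "wellsfargo247.support"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Jun 18 09:30:00 2019 GMT",
    "notAfter": "Sep 16 09:30:00 2019 GMT",   # 90-day lifetime
}
LEGIT_CERT = {
    "subject": ((("organizationName", "Example Bank Inc."),),
                (("commonName", "www.example-bank.com"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Commercial CA"),)),
    "notBefore": "Jan 10 00:00:00 2018 GMT",
    "notAfter": "Jan 10 00:00:00 2020 GMT",   # two-year lifetime
}


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate a live server presents (network required).
    A failed validation raises ssl.SSLCertVerificationError, itself a finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def rdn_value(rdns, attribute: str) -> str:
    """Pull one attribute out of getpeercert()'s nested issuer/subject tuples."""
    for rdn in rdns:
        for name, value in rdn:
            if name == attribute:
                return value
    return ""


def assess_certificate(cert: dict, now: float = None) -> dict:
    """Apply the post's checks: who issued the certificate, and how recently."""
    now = time.time() if now is None else now
    issuer = rdn_value(cert.get("issuer", ()), "organizationName")
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    age_days = (now - issued) / 86400
    lifetime_days = round((expires - issued) / 86400)
    flags = []
    if age_days < 7:
        flags.append(f"issued only {age_days:.1f} days ago")
    if any(name.lower() in issuer.lower() for name in FREE_AUTOMATED_ISSUERS):
        flags.append(f"free/automated issuer: {issuer}")
    if lifetime_days <= 90:
        flags.append(f"short {lifetime_days}-day lifetime, typical of automated issuance")
    if not rdn_value(cert.get("subject", ()), "organizationName"):
        flags.append("no organisation in subject (domain-validated only)")
    return {"issuer": issuer, "age_days": round(age_days, 1),
            "lifetime_days": lifetime_days, "flags": flags}


def example_assessments() -> dict:
    """Score both constructed certificates at a fixed point after their issuance
    (2 days for the suspect one, 200 days for the legitimate one)."""
    out = {}
    for name, cert, days_in in (("suspect", SUSPECT_CERT, 2), ("legit", LEGIT_CERT, 200)):
        now = ssl.cert_time_to_seconds(cert["notBefore"]) + days_in * 86400
        out[name] = assess_certificate(cert, now=now)
    return out


if __name__ == "__main__":
    for name, result in example_assessments().items():
        print(name, result)
    # Live check (needs network): print(assess_certificate(fetch_cert("example.com")))
```

Every flag here is a weak signal on its own; the combination (brand-new, free, short-lived, no organisation) on a domain that mimics a brand is what makes the picture convincing. Note that `fetch_cert` does a fully validated handshake, so it never talks to the suspect site without certificate verification.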
4. What is the domain age of the website?
Another very important technical detail that helps identify a phishing website is how old the domain is.
This matters because phishing websites typically don't last long before they are found, reported, and taken down.
So it is very likely that a website trying to phish you right now was created the same day you received the phish, or the day before, or within that week or month.
Rarely would you find a phishing website that has lasted more than a month. In Q2 of 2019 it was reported that the average phishing site lasted 28 days.
When cybercriminals spin up phishing websites, they IMMEDIATELY start spear-phishing targeted individuals or mass-phishing a large group of people, before their phishing asset gets burned.
So how do you check how old a website or domain is?
It's simple. Copy the domain name portion of the URL and paste it into an online WHOIS lookup tool opened in another browser tab. It takes less than 5 seconds.
I like to use iplocation.net for this. The tool is straightforward and the result is displayed in number of days (important!). The date comes from the registry's WHOIS "Creation Date" field for the registrable domain. Keep in mind that attackers sometimes buy aged domains, and that phishing pages are often planted on compromised legitimate sites, so an old domain is not proof of safety either.
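If you would rather not paste suspect domains into a third-party website, the same lookup can be done from a script. The following Python is an added example and not code from the original post or from iplocation.net: it queries a WHOIS server over TCP port 43 with the standard library, parses the creation date out of the raw record in two common layouts, and turns it into an age in days. The two WHOIS responses are constructed for the example (they are not real registry output), the field-name and date-format tables are assumed and incomplete, and the fixed reference time exists only so the example is reproducible offline.

```python
import socket
from datetime import datetime, timezone

# Field names registries and registrars commonly use for the creation timestamp;
# an assumed, incomplete list (WHOIS output is not standardised).
CREATION_KEYS = {"creation date", "created", "registered on", "registration time",
                 "domain registration date"}

# Date layouts seen in WHOIS records; also an assumed, incomplete list.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S",
                "%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d")

# Constructed WHOIS responses (not real registry output) in two common layouts.
SAMPLE_WHOIS_NEW = """\
   Domain Name: WELLSFARGO247.SUPPORT
   Registrar: Example Registrar, LLC
   Updated Date: 2019-06-18T09:12:03Z
   Creation Date: 2019-06-18T09:12:03Z
   Registry Expiry Date: 2020-06-18T09:12:03Z
   Name Server: NS1.EXAMPLE-DNS.NET
"""
SAMPLE_WHOIS_OLD = """\
    Domain name:
        example-bank.co.uk

    Relevant dates:
        Registered on: 03-May-2010
        Expiry date:  03-May-2021
        Last updated:  01-Apr-2019
"""

# Fixed "current time" so the example is reproducible offline (an assumption).
REFERENCE_NOW = datetime(2019, 6, 25, 12, 0, tzinfo=timezone.utc)


def whois_raw(domain: str, server: str = "whois.iana.org", timeout: float = 5.0) -> str:
    """Query a WHOIS server over TCP/43 (network required). whois.iana.org only
    answers with the registry that is authoritative for the TLD (its 'whois:' or
    'refer:' line); query that server next to get the domain record itself."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(f"{domain}\r\n".encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def parse_creation_date(text: str):
    """Return the first recognised creation-date field as an aware datetime, else None."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if not sep or key.strip().lower() not in CREATION_KEYS:
            continue
        raw = value.strip()
        for fmt in DATE_FORMATS:
            try:
                parsed = datetime.strptime(raw, fmt)
            except ValueError:
                continue
            if parsed.tzinfo is None:
                parsed = parsed.replace(tzinfo=timezone.utc)
            return parsed
    return None


def domain_age_days(text: str, now: datetime = None):
    """Age of the domain in whole days, or None when no creation date was found."""
    created = parse_creation_date(text)
    if created is None:
        return None
    now = now or datetime.now(timezone.utc)
    return (now - created).days


def freshness_verdict(text: str, now: datetime = None, threshold_days: int = 30) -> str:
    """Apply the post's rule of thumb: a domain under a month old deserves suspicion."""
    age = domain_age_days(text, now)
    if age is None:
        return "unknown: no creation date found (redacted or unrecognised format)"
    if age <= threshold_days:
        return f"suspicious: domain registered {age} days ago"
    return f"established: domain registered {age} days ago"


if __name__ == "__main__":
    print(freshness_verdict(SAMPLE_WHOIS_NEW, REFERENCE_NOW))
    print(freshness_verdict(SAMPLE_WHOIS_OLD, REFERENCE_NOW))
    # Live lookup (needs network): print(whois_raw("example.com"))
```

Registries redact or reformat WHOIS output freely, which is why the parser returns "unknown" rather than guessing when it finds no creation date; treat that outcome as a reason to check the other indicators, not as a clean bill of health.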
5. Is the website requesting you to take an action?
All phishing websites are geared towards eliciting an action from the victim, and that action is predictably one of the following:
- A credential-based phishing website requesting your username and password, banking numbers, credit card details, or other personally identifiable information (PII).
- An exploit-based phishing website getting you to unwittingly download and install malware, which is usually just the beginning of more evil things to come.
- An action-based phishing website requesting you to take a directly compromising action that results in an instant payoff for the attacker.
Here is another post I wrote about these categories of phishing attacks, where you can learn more.
6. What made you visit the phishing website in the first place?
If you have a website in front of you and are not sure whether it's a phishing site, a CRITICAL question to ask yourself is: what led me to this website in the first place?
There is a plethora of reasons that could lead you to a phishing website, including but not limited to the following:
- You received a phishing email with a link to the phishing site.
- You were given a link to a web form by an entity you thought represented a credible source.
- Someone passed you a link on WhatsApp, Facebook Messenger or another messaging platform asking you to vote for them in a competition.
- You got a link to a job advertisement or anything else that may pique your interest.
- You received a text message on your phone saying you have won something and that, to claim it, you should visit the link included.
- Or the text message may claim your bank account will be suspended soon due to outdated profile details, and that you should visit the included link to update them.
The list is endless…
Phishing is very versatile, and this list is only a small fraction of the many ruses phishers use to cajole victims into their traps.
But thankfully, we can effectively combat phishing, whatever form it takes, with appropriate user awareness, education and training.
I hope you have learnt a thing or two from this post. If so, please consider sharing it to help educate someone else; you would be helping them avoid falling victim to phishing websites.