Phishing scams—the ones that try to get you to provide private information by masquerading as a legitimate company—can be easy to uncover with a skeptical eye, but some can easily get you when you let your guard down for just a second. Here’s how you can boost your phishing detection skills and protect yourself during those times when you’re not at full attention.
Want to test your phishing IQ and find out what kind of scams you’re most likely to miss? Take this test.
Blast from the past is a weekly feature at Lifehacker in which we revive old, but still relevant, posts for your reading and hacking pleasure. This week, with yet another group of scams making the rounds, we thought it was time to brush up on our phishing detection skills.
What You Can Do
The way most phishing scams find victims is through email, but sometimes you’ll come across a phishing site in the wild as well. Either way, here are the basic principles you want to follow to keep a cautious eye out for these malicious traps.
Check the URL
Phishing scams are designed to look like official emails and web sites from actual companies, but they aren’t actually those things—they’re just imitations. Because the emails and web sites are imitations they’ll probably look a little different from what you’d expect in general, but more importantly those sites can’t have the same URL as the web site they’re pretending to because they are different sites. To check the URL, just hover of the link you’re thinking of clicking. At the bottom of your window you should see the URL displayed. Once you do that, you have to figure out if it is a good URL or a bad URL.
Using PayPal as an example, you’ll generally see http://www.paypal.com as part of the URL. Sometimes you’ll see something like http://subdomain.paypal.com as well. Both of these URLs are okay, because they end in paypal.com. A phishing URL, however, might look something like this: http://paypal.someotherdomain.com. In this case, “paypal” is attached to another domain name (someotherdomain.com). URLs like this are the ones you want to avoid.
Type the Address Yourself
The best thing you can do to avoid phishing scams is always go directly to the web site you want to visit rather than clicking a link. This way you don’t have to figure out if the URL is safe or not because you’ll be using a URL in your bookmarks (or your brain) that you already know is safe. Doing this can also help protect you from phishing scams when you let your guard down because you’ll be in the habit of visiting sites directly rather than clicking links.
I fell for a phishing scam once when I read the email right after I woke up in the morning. It was from my bank and they’d sent me a lot of verification notices lately since I’d been traveling and using my debit card all over the place. When I got another one, I didn’t even think about it because I’d just woken up. I went to the site, filled in my info, and then immediately realized I’d just provided that information to a phishing scam site. I called the bank to let them know right away and got a new card, but had I changed my default behavior to calling the bank of visiting the bank’s web site this probably wouldn’t have happened. Of course, that’s what I do now and it hasn’t been a problem since.
What Your Browser Can Do For You
Detecting phishing scams on your own mainly require the mild paranoia and the behavioral adjustment described above, but there are a few other things you can do to make your everyday browsing safer.
Turn Off Form Autofill
One great feature of many web browsers is the autofill feature. It makes it really easy to fill out forms using information already stored in the browser. It also makes it easy for you to ignore the form you’re filling out and just submit it, causing you to potentially miss a phishing scam when you’re rushing through the process. While this precaution isn’t necessary, and you might prefer the convenience of autofill to the safety benefits that deactivating it can provide, turning it off will provide a little added protection.
Utilize Your Browser’s Built-In Tools
Most browsers come with some phishing protection built-in to help protect you, but it isn’t always enable by default. Google Chrome keeps track of common phishing sites and can alert you when you visit one, but you may need to go through the short setup process to make it work. Firefox also offers phishing and malware protection in a similar way, and you can enable it in the Security section of Firefox’s preferences.
Bump Up Your Phishing Protection with Web of Trust
Web of Trust is one of our favorite browser extensions because it automatically lets you know if a web site is trustworthy or not. While it can’t possible verify every single site on the internet, it can make you aware of potentially harmful sites and phishing scams. All you have to do is install the extension for your browser and it will display a trust rating in your browser’s toolbar. (You can read more about this here.) Web of Trust is available to download for Google Chrome, Firefox, Internet Explorer, Opera, Safari, and as a bookmarklet for other browsers.
Got any other tips for avoiding phishing scams? Let’s hear ’em in the comments!