1. Cybercriminals purchase SSL certificates
An SSL certificate allows website operators to run their websites over HTTPS. HTTPS ensures that the data between your web browser and the website you’re visiting is encrypted and is not sent in plain text. While legitimate companies will set up HTTPS for their sites, cybercriminals will also implement HTTPS to appear credible.
Ask yourself these questions to stay safe online:
- Is the address in my toolbar the correct address for the website that I want to be on?
- Is there a picture of a lock in the address bar to let you know the website uses HTTPS? (example image shown below)
- Did your web browser alert you to an error with the “security certificate”? If you ever see a certificate error in your web browser, make sure you’re on the correct website. Reporting this error to the targeted company helps to combat phishing.
3. Cybercriminals have graduated from grammar and spelling class!
The phishing toolkits available to cybercriminals these days can do everything from sending out mass emails to cloning actual websites and performing spelling checks. Phishing has become commercialized, so looking for poor grammar or misspellings is less relevant nowadays. To stay safe, just remember that the banks and retailers that you do business with will never contact you by email or phone and ask for login or personal information. When in doubt, contact the company by calling their official telephone number.
4. Today’s phishing kits can block search engine robots from seeing the phishing site
While phishing emails are less prevalent in our email inboxes thanks to industry advances such as DMARC, the underground demand for phishing kits likely hasn’t decreased. Symantec reported over 800 phishing toolkits in the wild in their 2014 report, and one of the features inside toolkits was the ability to prevent search engine robots from discovering the phishing content.
5. A phish that spoofs a given brand can involve dozens of unique domains
A domain name can be purchased for as little as $4 a year. At these costs, phishers can register dozens of domain names and stand up websites on a modest budget. When you’re online, be sure to type in the correct address for the banks and retailers you do business with. It’s not uncommon for phishers to register misspelled variations of popular websites in an attempt to trick unsuspecting users. The practice of registering these spelling variations is called typosquatting.
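As a defender-side illustration of typosquatting, the added example below (not part of the original article) flags domains seen in mail or proxy logs whose name is one typing error away from a brand you protect. The brand list, observed domains and function names are constructed for illustration and use the reserved `.example` TLD.

```python
# Added example: flag lookalike (typosquatted) domains. All names are constructed.

def osa_distance(a: str, b: str) -> int:
    """Edit distance where insert, delete, substitute and adjacent swap cost 1 each."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "el" typed for "le"
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]

def second_level_label(domain: str) -> str:
    """Label left of the TLD. Assumption: single-label TLD, no public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

BRANDS = ["examplebank.example", "exampleshop.example"]  # constructed brands

OBSERVED = [  # constructed sample of domains seen in logs
    "examplebank.example",       # exact match: legitimate, not flagged
    "exampelbank.example",       # two letters swapped
    "examplebnk.example",        # letter omitted
    "exampleshopp.example",      # letter doubled
    "www.examp1ebank.example",   # digit substituted for a letter
    "unrelated-site.example",
]

def find_lookalikes(observed, brands=BRANDS, max_distance=1):
    """Return (observed, brand, distance) for near-miss spellings of a brand."""
    hits = []
    for domain in observed:
        label = second_level_label(domain)
        for brand in brands:
            d = osa_distance(label, second_level_label(brand))
            if 0 < d <= max_distance:  # 0 means the brand itself
                hits.append((domain, brand, d))
    return hits

if __name__ == "__main__":
    for domain, brand, d in find_lookalikes(OBSERVED):
        print(f"{domain} looks like {brand} (distance {d})")
```

Raising `max_distance` catches more variants but also more false positives on short brand names, so review hits before acting on them.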