Don’t Get Hooked on Phishing


Online businesses have been lamenting phishing for decades. Phishing not only harms the direct victims, but also erodes general consumer trust, which affects all online commerce. Banks are one of the most, if not the most, attacked sectors today, and fending off those attacks is critical to maintaining trust. In this blog, we wanted to share our best practices to help you avoid becoming a victim and remain safe in cyberspace.

But first, let’s start with the numbers: Over 1.4 million fake websites are created each month[1]. Over a million phishing campaigns are launched each year[2]. One in 25 branded emails is a phishing attack[3], and phishing accounts for 90% of data breaches[4].

Despite the industry’s best efforts to contain phishing, focusing only on technology solutions continues to fall short. Ultimately, phishing is a ‘social engineering’ exploit: it rarely takes advantage of technical vulnerabilities, but rather of the vulnerability of human nature. This isn’t to say we should stop developing technical solutions. In fact, we should press on with more fervor than ever; however, it is now clear that augmenting technical solutions with more human-focused solutions is necessary to achieve the results we hope for. Traditionally, these human-focused solutions come in the form of education. In the banking industry, employees are required to undergo Security Awareness and Education training programs, but few other industries have such requirements. Meanwhile, the general public is typically left to self-educate, often only after they have become victims themselves.

Combatting phishing, and anti-phishing education itself, is often a Byzantine process involving many steps, but following the steps below should give you high confidence that a website is legitimate:

1. Check the URL. Ensure the protocol, subdomain, domain name, top-level domain, and file path are all correct. Don’t fall for look-alike symbols or Unicode characters that appear identical to a person but are distinct from the perspective of a computer. When in doubt, don’t click; instead, use a search engine to find the page you’d like, as search engines remove known phishing sites.

2. Check for security indicators. HTTP websites should be avoided. All legitimate commerce sites use HTTPS, which encrypts data-in-transit to protect it. Look for the ‘padlock’ icon as an added form of confirmation, bearing in mind that the padlock confirms the connection is encrypted, not that the site belongs to whom you expect; step 3 covers that.

3. Check the certificate itself. Is it issued by a legitimate Certificate Authority? Does the company information for the website match the details of the business, and is it independently verifiable?

4. Look for “Trust Marks.” Not all websites have these, but many do. Trust Marks are provided by third-party validators to help users identify higher-reputation websites. Typically, users may click through these Trust Marks and verify that the website is in good standing with the third-party validator. See figure 1.

5. Check the domain using trusted third-party tools. If there are no Trust Marks, consider checking the domain or company using Google’s Safe Browsing site status or the Better Business Bureau.

6. Check the domain’s “Whois” data to glean information on the domain owner. While Whois data is becoming more obscured from the general public as an unfortunate consequence of privacy regulation, recent registrations or transfers may indicate the site is not trustworthy.

7. Check the website to ensure there are no grammatical or spelling errors. Awkward phrasing or a single letter changed in a name is a tell-tale sign of a phishing website.

8. If the website has advertising, how invasive is it? Are there pop-ups? Flashing banners? What type of advertising is it? Is it appropriate to the content of the website? Phishers may not just be attempting to steal from you; they may also be monetizing your attention with aggressive ads.
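As an added illustration of steps 1 and 2 (this is example code written for this post, not part of the original checklist or any bank’s tooling), the function below decomposes a URL and flags the tell-tale signs those steps describe: a non-HTTPS scheme, non-ASCII or punycode (xn--) host labels that can hide look-alike characters, and a registrable domain that differs from the one you expected while the expected brand still appears in a subdomain or path. The expected domain “example-bank.com” is a constructed placeholder.

```python
import unicodedata
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "example-bank.com"   # constructed placeholder, not a real bank


def registrable_domain(host):
    """Last two labels of the host ('login.example-bank.com' -> 'example-bank.com').
    Sufficient for this demo; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_url(url, expected=EXPECTED_DOMAIN):
    """Return a list of human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    # Step 2: insist on HTTPS. Phishing sites use HTTPS too, so this is necessary, not sufficient.
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, not https")

    # Step 1: non-ASCII or punycode labels are how confusable characters reach the address bar.
    if any(ord(c) > 127 for c in host):
        findings.append("hostname contains non-ASCII characters")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("hostname contains punycode (xn--) labels")

    # Compare the registrable domain with the one we expect, after Unicode normalisation
    # (folds full-width and similar compatibility forms; Cyrillic look-alikes stay distinct).
    domain = registrable_domain(unicodedata.normalize("NFKC", host))
    if domain != expected:
        findings.append(f"registrable domain is {domain!r}, expected {expected!r}")
        # A brand name buried in a subdomain or path of another domain is a classic lure.
        brand = expected.split(".")[0]
        if brand in host or brand in parts.path.lower():
            findings.append("expected brand appears in a subdomain or path of a different domain")

    return findings
```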

Unfortunately, very few people, if anyone, are going to routinely follow each of these steps ahead of every online transaction they make.

Most reasonable people check the URL, hopefully ensure the lock icon exists, and perhaps passively acknowledge a Trust Mark, should one be displayed. That’s it.

While human-focused solutions continue to evolve, the banking and insurance industries continuously “harden” their .com security posture through consumer protection technologies: frontend controls such as Transport Layer Security (TLS) (see figure 2), which protects your online transactions, and backend controls such as Domain-based Message Authentication, Reporting & Conformance (DMARC), which blocks fraudulent email from being delivered. In concert, these provide repeated doses of consumer education through notifications and the information contained on security pages.
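DMARC only blocks spoofed mail when the domain’s published policy actually asks receivers to do so. The following example, added here and not taken from the original post or any institution’s configuration, parses a DMARC TXT record and reports whether it is monitor-only, partially enforced, or fully enforced; both sample records are constructed.

```python
def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict of lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcement(record):
    """Classify a DMARC record as 'invalid', 'monitor-only', 'partial' or 'enforced'."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"                      # not a DMARC record, or no policy tag
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))     # pct defaults to 100 when absent
    except ValueError:
        return "invalid"
    if policy == "none":
        return "monitor-only"                 # reports are sent, nothing is blocked
    if policy not in ("quarantine", "reject"):
        return "invalid"
    return "partial" if pct < 100 else "enforced"


# Constructed samples: the weak record only collects reports, the strong one blocks spoofed mail.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-bank.com"
STRONG_RECORD = "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc-reports@example-bank.com"
```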

The industry has also developed an independent domain solution that enforces strict eligibility requirements that prevent phishers and other bad actors from acquiring these domains. Every domain in .BANK and .INSURANCE is owned and operated by an independently verified and regulated organization and uses enhanced security controls to protect the online experience.

These capabilities enhance security, but the onus is still squarely on all of us to browse safely and validate that every link is the one we expect. When there is any inkling of doubt or suspicion, follow the above recommendations to reduce the likelihood that you are being scammed.

Cybersecurity is a shared responsibility and each of us has a role to play to keep ourselves, our families, our associated organizations, and the global community-at-large safe online.


Fig. 1: Example of Trust Indicators

Fig. 2: Example of a TLS Secured Website


Disclaimer: The views expressed in this post are those of the author(s) and do not necessarily reflect the position of the Bank Policy Institute or its membership, and are not intended to be, and should not be construed as, legal advice of any kind.