A successful phishing attack relies on several factors. First, spammers have to convince their victims to open a fake email. The recipient must then click on a link to visit a fake website. Finally, the victim has to be tricked into sharing sensitive information (password, credit card number, bank account details) with the hacker.

Phishing attacks remain popular with criminals because they really do work. By investing time and effort into creating a fake website that looks just like the real thing, criminals dupe victims into believing everything is OK. If the fake website looks right, people will share their most sensitive information.

The fake URL trick

One way to make a fake website look even more realistic is to give it a website address that looks very similar to the official URL. In the UK, Lloyds Bank has the website address lloydsbank.com. If a criminal creates a phishing website with the URL lloydsbank-online.com, they can catch people out; it looks just about right.

This particular technique is very effective because (a) a lot of people don’t know the exact URL of the website they want to visit, (b) modern websites often use a number of different URLs and (c) without checking very carefully, the address looks pretty much as expected.

Automating fake URL detection

To help better protect web users, Google has begun testing a new feature for the Chrome web browser, designed to automatically detect potentially fake URLs. Google has not announced exactly how the feature works, but it appears to compare the URL entered into the address bar against a list of known “good” sites. If there is a mismatch, users will be given a warning before they proceed.

Users are not blocked from visiting suspicious websites, but they do have to click a button to accept that they have seen the warning.
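
Google has not published how Chrome's check works, so the following is an added illustration (not Chrome's or Panda's code) of the general idea described above: compare a URL's domain with a list of known-good sites and warn on near matches. The allow-list, function names and the typo threshold are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed allow-list for illustration; a real list would be far larger.
KNOWN_GOOD = {"lloydsbank.com", "google.com"}

def registrable_domain(url):
    """Return the last two labels of the host. Assumption: simple .com-style
    domains; production code should consult the Public Suffix List."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    return ".".join(host.rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance using the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url, max_typos=2):
    """Classify a URL as 'known-good', 'lookalike of <domain>' or 'unknown'."""
    domain = registrable_domain(url)
    if domain in KNOWN_GOOD:
        return "known-good"
    label = domain.split(".")[0]
    for good in sorted(KNOWN_GOOD):
        brand = good.split(".")[0]
        # Case 1: the brand appears as a hyphen-separated token,
        # as in lloydsbank-online.com.
        embedded = brand in label.split("-")
        # Case 2: the name is within a few typos of the brand.
        typo = edit_distance(label, brand) <= max_typos
        if embedded or typo:
            return f"lookalike of {good}"
    return "unknown"

if __name__ == "__main__":
    for sample in ("https://www.lloydsbank.com/login",
                   "http://lloydsbank-online.com",
                   "lloydsbnak.com",
                   "https://example.org"):
        print(sample, "->", check_url(sample))
```

A "lookalike" result corresponds to the warning step: the user is told the address resembles a known site and must confirm before continuing, rather than being blocked outright.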

Protecting yourself now

The URL checker is still being tested, and it’s not foolproof either. But it will offer another layer of protection against phishing scams once testing completes.

The good news is that you can protect yourself against phishing and malware right now. The Panda Dome Suite already includes automated website address checking, helping users to avoid being scammed. Using a daily-updated blacklist of known phishing websites, Panda Dome detects and blocks fake URLs automatically.

Importantly, Panda Dome also allows users to customise those blocking features. If access to a website is being restricted in error, you can add the address to a personal ‘whitelist’, ensuring normal access in future. Similarly, a ‘blacklist’ can be used to block access to any content you don’t want to see – not just fake phishing sites.

These features are available right now, so there’s no need to wait for Google to complete testing of their new feature. Download a free trial of Panda Dome and protect yourself against fake URLs today.
