Anti-Phishing Tips You Should Not Follow

Anti-Phishing tips debunked


Today every other online banking website features the "anti-phishing tips" page intended to teach an ordinary computer user how to fight those annoying emails collecting your personal data. While this educational initiative is praiseworthy, many of the tips, and some of them originate from security experts, are in fact questionable, incorrect, or misleading. This article debunks the most common myths. At the end of this page you'll find a couple of tips that will help you correctly identify both valid and impersonated websites.


Myth #1: Secure, encrypted web page indicates a valid website.


Contrary to a popular advise, never rely solely on "https://" prefix or padlock icon that indicate a "secure" page. It is possible for a phishing website to have a valid SSL certificate. You might want to check certificate details to see if the "Common Name" field of the certificate matches the host name of the organization's website, but it requires some level of technical expertise.


Myth #2: Secured by [insert authority name]. Click here to verify.


Have you seen those? Well, they are worthless. The splash window you get by clicking on the link does not guarantee that you are on a legitimate website.


Myth #3: Address bar always shows a correct URL.


Another faulty advice is to check if the address bar contains a correct URL. It is not enough to ensure validity of a website. Vulnerabilities in browser software could allow phishers to spoof information in the address bar. There is another type of attack (DNS Spoofing) that can also trick you to think you are visiting a valid website.


Myth #4: Moving mouse over a link shows the real URL in the status bar.


Status bar text can easily be changed. In fact, it is even easier that spoofing the address bar content.


Myth #5: Anti-phishing software prevents scams.


Similarly to antiviral software's inability to detect new malicious code, your Anti-phishing browser plug-in (often offered for free by internet providers) is incapable of detecting all phishing attempts. On the contrary, by adding software (sometimes of questionable quality) to your browser you make yourself vulnerable to the malware that specifically targets that software.


Myth #6: An email containing your personal data is legitimate.


If you receive the message from your bank and it contains your name and your account number (or a part of it), it might as well be a fraudulent email. Phishers can get access to some of your personal data by using public databases or data leaked from other organizations.


Myth #7: It is safe to log in once you know the website is legitimate.


NO! Website vulnerabilities (called Cross-Site Scripting) could allow a sophisticated attacker to use the form on company's website to capture your credentials by redirecting you to attacker's website as soon as you click "Login" button or hit "Enter". Read our tips below on how to prevent this.


What to do to avoid getting scammed:


Tip #1: Do not click on links in your e-mail.


If you receive a message from your bank asking you to do something, do not click on links in the email and do not use forms in the email to log in. Instead, open your browser, go directly to your bank's website, log in, and continue there. Even if the email is from someone you know, DO NOT CLICK ON THE LINKS.


Tip #2: Invalid credentials usually work on impersonated websites.


If you feel there is something wrong with a website, use invalid username and invalid password to log in. If the website then presents you with the "Logon failed" page, you are possibly on a legitimate website. It may not always work as sometimes impersonators simulate failed logons for double-checking victim's input or redirect to a legitimate website after collecting credentials. But if your invalid credentials get you right through - it is definitely a phishing attempt.


Tip #3: Report the message to the company impersonated in the email.


Most financial organizations have guidelines and dedicated email addresses where to report security problems. If you suspect a message is a phishing attempt, forward it to the organization. You can find email address to forward suspicious emails to in our Scam Reporting Database. You should include all email headers. Do not expect a reply from the organization as they receive thousands of those reports.