Why Phishing Scams Are Difficult To Detect
As the CEO of MetaCert, a cybersecurity company that protects more crypto traders, investors and enthusiast than all other companies combined, I have a unique perspective on the latest and greatest phishing attacks. Phishing is responsible for over 90% of all data breaches and it’s responsible for the vast majority of crypto being stolen. Yet, humans are the weakest link in the chain.
Today, I asked this question on Twitter:
How many of these URLs would you trust?
When you look at the screen shots above, can you tell which ones are phishing and which are real? Look again before you continue reading.
When I asked this question I had one goal in mind — help reduce the risk for at least one person. At least five people said they would check the SSL certificate. Given that over half of all phishing sites use an SSL certificate, it provided me with an opportunity to point this out. That’s five, possibly more who witnessed the exchange, people who should stop looking at the padlock to help identify when a website is legit.
A short while later, I posted a screen shot of the domains with a white background, to make it easier for people to evaluate each character in each URL. See below. Most were still unable to identify what others thought were obvious phishing scams. A few people responded to say that #10 was the real myetherwallet.com. Take a close look at #10? If you saw this amongst other links, or inside an email, you’d immediately assume it was the real URL. There’s no reason to suspect it’s not. Right?
Are you good at “spot the difference”? Imagine having to rely on that skill every time you opened a link. 😓
Scroll down to find out the truth…
If you continue to scroll you will see that I’ve made it easy for you. Number 10 isn’t an “a” as you thought.
Every single domain is a phishing domain. And they’re not made up either. I didn’t create these URLs for the purpose of this educational exercise. They are all real phishing domains classified by MetaCert. If you look at #10 closely and inspect the character “ɑ” you will notice that it’s not “a” — even the two in this sentence are not the same character. Phishing sites use special characters so it’s more difficult to detect phishing URLs. So the difference between ɑ and a could be the difference between you losing your personal identity or the content of your crypto wallet.
Asking people to check the URL before opening a link, or before signing into a website, is advice that does not work. Yet, it’s what every company tells their customers and community members.
Below are just a few of the phishing sites that we’ve classified for myetherwallet.com —and that’s just one website!
By now I hope to have helped a few people avoid phishing scams with this single exercise. Please pass it on to your friends and co-workers to help them stay a little safer online.
You might want to look at installing Cryptonite — no user has ever fallen for a phishing scam while using this browser add-on.
Reminder — don’t rely on the padlock / SSL certificate.