Published in


Why Phishing Scams Are Difficult To Detect

As the CEO of MetaCert, a cybersecurity company that protects more crypto traders, investors and enthusiast than all other companies combined, I have a unique perspective on the latest and greatest phishing attacks. Phishing is responsible for over 90% of all data breaches and it’s responsible for the vast majority of crypto being stolen. Yet, humans are the weakest link in the chain.

Today, I asked this question on Twitter:

How many of these URLs would you trust?

When you look at the screen shots above, can you tell which ones are phishing and which are real? Look again before you continue reading.

When I asked this question I had one goal in mind — help reduce the risk for at least one person. At least five people said they would check the SSL certificate. Given that over half of all phishing sites use an SSL certificate, it provided me with an opportunity to point this out. That’s five, possibly more who witnessed the exchange, people who should stop looking at the padlock to help identify when a website is legit.

A short while later, I posted a screen shot of the domains with a white background, to make it easier for people to evaluate each character in each URL. See below. Most were still unable to identify what others thought were obvious phishing scams. A few people responded to say that #10 was the real Take a close look at #10? If you saw this amongst other links, or inside an email, you’d immediately assume it was the real URL. There’s no reason to suspect it’s not. Right?

Are you good at “spot the difference”? Imagine having to rely on that skill every time you opened a link. 😓

Scroll down to find out the truth…

If you continue to scroll you will see that I’ve made it easy for you. Number 10 isn’t an “a” as you thought.

Every single domain is a phishing domain. And they’re not made up either. I didn’t create these URLs for the purpose of this educational exercise. They are all real phishing domains classified by MetaCert. If you look at #10 closely and inspect the character “ɑ” you will notice that it’s not “a” — even the two in this sentence are not the same character. Phishing sites use special characters so it’s more difficult to detect phishing URLs. So the difference between ɑ and a could be the difference between you losing your personal identity or the content of your crypto wallet.

Asking people to check the URL before opening a link, or before signing into a website, is advice that does not work. Yet, it’s what every company tells their customers and community members.

Below are just a few of the phishing sites that we’ve classified for —and that’s just one website!

By now I hope to have helped a few people avoid phishing scams with this single exercise. Please pass it on to your friends and co-workers to help them stay a little safer online.

You might want to look at installing Cryptonite — no user has ever fallen for a phishing scam while using this browser add-on.

Reminder — don’t rely on the padlock / SSL certificate.

👉 Follow MetaCert on Twitter at
👉🏼 Connect with me personally on Twitter at
👉🏽 Engage with our team and the community on Telegram at




Zero Trust cybersecurity for teams and remote workers

Recommended from Medium


InfoSecSherpa Newsletter — 08 May 2021

TryHackME — VulNet: Roasted

What is The Metaverseand how does it work?

DEC-Bidesk Press Release

How to Add a Self-Referencing Rule to a Security Group using the CDK

InfoSecSherpa’s News Round Up for Monday, September 20, 2021

STIR/SHAKEN didn’t stop your Spam labeling, did it?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Paul Walsh

Paul Walsh

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.

More from Medium

Apollo 2.0 — New Year, New Features

Digital Footprints — Leaving Trails Behind For Cyber Forensics

Three quick takes regarding the 2021 updates to the OWASP Top 10 list

TrendNET AC2600 RCE via WAN