Phishing scams are nothing new.  By now we’re all pretty familiar with emails from Nigerian princes and the UK lottery and we know to avoid clicking links or providing personal information.  However, scam artists are not stupid, and they’ve proven extremely adaptable when it comes to conning unsuspecting victims in the online arena.

When it comes to phishing, you can’t afford to rest on your laurels.  Constant vigilance is required to ensure that your company and your customers are safe from phishing scams.  This means updating security regularly, as well as researching new threats and the best ways to defend against them.

With proper SSL certification and encryption, you can ensure the most secure connection, and when you are up-to-date with current virtual threats, you should be able to help your customers avoid accidentally stumbling into trouble.  Here’s what every business owner needs to know about phishing attacks.

What is Phishing and How Does It Work?

According to the Merriam-Webster online dictionary, phishing is “a scam by which an e-mail user is duped into revealing personal or confidential information which the scammer can use illicitly”.  It’s important to understand, however, that this definition is very basic and not entirely accurate.

Phishing scams originated via email, but have expanded in scope to include a variety of scams, which is why they’re more commonly called phishing attacks these days.  As noted above, most people are familiar with basic email phishing scams, like those that say you’ve won something and all you have to do is provide sensitive, personal information to claim your prize.  Another email phishing attack spoofs emails from legitimate companies, like banking institutions, to get you to provide information, click through to a false homepage where you enter your password information, or even download a file containing malicious software.

There are also phishing attacks that have nothing to do with email.  Pharming attacks fall into this category, and these occur when hackers reroute users seeking legitimate websites.  Say, for example, you type in a web address like “www.gmail.com”.  If a pharming attack is underway, you may be redirected to a website that looks like Gmail, where you’ll enter your login information, only to have it stolen.

There are all kinds of malware that can get into your system through downloads or straight hacking.  Keystroke trackers and screenloggers monitor and log everything you type or view on your computer and use it to figure out passwords and gain access to your online accounts.  Software can be used to wait until you log in to accounts, such as online banking, and then hijack your session.

There are many variations on these themes, including host file poisoning, man-in-the-middle attacks, content-injection phishing, and many other types of deception, spoofing, and more.  All are designed to get you to take a desired action and give up confidential information that can then be used to access accounts, steal your identity, and secure a payday for cyber criminals.  Some target specific people or entities, while others cast a wide net and see what they reel in.

Increasing Sophistication

Phishing attacks may have started as simple, deceptive emails designed to elicit information, but as users became savvy to these ploys, scam artists had to change their tactics in order to continue harvesting sensitive data.  Over the past couple of decades, phishing attacks have significantly increased in sophistication, so that now they can be difficult or even impossible to spot.

One type of phishing attack that has become increasingly common is the homograph attack, and it involves an extremely sophisticated form of deception.  Cyber criminals register web addresses built from characters in other alphabets that look identical to the Latin letters you expect, producing a phony web address that looks just like one you’re familiar with.  They often target sites that provide access to personal information or money accounts, such as social media sites like Facebook or online payment sites like PayPal.

When you click on the domain, you not only see the web address you expect, but in many cases these websites are actually registered with valid SSL certificates, which means they bear the HTTPS designation that web users recognize and associate with safe and legitimate websites.  This, of course, is part of a bigger problem you might not know about – the Let’s Encrypt initiative.
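As an added example (not code from the original article), here is a small Python check a site owner or mail filter could run over a link’s hostname to flag homograph look-alikes of their own domains: it decodes Punycode, reports labels that mix alphabets, and folds a constructed subset of confusable letters back to Latin to see whether the result collides with a protected name.  The CONFUSABLES map and PROTECTED set are constructed assumptions, not a complete table.

```python
import unicodedata
from typing import Optional

# Constructed subset of the Unicode confusables table: look-alike letters
# from other scripts mapped to the Latin letter they resemble.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u04bb": "h",   # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                   # Greek
}

# Assumption: the site owner lists its own domains here.
PROTECTED = {"example.com", "example.org"}


def to_unicode(domain: str) -> str:
    """Decode Punycode (xn--) labels so substituted letters become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode (or malformed): inspect as given


def script_of(ch: str) -> Optional[str]:
    """Script family of a letter (LATIN, CYRILLIC, GREEK, ...), None otherwise."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(label: str) -> str:
    """Fold confusable letters to ASCII so look-alike labels collide."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", label))


def analyse(domain: str) -> dict:
    """Flag IDN use, mixed-script labels and collisions with PROTECTED names."""
    uni = to_unicode(domain.lower())
    labels = uni.split(".")
    # A label drawing letters from more than one script is the classic homograph tell.
    mixed = [lbl for lbl in labels if len({s for s in map(script_of, lbl) if s}) > 1]
    skel = ".".join(skeleton(lbl) for lbl in labels)
    return {
        "unicode_form": uni,
        "is_idn": any(ord(c) > 127 for c in uni),
        "mixed_script_labels": mixed,
        "impersonates": skel if skel in PROTECTED and skel != uni else None,
    }
```

A hostname that decodes to a mixed-script label or whose skeleton matches a protected name is a strong signal to block or warn on; a plain ASCII protected domain passes cleanly.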

Let’s Encrypt was designed with a lofty goal: to make it easier for small websites to obtain the SSL certificates and security needed to prove legitimacy.  It made sense at the time because users were concerned about the dangers of unencrypted sites, where their sensitive data could be easily stolen in transmission.  In addition, SSL certificates used to be difficult and expensive to obtain, effectively pricing out smaller businesses trying to create a web presence.  Let’s Encrypt automated the process and made it free to encrypt website communications online.

It may have started with a noble goal in mind, but the end result was far from surprising for anyone who understands human nature.  Cyber criminals quickly discovered that they could use Let’s Encrypt to obtain SSL certificates and essentially validate spoof websites, making them look legitimate and safe to an unsuspecting viewing public.  Now a “secure” site no longer denotes safety.

The best proof of this paradigm at work is PayPal.  As of earlier this year, more than 15,000 SSL certificates had been issued through Let’s Encrypt with the word “PayPal” in the domain name or in the certificate identity, and nearly 97% of them turned out to host phishing sites.

Avoiding Phishing Scams

What does all of this mean for legitimate businesses operating online?  What can companies do to protect themselves and their customers?  With Let’s Encrypt opening the door to countless phishing scams and making them look like legitimate websites, how can companies and consumers avoid the lure of sophisticated phishing scams?

The answer lies in Extended Validation SSL (EV SSL).  In case you didn’t know, there are several levels of SSL certification meant to prove a secure, encrypted connection, as well as protect the safety of users.  An EV certificate is more difficult to obtain: it requires additional validation of the organization behind the site, and it costs more.  However, the end result is a more secure and reliable browser connection, as well as visual cues for users.


The main distinction for customers is that the address bar will not only feature the HTTPS identifier to show a valid SSL certificate, but it will also display a green lock icon and an address bar showing the legal name of the website owner.  If you want to ensure customer safety, there are two things you need to do.  First, you must upgrade to an extended validation SSL certificate.  Then you need to inform your customers what to look for when they visit your website.


Whether customers type in your web address or reach you through a link that appears in a Google search result, they need to not only verify the address, but also look for the green lock and your organization’s name next to the address.  When they see these identifying factors, they’ll know they’ve reached your legitimate website and it’s okay to enter their login data.

Phishing is an insidious, criminal practice that could negatively impact your business and your customers if you’re not careful.  It’s imperative that you keep up with current phishing attacks, take precautions to secure your website, and keep your customers informed so that they can place their trust and their sensitive information in your capable hands.

Contact us today to set up a consultation to see how you can secure your site.