You've probably heard of phishing. It's where scammers send you an email that looks like it's from an official organisation, usually your bank.
The email usually contains links to a fake login page which collects your username, password and other security details. If you enter them, the scammers will subsequently use your credit card, empty your bank account or commit some other crime against you.
Some phishing websites are laughably bad, with terrible grammar, bad spelling and shonky design. But others can be very convincing.
Spot the phishing site
To show you just how convincing phishing sites can be, here are two screenshots for you. One is the genuine sign-in screen for the Co-operative Bank's online banking service. The other is a fake sign-in screen from a phishing email I received.
You can click the image to see both screens full size. Can you tell which is which?
So, how did you do?
Well, the top screenshot is of the genuine sign-in screen. The second one is the fake.
If you're familiar with this bank's online interface, you'll probably realise that the site asking for your full name is not genuine. But if you don't use your online banking often or simply aren't paying 100% attention when you click the link, it's easy to see how you could be fooled.
Three principles to avoid phishing
Checking the address of a site like this is usually the most foolproof way to see if it's fake. In this case, it was easy to tell, because the URL clearly wasn't the Co-operative's normal address:
It isn't always as obvious as this though, so here are three foolproof ways to avoid phishing traps:
- Don't click sensitive links in emails. If an email from a trusted source like your bank asks you to log in to your account, do so by manually typing in the website address rather than clicking a link.
- Pay attention to security notices. Most phishing emails will be caught by email filters, security software or web filtering tools. If you see a warning about an email, link or website, don't ignore it. (It's amazing how many people do.)
- Let the sender know your concerns. If you're in any doubt at all about whether an email or website is genuine, get in touch with the organisation it claims to represent. A quick phone call should be enough to confirm your doubts.
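The "check the address" advice above comes down to one question: does the link's hostname belong to the bank's genuine domain, or does it merely look like it? The script below is an added example, not part of the original post; it assumes a made-up legitimate domain (`co-operativebank.co.uk`) and a constructed sample email. It extracts every link, parses out the real hostname (ignoring anything after the host, and anything before an `@`), and only accepts hosts that end in the legitimate domain on a whole-label boundary, so a lookalike such as `co-operativebank.co.uk.example.net` is flagged.

```python
"""Flag links in an email whose hostname is not the bank's genuine domain.

Added example (not from the original post). LEGITIMATE_DOMAINS and
SAMPLE_EMAIL are constructed for illustration; substitute the address
printed on your bank card or statement.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: the registrable domain the bank actually uses.
LEGITIMATE_DOMAINS = {"co-operativebank.co.uk"}

# Matches http(s) URLs up to the next whitespace or HTML/quote delimiter.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: one genuine-looking link and one lookalike.
SAMPLE_EMAIL = """Dear customer,
Please confirm your details at https://online.co-operativebank.co.uk/login
or at https://co-operativebank.co.uk.example.net/secure/login
"""


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL, or None if it cannot be parsed.

    urlsplit().hostname drops the scheme, any user@ prefix, the port and the
    path, so only the part that DNS actually resolves is compared.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None


def is_legitimate_host(host: str) -> bool:
    """True only if host equals a legitimate domain or is a subdomain of one.

    The comparison is on whole DNS labels: 'online.co-operativebank.co.uk'
    passes, but 'co-operativebank.co.uk.example.net' fails, because the
    legitimate domain must be the suffix, not just a substring.
    """
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def classify_links(text: str) -> List[Tuple[str, str]]:
    """Extract every http(s) link in text and label it 'ok' or 'suspicious'."""
    results = []
    for url in URL_RE.findall(text):
        host = hostname_of(url)
        verdict = "ok" if host and is_legitimate_host(host) else "suspicious"
        results.append((url, verdict))
    return results


if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

The allowlist is deliberately the only source of truth: the script never tries to guess whether an unfamiliar domain is "probably fine", which is exactly the judgement a convincing phishing page is designed to exploit.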
And as a final warning, don't ever enter sensitive login information if you have any concerns at all about the website you're on. Even if it just looks or feels a bit funny, that's reason enough to stop and think before you make a mistake.
Note: don't click links in dodgy emails like we did. They can be dangerous, even if you don't enter any sensitive information.