People have gotten wiser to phishing as it has exploded in popularity. Companies the world over are trying to teach users to recognize things like lookalike domains and common tells like spelling errors in phishing emails. But scammers are clever: they have a few tricks to hide the URL and many more to stop you from looking at it in the first place.
One of the oldest phishing tricks in the book is inducing panic or a sense of urgency in the victim to lower their defenses. The infamous Clinton campaign hack email told the victim they had to act immediately to fix a security issue, and the victim, bleary-eyed in the early morning hours, didn't scrutinize the email as closely as they should have. Presidential campaign staff are briefed and trained on phishing, but all that training doesn't matter if you're sleepy. This is what makes phishing attacks so effective.
On the technical side, attackers often hide the URL of the malicious page behind a button, or run it through a URL shortener like bit.ly, so you can't see (and scrutinize) the real destination before you click. When you suspect something is off but don't want to click, you can still inspect the link: on a computer, hover over the button or link and the target URL appears in a tooltip or the status bar; on a phone, long-press it. A shortened link only shows you the shortener's address, but many shorteners offer a preview (bit.ly shows one if you add a plus sign to the end of the short link). While I don't recommend clicking phishing links, merely clicking a link is usually not enough to get your phone or computer hacked (there have been exceptions, but they're rare, highly publicized, and fixed quickly); the real damage comes from what you type into the page that loads.
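Once hovering has revealed the real URL, the next step is to read it the way an attacker hopes you won't. The following is an added example (not part of the original lesson) that checks a single URL for the common tricks discussed above and, separately, unwraps a shortener chain with HEAD requests so no page body is ever loaded. The shortener list, the sample links and the redirect chain in the demo are constructed for illustration; only the Python standard library is used.

```python
import ipaddress
import urllib.error
import urllib.parse
import urllib.request

# Illustrative shortener list (an assumption; extend it for your environment).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "rebrand.ly"}


def inspect_url(url, expected_domain):
    """Return a list of red flags for one URL using string parsing only (no network).

    expected_domain is the registrable domain you believe the mail came from,
    e.g. "google.com"; any host that is not that domain or under it is suspect.
    """
    flags = []
    parts = urllib.parse.urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        flags.append(f"unusual scheme {parts.scheme!r}")
    if parts.username is not None:
        # https://accounts.google.com@evil.example/ -> the real host is evil.example
        flags.append("credentials before '@'; the real host is what follows it")
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    if not host:
        flags.append("no host")
        return flags
    try:
        ipaddress.ip_address(host)
        flags.append("bare IP address instead of a domain name")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")) or not host.isascii():
        flags.append("punycode/non-ASCII host (possible homograph)")
    if host in SHORTENERS:
        flags.append("URL shortener; destination hidden")
    elif host != expected and not host.endswith("." + expected):
        # The brand name appearing somewhere in a foreign host is the classic lookalike.
        if expected.split(".")[0] in host:
            flags.append(f"lookalike: {host!r} is not {expected!r} or a subdomain of it")
        else:
            flags.append(f"host {host!r} does not belong to {expected!r}")
    return flags


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_location(url, timeout=5):
    """Send one HEAD request and return its Location header (or None). No body is fetched."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location") if 300 <= err.code < 400 else None


def unwrap_redirects(url, head=head_location, max_hops=10):
    """Follow Location hops with HEAD only; return the whole chain, first to last."""
    chain = [url]
    for _ in range(max_hops):
        nxt = head(chain[-1])
        if not nxt:
            break
        chain.append(urllib.parse.urljoin(chain[-1], nxt))
    return chain


if __name__ == "__main__":
    # Constructed sample links, as they might appear after hovering over a button.
    samples = [
        ("https://myaccount.google.com/security", "google.com"),
        ("https://accounts.google.com@evil.example/login", "google.com"),
        ("https://accounts.google.com.verify-login.net/", "google.com"),
        ("http://bit.ly/abc123", "google.com"),
    ]
    for link, expected in samples:
        print(link, "->", inspect_url(link, expected) or ["looks consistent"])
```

Two caveats worth keeping in mind. `unwrap_redirects` still contacts the shortener and every intermediate host, so a per-recipient tracking token in the link tells the attacker the message was opened even though nothing is rendered; a shortener's own preview page avoids that. And `inspect_url` only catches the tricks it knows about: a freshly registered domain with no brand name in it passes the lookalike check, which is exactly why the lesson's advice is to compare the host against the domain you expect, not to trust a tool's verdict.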
Real-world example: The Clinton campaign hack
Here’s the screenshot of the phishing email that dealt a huge blow to the 2016 Clinton campaign. Check out the screenshot and then look at the plain text version of the email. Can you find the biggest sign it’s a fake?
Now, take the quiz to see if you’re right!
What’s the biggest sign this email is fraudulent?
What’s the best way to check the URL of a button?
You got it!
Not quite. Checking the URL after clicking might work, but many phishing pages use annoying tricks like audio alerts or popups that you're better off avoiding, and copying and pasting the button won't reveal its target URL in most cases.
You’re now armed with everything you need to know about two-factor, security keys, and the many ways that hackers try to phish you. But we are all human. We get tired, we make mistakes. In the next lesson, I want to cover what happens if you do get phished, so in case the worst happens, you’re prepared.