Read why this is the most important tip to detect phishing links virtually beyond a reasonable doubt. […]
“Phishing” is a portmanteau of “password” and “fishing”. It describes the methods criminals use to steal data from their victims, usually usernames and passwords for e-banking and other online accounts, often along with credit card numbers and other personal information.
The criminals usually send e-mails with an eye-catching design, e.g. in the design of a certain bank, to tens of thousands of indiscriminately collected e-mail addresses. A small proportion of the recipients are guaranteed to have an account with that financial institution. The content of these mails usually revolves around the claim that something is wrong with the e-banking or other account, which is why users should log in immediately to fix the problem. The criminals combine the alleged “importance” of the matter with time pressure, so that the victims do not stop to think or do any research, and the fraud succeeds.
In the recently described case of phishing against Raiffeisen Bank customers, it was not e-mails but Google ads that led to the equally fake links.
Good to know: first, banks do not actually send you such e-mails. Second, for banking and other accounts (e.g. PayPal, Google, Microsoft, Dropbox, etc.), you may want to enable two-factor authentication.
What if e-mails still arrive that look real and plausible? To distinguish a real link from a fake one, you actually need to know more precisely how a link (URL) is usually structured. Basically like this: after the protocol (https://) there is often a subdomain or hostname (e.g. “www”), followed by a dot, the domain name (e.g. “pctipp”) and the top-level domain (e.g. “.ch”). This is followed by a slash (/), after which come subfolders (e.g. /support/downloads/), document or page names (e.g. driver list.html) and other parameters.
When it comes to finding out whether the link actually leads to the specified company, you do not need to worry about most of that at all! It is much easier.
Everything stands and falls with the domain
The whole thing can be reduced to two rules that allow you to reliably debunk an estimated 95% of phishing links.
Short version for those in a hurry
- Rule 1: The actual domain in a link is always right before the first slash.
- Rule 2: If the actual domain does not belong to your bank, then the link does not lead to your bank.
From this follows this quick guide:
In the URL, after the https://, look from left to right for the first slash (/); see A in the following screenshot.
From there, go back to the left until you reach either the second dot or the protocol (https://); see B. Everything between A and B is the domain name of this link; see C. If this is not the expected domain of that bank or other company, the link does not lead to it.
If the domain determined in the above way is a different one and the expected domain name of the bank or similar only occurs elsewhere in the URL, then it is phishing.
Useful tips: By the way, there is practically never a reason to click on a banking link in an e-mail. A bank will notify you of problems with your account primarily by letter or after you log in to e-banking. It is best to bookmark the link to your e-banking. Or even better: type the official address including the top-level domain (e.g. raiffeisen.ch instead of just raiffeisen) into the address bar. This opens the web page directly instead of just “googling” for the name of the bank. Once on the bank’s homepage, you will always find a link to e-banking. If you have clicked on a link, continue to pay attention to the lock icon in the browser and check who the certificate was issued to.
On the following page a few examples of the tricks of criminals.
Tricks of the phishers
Of course, the scammers try all sorts of tricks. They put the expected name of the alleged bank domain somewhere else in the link, sometimes garnished with terms like “admin” or “security”. The following examples are made up by the author for illustrative purposes; however, they are inspired by phishing links that have actually been seen.
Like this. Which domain does the link lead to?
https://raiffeisen_ch.trallaladomain.ru/hiereinformular.html
Or like this. Which is the domain?
https://admin_secrty.br/raiffeisen_ch.html
Or like this. Even the “.ch” is there, separated by a dot. But is raiffeisen.ch the actual domain in this link?
https://bla.lu/raiffeisen.ch_login
The same applies here:
https://raiffeisen.ch.bla.256-101-158-1.hosttech.eu/rb
Even more tricks of the phishers
A wrong link hidden behind correct text
In e-mails, on web pages, and even in Word documents, you can select a snippet of text such as “www.pctipp.ch” and attach a link such as “http://ichbineinphisher.harrharr.example.org” to it. If you just read the text and click immediately, you may not notice that the link leads somewhere else entirely. If, for example, you hover the mouse over a link in your mail program without clicking it, the actual linked address appears either in the status bar or in a small pop-up, depending on the mail program.
The IP Address Trick
Some phishers confuse their victims with links that do not point to a text domain but to an IP address. This could look like this (and yes, the author knows that each number actually only goes up to 255):
https://256.45.123.99/raiffeisen.ch_login
https://raiffeisen_ch.256.45.123.99/hiereinformular.html
If you encounter something like this, it is suspicious anyway and hopefully registers with you as an attempt at fraud. The procedure is basically the same: find the first slash and look at what should actually be the domain name. If it is an IP address, it is not your bank’s.
The Hex IP Trick
IP addresses can also be written as hex codes, for example like this, here with the IP address of our reputable com colleagues; the link is constructed by the author and of course only leads to a 404 error:
https://0x55c74313/raiffeisen.ch_login
But again, this is a trick that has already been seen in phishing e-mails.
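As an added example (not code from the original article), the two rules of the quick guide above, applied to the trick URLs shown on this page, including the IP-address and hex-IP tricks. It generalises the IP trick slightly: a dotted quad hiding at the end of a longer hostname also counts as an IP address. The expected domain “raiffeisen.ch” and the “www.raiffeisen.ch” control URL are assumptions.

```python
import re

# Constructed inputs: the article's made-up trick URLs plus one harmless control.
# None of these is a real bank address; the "www.raiffeisen.ch" entry is assumed.
EXAMPLES = [
    "https://raiffeisen_ch.trallaladomain.ru/hiereinformular.html",
    "https://admin_secrty.br/raiffeisen_ch.html",
    "https://bla.lu/raiffeisen.ch_login",
    "https://raiffeisen.ch.bla.256-101-158-1.hosttech.eu/rb",
    "https://256.45.123.99/raiffeisen.ch_login",
    "https://raiffeisen_ch.256.45.123.99/hiereinformular.html",
    "https://0x55c74313/raiffeisen.ch_login",
    "https://www.raiffeisen.ch/login",
]

def host_of(url: str) -> str:
    """Rule 1: the host is everything between the protocol and the first slash (point A)."""
    rest = url.split("://", 1)[-1]        # drop "https://" (or any other protocol)
    host = rest.split("/", 1)[0]          # stop at the first slash
    host = host.rsplit("@", 1)[-1]        # anything before an "@" is user info, not the host
    return host.split(":", 1)[0].lower()  # drop a ":port" suffix

def registrable_domain(host: str) -> str:
    """Walk left from A to the second dot or the protocol (point B): the last two labels."""
    return ".".join(host.split(".")[-2:])

def is_ip_literal(host: str) -> bool:
    """IP tricks: host ends in a dotted quad (even an impossible 256.x) or is a bare hex number."""
    dotted = re.search(r"(?:^|\.)\d{1,3}(?:\.\d{1,3}){3}$", host)
    return bool(dotted) or bool(re.fullmatch(r"0x[0-9a-f]{1,8}", host))

def classify(url: str, expected_domain: str) -> tuple:
    """Apply rules 1 and 2. Returns (verdict, domain the link really leads to)."""
    host = host_of(url)
    if is_ip_literal(host):
        return ("ip-address", host)
    domain = registrable_domain(host)
    if domain == expected_domain:
        return ("ok", domain)
    bank_name = expected_domain.split(".")[0]   # e.g. "raiffeisen"
    if bank_name in url.lower():                # the real name only appears elsewhere
        return ("phishing", domain)
    return ("other-domain", domain)

if __name__ == "__main__":
    for url in EXAMPLES:
        verdict, domain = classify(url, "raiffeisen.ch")
        print(f"{verdict:13} {domain:30} {url}")
```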