What is a Phishing Site?

Every Internet security expert agrees that it is important to know what a phishing site is. Phishing is the biggest online threat to individuals and businesses. It can be used to commit fraud and identity theft, or to install malware and ransomware on computer networks. More than 90% of all cyberattacks begin with a phishing email, because it is easier for cybercriminals to exploit human weaknesses than to break into a well-protected network.

A Brief Explanation of Phishing

To answer the question of what a phishing site is, it is best to start by explaining what phishing is. Phishing is usually associated with email fraud. A cybercriminal sends an email that appears to come from a legitimate source and asks the recipient to perform a specific action. In most successful phishing attacks, the requested action involves clicking on a fake link in the body of the email in order to visit a phishing site, or opening a malware-infected attachment.

Individuals fall for phishing emails because the emails typically use urgent or exciting language to encourage the recipient to act without thinking. The emails may warn of unusual activity on an account that needs to be investigated, or alert the recipient to a time-limited offer. In many cases the cybercriminals have used social engineering techniques to tailor the phishing emails to the recipient's specific interests or role within the workplace.

What is a Phishing Site Used For?

This depends on the objective of the phishing attack. In the majority of cases, a phishing site will have been carefully constructed to resemble the legitimate site the intended victim believes they are visiting. When he or she arrives at the phishing site, the next request often involves entering log-in credentials – for example the username and password for a bank or PayPal account, or an email account. Once the data is entered, it is recorded by the cybercriminal and used to commit financial fraud or identity theft.

The alternative objective of phishing is to install malware on a corporate network. As mentioned above, malware can be deployed via an infected attachment; but, as many online security solutions have safeguards against users opening certain types of files, it is more effective for cybercriminals to redirect the recipient of a phishing email to an infected website. Once the website is opened, the malware starts downloading onto the victim's computer automatically, without any further user interaction.

How to Identify a Phishing Site

Identifying a phishing site is not as straightforward as it once was, due to the increased sophistication of cybercriminals. Secure websites (those displaying a padlock or using the prefix https://) are no longer a guarantee that a website is not a phishing site, because some certificate authorities issue SSL certificates for free. In early 2017 more than one thousand "secure" websites were identified with the word "PayPal" in their URL, most of them created for the purpose of phishing.
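As an added illustration (not code from the original article) of why the padlock alone proves nothing, the following Python triage heuristic parses a link and flags brand names that appear in the URL while the host is not one of the brand's real domains; the brand-to-domain table, the extra checks and the sample URLs are constructed assumptions for this example.

```python
from urllib.parse import urlsplit

# Constructed, illustrative table: brand keyword -> domains the brand really uses.
# A production filter would maintain this list (or query a URL reputation service).
KNOWN_BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
}


def host_belongs_to(host: str, domains: set) -> bool:
    """True if host is one of the domains or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_url(url: str) -> dict:
    """Return a small triage verdict for a link found in an email.

    The https scheme is recorded but deliberately NOT counted as evidence of
    legitimacy: free certificates make 'secure' phishing sites routine.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    lowered = url.lower()
    reasons = []

    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        # Brand name mentioned anywhere in the link, but the actual host is not the brand's.
        if brand in lowered and not host_belongs_to(host, domains):
            reasons.append(f"'{brand}' appears in the URL but the host is {host!r}")

    if "@" in parts.netloc:
        # user:pass@host syntax lets the visible text lie about the destination
        reasons.append("userinfo before '@' hides the real host")

    if host and host.replace(".", "").isdigit():
        reasons.append("bare IP address used as host")

    return {
        "host": host,
        "https": parts.scheme == "https",
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/signin",
                   "https://paypal.com.account-verify.example/login",
                   "http://paypal.com@203.0.113.5/"):
        print(sample, "->", assess_url(sample))
```

Note that the lookalike host in the second sample is flagged even though the link is served over https.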

Unfortunately, by the time a recipient arrives at a phishing site, it may be too late to prevent a malware download from starting. Therefore, rather than provide tips on how to identify a phishing site, it is more beneficial to provide tips on how to avoid clicking on a link to a phishing site. These include:

  • Never click on a link in an email that appears to come from a bank, PayPal, Amazon, the IRS or any other apparently trusted source without first checking with the purported sender.
  • Alternatively, it only takes a second to open a web browser and log into the online account yourself. This ensures you are on the legitimate site and not a phishing site.
  • Treat internal emails containing a link with suspicion. They may have come from a compromised email account whose holder divulged their login credentials.
  • Never open unexpected attachments. Most businesses now use secure file sharing tools to eliminate the need for attachments, and no legitimate site ever sends attachments.
  • Be alert to unusual formatting or design. Although cybercriminals are becoming more sophisticated, there are often tell-tale signs that a phishing email is a fake.
  • Never respond to a request for urgent action. Emails can sit in an inbox for days without being read, so if something was genuinely urgent, the entity trying to get hold of you would have used another channel of communication.

Phishing Prevention for Businesses

As mentioned above, phishing is the biggest online threat to businesses, and it is important that employees not only know what a phishing site is, but also understand the potential consequences of visiting one. There are various tools that can help businesses avoid falling victim to a phishing attack (for example email filters with SURBL filtering), but the most effective is phishing awareness training that uses phishing simulations to prepare employees to be more resilient against phishing emails.

Ongoing phishing awareness programs provide tools with which employees can quickly question the legitimacy of a suspicious email, or report that they have opened one in error. These tools prevent IT teams from being overloaded with potentially harmful emails, and enable swift and effective responses to security breaches. With phishing awareness training, the human weaknesses on which cybercriminals rely for their phishing attacks to succeed can be eliminated, and employees turned into one of your most robust defenses against phishing.