Don’t Get Hooked on Phishing

By Andrew Kennedy, BITS-BPI Cybersecurity Advisor to fTLD

Online businesses have been lamenting phishing for decades. Phishing not only harms the direct victims, but also erodes general consumer trust which impacts all online commerce.

The number of fake websites created each month has grown to 1.4M [i]. Over a million phishing campaigns are launched each year[ii]. One in 25 branded emails are phishing attacks[iii]. Phishing accounts for 90% of data breaches[iv].

Despite industry’s best efforts to contain phishing, focusing only on technology solutions continues to fall short. Ultimately, phishing is a ‘social engineering’ exploit, rarely taking advantage of technical vulnerabilities, but rather the flaws we have as human beings.

This isn’t to say we should stop developing technical solutions. In fact, we should press on with more fervor than ever. fTLD Registry Services (fTLD) is leading the charge in expanding anti-phishing technical solutions to the Top-Level Domain (TLD) by creating TLDs free of lookalike domains.

However, the picture has also emerged that augmenting technical solutions with more human focused solutions is required for improved outcomes. Traditionally, these human focused solutions come in the form of education. In the banking industry, employees are required to undergo Security Awareness and Education training programs, but few other industries have such requirements. Meanwhile the general public is typically left to self-educate, often after they become victims themselves.

Anti-phishing education itself is often a Byzantine process involving many steps:

1. Check the URL.
   Ensure the protocol, subdomain, domain name, top-level domain, and file path are all correct. Don’t fall for symbols or unicode phishing that uses characters that appear similar to human beings but are distinct from the perspective of a computer. When in doubt don’t click, but rather using a search engine to find the page you’d like.  Search engines often remove known phishing sites from the request  and elevate legitimate requests.
2. Check for security indicators.
   HTTP websites should be avoided. All legitimate commerce sites use HTTPS which protects data-in-transit with encryption. Look for the ‘padlock’ icon for confirmation. If the website has an Extended Validation (EV SSL) Certificate, the URL bar will be green indicating, it has passed the verification process. Historically, some phishing websites have succeeded in passing this process so HTTPS nor EV alone are enough anymore; take care and only rely on these indicators along with other checks.
3. Check the certificate itself.
   Is it issued by a legitimate Certificate Authority? Does the company information for the website match details of the business, can you independently verify?
4. Look for “Trust Marks”.
   Not all websites have these, but many do. Trust Marks are provided by Third Party-Validators to help users identify higher reputation websites. Typically, users may click through these Trust Marks and verify the website is in good standing with these third-party validators. Some examples of third-party validators providing Trust Marks can be seen in the following image.

   
5. Check the domain using trusted third-party tools.
   If there are no Trust Marks, consider checking the domain or company using Google’s Safe Browsing site status or the Better Business Bureau.
6. Check the domain’s “Whois” data to glean information on the domain owner.
   While Whois data is becoming more obscured from the general public as an unfortunate consequence of privacy regulation, recent registrations or transfers may indicate the site is not trustworthy.
7. Check the website to ensure there are no grammatical or spelling errors.
   Awkward phrasing or a single letter change in a name is also a tell-tale sign of a phishing website.
8. If the website has advertising, how invasive is it?
   Are there popups? Flashing banners? Audio automatically playing? What type of advertising is it? Is it appropriate to the content of the website or your best estimate of your accumulated demographic profile? Phishers may not just be attempting to steal from you, they may be monetizing your attention with aggressive ads.

If you conduct these steps and the website passes, you should have high confidence (but not complete confidence) the website is legitimate. But who are we kidding? Very few, if anyone, is going to rotely follow each of these steps ahead of every online transaction they make.

Most reasonable people check the URL, and hopefully ensure the lock icon exists and, perhaps passively acknowledge a Trust Mark, should one be displayed. That’s it. Is this the best we can hope for from human focused solutions? Let’s hope not. In the meantime, the bank and insurance industries have developed a solution that recognizes the most common approach people take to identifying an inauthentic site. Instead of looking for hints of suspicion, look for what is always in the same place:  the TLD, specifically .BANK and .INSURANCE.

What makes the .BANK and .INSURANCE TLDs so important? fTLD, the registry behind .BANK and .INSURANCE, enforces strict Eligibility Policies that prevent phishers and other bad actors from acquiring these domains. Every domain in .BANK and .INSURANCE is owned and operated by an independently verified and regulated organization.

When consumers confirm the existence of the .BANK or .INSURANCE TLD in their URL bar, or in the ‘from’ address of an email[v], they implicitly know they are in a safe part of the Internet, walled off from the untamed wild west. This is a simple message that customers would love to hear. Instead of a complicated routine to verify authenticity, one simple step would achieve the same goal.

Given trust is paramount for financial services firms and their customers, in the future web browser manufacturers, having seen no abuse in the .BANK and .INSURANCE namespaces, could go the extra mile and develop a native trust indicator built in the browser for these highly responsible domains.

Are you on a safe website?  If the domain ends in .BANK or .INSURANCE, you have the highest assurance you are!

[i] https://www.zdnet.com/article/1-4-million-phishing-websites-are-created-every-month-heres-who-the-scammers-are-pretending-to-be/

[ii] https://apwg.org/trendsreports/

[iii] https://www.avanan.com/how-email-became-the-weakest-link

[iv] https://retruster.com/blog/2019-phishing-and-email-fraud-statistics.html

[v] Applicable to email service providers or clients honoring DMARC records