The most frequently missed sign of phishing, was spelling mistakes, which duped 88% of the 2175 adult, UK respondents that took part in VeriSign’s survey. 57% missed the lack of the padlock symbol in the browser address bar, 34% were not warned off by the unspecified, numerical domain name in the URL, and a fifth were not put off by the request of additional account information, despite these being well-known phishing tricks.
“Phishing continues to be a major challenge for online businesses”, said Andrew McClelland, director of business development at the e-retail community body IMRG. “It takes only one phishing attack to dramatically reduce the web browsing public’s trust in an organisation. Once that trust is lost, it is very difficult to regain, and with competition just a click away, something that business cannot afford to lose.”
In order to further validate legitimate websites and to hamper phishing, security vendors and internet browsers have jointed forced to establish the Extended Validation standard for SSL Certificates.
Tim Callan, vice president of product marketing at VeriSign, explained: “By adopting Extended Validation, a site owner makes it easy for web users to see that the site they are on is genuine. When a shopper visits a site secured in this way, a high-security browser will trigger the address bar to turn green. For additional clarity, the name of the organisation listed in the certificate as well as the certificate’s security vendor is also displayed.”
How to spot phishing:
- Https:// - check the site has an ‘s’ after the ‘http’;
- Padlock icon – this should be in the browser interface and not on the actual website;
- Trust marks – look for popular logos that identify the company and indicate that the website is authenticated and secure;
- Web address – be suspicious of unknown domains where the name of the site you think you are visiting is in the latter part of the web address;
- Green address bar – with the Extended Validation, the address bar turns green to show a site has undergone identity authentication.
VeriSign has set up a site where users can test their ability to spot phishing at www.phish-no-phish.com. Infosecurity notes it is perhaps more tricky than first assumed!