{"id":10014,"date":"2021-05-26T10:20:08","date_gmt":"2021-05-26T14:20:08","guid":{"rendered":"https:\/\/www.cscdbs.com\/blog\/?p=10014"},"modified":"2026-01-15T10:05:59","modified_gmt":"2026-01-15T15:05:59","slug":"phishing-scams-how-to-spot-them","status":"publish","type":"post","link":"https:\/\/www.cscdbs.com\/blog\/phishing-scams-how-to-spot-them\/","title":{"rendered":"Phishing Scams: How to Spot Them and Stop Them"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

By David Barnett, Subject Matter Expert \u2013 Brand Monitoring<\/p>\n\n\n\n

Phishing scams are nothing new in the online security world and show no signs of subsiding. The scam starts when a fraudster sends a communication purporting to originate from a trusted provider and encourages the recipient, often with a conveyed sense of urgency, to click a link. That link leads to a fake site, usually intended to collect confidential login credentials or other personal information. In similar scams, the mail may encourage the recipient to open an attachment loaded with malicious content.<\/p>\n\n\n\n

The communications are often sent to a large list of recipients whose contact details have usually been \u201charvested\u201d from the internet (databases with this kind of information are tradable commodities in their own right). The fraudsters hope that some of the recipients will be genuine customers of the organization being impersonated. In other cases, personal details may be obtained via a breach of a company\u2019s customer database, allowing the fraudster to construct a much more tailored attack.<\/p>\n\n\n\n

The COVID pandemic has provided many additional opportunities to fraudsters through the increased use of online channels by individuals working from home during lockdown. COVID-related lures encourage users seeking information, reassurance, and assistance to click on links. The Anti Phishing Working Group (APWG) found that in just the second quarter of 2020, almost 147,000 phishing sites were detected, with more than 350 distinct brands targeted each month. These sites crossed a range of industry verticals, topped by Software-as-a-Service and financial services[1]<\/sup>. Similar trends were also reported for Q4[2]<\/sup>.<\/p>\n\n\n\n

As long as phishing attacks generate revenue for criminals, the practice will perpetuate. It continues to evolve by using new \u201chooks,\u201d communication channels, and increasingly clever ways of creating convincing fake content. This highlights the need for brands to defend their customer base by using monitoring and takedown technology. Nearly 60% of organizations worldwide reported that they had experienced a successful phishing attack during 2020[3]<\/sup>.<\/p>\n\n\n\n

A recent phishing example\u2014and identification tips for consumers<\/strong><\/h3>\n\n\n\n

Figure 1 shows an example of a phishing communication sent by SMS. Text messaging remains a popular channel for distributing phishing content, with many brands (including numerous examples outside the most-attacked industries) reported as having been targeted in this way during 2021. The U.K.\u2019s Royal Mail, for example, saw an overall 645% increase in phishing activity for March 2021, compared with the previous month[4]<\/sup>,[5]<\/sup>.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 1:<\/span><\/strong> Example of an SMS-based phishing attack targeting HSBC customers, received on April 25, 2021<\/p>\n\n\n\n

The example shown in Figure 1, targeting HSBC customers, incorporates several elements making it a relatively convincing example of a phishing scam. The link features a cursory similarity to an official link for HSBC U.K. (whose official domain name is hsbc.co.uk). The link also incorporates the HTTPS prefix, and the communication lacks much of the poor spelling and grammar often present in phishing scams.<\/p>\n\n\n\n

There are, however, many tell-tale elements consumers should look out for. The key point is that the URL is not actually hosted on an official HSBC site. The place to look is in the domain name part of the URL, consisting of a top-level domain (TLD)\u2014or extension\u2014such as .com or .co.uk, and (separated by a dot) the second-level domain name which immediately precedes it. In a URL, this occurs immediately before the first slash (\/) after the initial protocol definition (in this case, https:\/\/), or in cases where there is no slash, at the very end of the URL.<\/p>\n\n\n\n

\n\n\n\n
\"\"<\/figure>\n\n\n\n

In the HSBC scam here, the domain name is actually \u201cuk-account.help,\u201d a domain name wholly independent of anything owned by HSBC and under the control of a third-party fraudster. The owner of this domain can create whatever subdomain string (the part before the domain name) they wish, and so has constructed the fake site at \u201chsbc.co.uk-account.help,\u201d which superficially appears very similar to \u201chsbc.co.uk\/account\/help,\u201d a URL which would be part of the official hsbc.co.uk site.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In other cases, scammers may register domains that use the actual brand name of the targeted organization but weren\u2019t included in the brand owner\u2019s domain portfolio (e.g., using a version with additional keywords or a different domain extension). The phony domain could feature a brand variant or misspelling as a way of creating a convincing URL. <\/p>\n\n\n\n

Phishing communications that use \u201cricher\u201d formatting (e.g., HTML emails) can construct a message where the visible link may be a URL from the brand owner\u2019s official site, but the destination URL accessed by clicking the link is a distinct and fraudulent address. In these cases, users should hover over the link with a mouse, which usually shows the actual destination URL.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 2:<\/span><\/strong> Example of HTML email showing the actual destination URL (highlighted in red) revealed by \u2018mouse-overing\u2019 the link<\/p>\n\n\n\n

In addition to the non-legitimate domain name, other factors in the HSBC SMS scam\u2014such as the message originating from a standalone mobile number and the communication text including all of the textbook elements of a phishing scam (e.g. a legitimate service provider would almost never send an unpersonalized communication to a customer)\u2014should also raise red flags.<\/p>\n\n\n\n

This particular scam also incorporates a couple of additional interesting elements. First, the fraudulent domain is hosted on the .help extension, one of the newer gTLDs launched in 2014[6]<\/sup>. This may be less immediately recognizable as an extension\u2014and therefore part of the domain name itself\u2014to users more familiar with the traditional extensions such as .com and .co.uk.<\/p>\n\n\n\n

\n\n\n\n

Second, the embedded link uses the secure HTTPS protocol, frequently tipped as a point to check when verifying a link\u2019s authenticity. Although it generally indicates that the web traffic is encrypted during transit, it doesn\u2019t guarantee that the destination site is genuine. There are many budget providers of digital certificates (which enable a site to use the HTTPS protocol), that will sell them without any checks on the legitimacy of the site in question. In fact in Q2 2020, 78% of phishing sites were found to be employing digital certificates, up from 5% at the end of 20161<\/sup>.<\/p>\n\n\n\n

The final notable element of this scam is that the domain in question (uk-account.help), despite only being registered on April 25 (see Figure 3), had actually been deregistered by the following day (and accordingly no longer resolved to any live site). Although the brand owner (or an associated brand-protection service provider) may have quickly taken the site down, the use of a domain and related phishing site that is so short-lived is typical of fraudsters hoping to generate quick revenue before the brand owner can discover the scam.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 3:<\/span><\/strong> Extract of the WHOIS (ownership) record for the fraudulent domain, showing that it was registered on April 25 (the same day on which the SMS was received), and using a privacy-protection service provider<\/p>\n\n\n\n

Actions for brand owners: Detection and enforcement\u2014and how CSC can help<\/strong><\/h3>\n\n\n\n

CSC works with a number of brands to guard against this type of scam using advanced detection capabilities to provide early warning of active campaigns, and a range of enforcement options to ensure rapid takedown. This provides protection for customers and mitigates reputational damage and financial losses for the brand owner.<\/p>\n\n\n\n

Fraudulent content can be identified in a number of ways. With a \u201cclassic\u201d brand detection service, fake sites are found through internet metasearching or domain-name monitoring using zone-file analysis. For those organizations where phishing is a particular issue, a dedicated anti-fraud service can make use of a range of additional phishing detection techniques to maximise the likelihood of early detection. This may involve the use of:<\/p>\n\n\n\n