University of Wisconsin–Madison

3 ways to fillet your phish

Phishing campaigns have grown steadily in sophistication. Phishers employ a variety of techniques with different objectives. Some may be employing modern, legitimate-seeming pretenses to entrap you in a variation of a 419 scam, aiming ultimately to persuade you to send them money via wire transfer. Others simply want you to click a link that will download malware to your computer.

While some phishing emails can still be recognized by poor English grammar, spelling, and punctuation, many cannot; phishers have adapted and many now send very legitimate-seeming emails, some even tailored to the recipient’s area of work or expertise.

Even hovering over links to confirm the destination URL may not be effective against every phishing email. Malicious URLs within phishing emails have become harder to spot: they may contain “https” or even what appear to be trusted domain names.

In the face of such sophisticated phishing campaigns, how can you protect yourself?

Inspect URLs closely

Don’t be fooled into clicking legitimate-seeming phishing links by those who use techniques such as typo-squatting or foreign characters.

Typo-squatting is the practice of registering domain names similar to legitimate ones, and using them to host websites with fake logins, malicious downloads, or other threats. Some phishers employ this technique in conjunction with phishing emails to trick users into visiting legitimate-seeming sites. For example, unless you look closely, you may not immediately recognize the typo “netfliix” in the context of a URL.

Foreign characters allow phishers to use “IDN homographs”, i.e., foreign-language characters that look like English ones, to create legitimate-looking URLs that aren’t what they seem.

To inspect URLs, hover over the link without clicking it – most email clients will display a popup showing the destination URL. If in doubt about an email, close the message and contact the purported sender via a new email message, by phone, or by visiting their website via a familiar, known URL and making use of the customer service tools there, whether a contact form or live chat.

You may also be able to identify a phishing email by checking its mail headers, though again, with sophisticated techniques masking malicious phishing domains, you can still be tricked.
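The typo-squatting and IDN homograph checks described in this section can also be automated. The following Python sketch is an added example, not part of the original article: the `TRUSTED` allowlist, the function names, and the sample links are constructed for illustration, and treating the last two host labels as the registrable domain is a simplifying assumption.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist (assumption): domains the reader really uses.
TRUSTED = {"netflix.com", "wisc.edu"}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def decode_label(label):
    """Turn a punycode ("xn--") label back into the characters a browser may show."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # undecodable: keep the raw label
    return label

def label_scripts(label):
    """Approximate the scripts in a label by the first word of each letter's Unicode name."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def inspect_url(url, trusted=TRUSTED):
    """Return (displayed_domain, flags) for the domain a link really points to."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = [decode_label(part) for part in host.split(".")]
    # Simplification (assumption): registrable domain = last two labels.
    domain = ".".join(labels[-2:])
    flags = []
    if domain in trusted:
        return domain, flags
    if not domain.isascii():
        flags.append("idn")  # non-English characters in the domain
        if any(len(label_scripts(part)) > 1 for part in labels[-2:]):
            flags.append("mixed-script")  # e.g. Latin and Cyrillic in one label
    for good in sorted(trusted):
        if 0 < edit_distance(domain, good) <= 2:
            flags.append("lookalike:" + good)  # near miss of a trusted name
    return domain, flags

if __name__ == "__main__":
    for link in ["https://www.netflix.com/login", "https://www.netfliix.com/login",
                 "https://n\u0435tflix.com/login"]:  # constructed sample links
        print(link.encode("unicode_escape").decode(), inspect_url(link))
```

A link with no flags is not proven safe; the check only catches near misses of names on the allowlist.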

Don’t assume that all HTTPS URLs are safe

You can no longer trust a link simply because it contains “https” in the URL: all that means is that traffic to the site is encrypted with SSL. Once, SSL certificates were costly enough that phishers wouldn’t bother spending the money to buy them when there were less costly ways to fool people. However, certificates can be had for free today; while generally a good thing for the web and its users, the downside is that scammers can use these certificates and the resulting HTTPS URLs to lull users into a false sense of security.

Report suspected phishing emails

To report general phishing emails, go to www.antiphishing.org. To report phishing emails that appear to be from within the UW–Madison campus, go to Report an Incident or forward the email to abuse@wisc.edu. You can also submit offending email using the report spam feature within the Outlook web or desktop email client.

Updated on 2/4/2019