How do you spot a phishing site on today's Internet?

Phishing has been around for a very long time on the Internet; it refers to certain techniques that criminals use to steal passwords, credit card information, Social Security Numbers, and other valuable information.

One common technique lures unsuspecting users to a domain that looks like the destination they want to visit; Facebook's login page, a bank's website, PayPal, eBay, Amazon, or any other eCommerce site or high profile target.

The links are distributed via email campaigns, on websites, or in chat rooms.

Users were asked to look for a green padlock icon in the browser to make sure the connection to the site was secure and to verify the address of the site as well.

The padlock icon is no longer a good indicator; in fact, it never was one to begin with on its own as it merely indicated that the connection to the site was secure. Identification only worked in combination with a site's URL.

More than half of the phishing sites on today's Internet use SSL according to a new report. The rise of HTTPS, in no small part thanks to Google's pushing in Chrome and the introduction of Let's Encrypt, a service to generate free SSL certificates, forced the hand of website owners and criminals alike. Chrome flagging all HTTP sites as "not secure" played a part in that.

How do you identify phishing sites on today's Internet then?

1. The website address (URL)

The number one option to identify a phishing site is to verify its URL; this works only if you know about the address in first place.

If you don't know the URL, then you will have to research it. One option that you have is to run a search for the site name and use a trustworthy resource to make sure it is the right address for the site or service.

Some search engines, e.g. Microsoft's Bing, highlight the official site of popular companies and services when you search for them.

Tip: Firefox users should make a change to the configuration of the browser to make sure that internationalized domain names are always shown as their punycode alternative as you may not be able to distinguish domain names otherwise.

Once you have verified the address, verify that the connection is secure by checking the padlock icon and/or the protocol (it should read https://).

2. How you go there

The majority of phishing attacks start with a link most often, e.g. in an email or a chat message. One of the easiest options to avoid most phishing attacks is to never click on links in emails or chat interfaces.

While website links may point to phishing sites as well, links in emails or messages are probably more common than those.

Here is what you can do: instead of clicking on a link in an email that claims to be from PayPal, you could visit the site manually instead if you think it could be urgent.

Phishing links may also come in form of online advertisement and it is harder to detect. Content blockers help in this case.

3. Research

Browsers may display additional information about sites you connect to. A click on the icon in front of the address displays a screen with information usually.

Google Chrome displays whether the connection is secure and the certificate is valid. A click on certificate opens information about the certificate including the entity it was issued to and the certification authority that issued it.

4. Indicators that are not accurate enough

Many articles and tutorials that offer advice on phishing sites suggest to check the content and visuals of a site. Their reasoning is that phishing sites often contain spelling or grammar errors, or may use a different layout or design when compared to the original.

While that may very well be the case, phishing sites often copy content from the original site. Emails that include phishing links may be easier to spot but even there it is not a 100% way to determine whether a site is a phishing site or not.

The same is true for trust signals on a site, e.g. trust icons, a "star-rating", or third-party reviews on other sites. All of these signals can be faked quite easily.

Now You: How do you make sure that a site is legitimate?