A simple way to defend online accounts against phishing attacks
A phishing attack typically takes one of three forms.
Case 1. An attacker is trying to convince a user (via e-mail, SMS, or phone call) to visit a fraudulent website, which looks like the legitimate website. If the user follows the directions of the attacker, she/he arrives at the fraudulent website.
Case 2. An attacker sets up fraudulent websites with URLs similar to the legitimate site’s URL. When a user makes a typing error in the URL, she/he arrives at one of the fraudulent websites.
Case 3. An attacker implants specific malware on a user’s computer, smartphone or tablet. When the user tries to reach the login page of the legitimate website, the malware redirects the web browser to the fraudulent website and then replaces the fraudulent URL in the address bar with the URL of the legitimate website. In this case the user is visiting the fraudulent website but believes that she/he is visiting the legitimate one.
When the user enters a login name and password on the fraudulent website, this information is transferred to the attacker, who can use it to her/his own benefit.
Current security guidance requires that users do not follow directions provided in e-mails, SMS, phone calls, etc. from persons unknown to them. Such guidance may prevent a phishing attack in case 1, but is useless in the other two cases.
The simplest way to prevent a phishing attack in all three cases is to display, on the login page, information that is known only to the user and unknown to attackers. The user can then tell whether the site she/he is visiting is the legitimate one or a fake. The picture below shows a login page on which the previous dynamic password and the date/time of the last login are displayed.
By looking at this page the user can easily determine whether this is the fraudulent website or the legitimate one.
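The server-side logic behind such a login page, as an added example that is not part of the original post: the account keeps the dynamic (one-time) password used at the last successful login and that login's timestamp, and the login page shows them only to a browser that presents the device cookie issued at that login, so a site that knows nothing but the username gets nothing to imitate. The class and method names, the PBKDF2 parameters, the 8-hex-digit dynamic password and the out-of-band delivery of the next dynamic password are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Account:
    password_hash: bytes                    # PBKDF2 of the static password
    salt: bytes
    current_dynamic: str                    # one-time code expected at the next login
    previous_dynamic: Optional[str] = None  # code used at the last successful login
    last_login: Optional[str] = None        # ISO-8601 time of that login
    device_token: Optional[str] = None      # random cookie set on the browser at that login


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class LoginService:
    def __init__(self) -> None:
        self.accounts: dict = {}

    def register(self, user: str, password: str) -> str:
        """Create the account; the first dynamic password is assumed to be delivered out of band."""
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(_hash(password, salt), salt, secrets.token_hex(4))
        return self.accounts[user].current_dynamic

    def login_page(self, user: str, device_cookie: Optional[str]) -> Optional[dict]:
        """Recognition data rendered above the password field, released only to the
        browser that carries the cookie bound at the last successful login."""
        acct = self.accounts.get(user)
        if acct is None or acct.device_token is None or device_cookie is None:
            return None
        if not hmac.compare_digest(acct.device_token.encode(), device_cookie.encode()):
            return None
        return {"previous_dynamic_password": acct.previous_dynamic, "last_login": acct.last_login}

    def login(self, user: str, password: str, dynamic: str, now: Optional[str] = None) -> Optional[dict]:
        """Verify static and dynamic password; on success rotate the dynamic password,
        record the login time and bind a fresh device cookie to the browser."""
        acct = self.accounts.get(user)
        if acct is None:
            return None
        ok_static = hmac.compare_digest(_hash(password, acct.salt), acct.password_hash)
        ok_dynamic = hmac.compare_digest(acct.current_dynamic.encode(), dynamic.encode())
        if not (ok_static and ok_dynamic):
            return None
        acct.previous_dynamic, acct.current_dynamic = dynamic, secrets.token_hex(4)
        acct.last_login = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
        acct.device_token = secrets.token_urlsafe(32)
        return {"next_dynamic_password": acct.current_dynamic, "device_cookie": acct.device_token}
```

A used dynamic password is never accepted again, so the value shown on the page is useless for logging in even if someone sees the screen.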
In the next post we consider a simple way to defend yourself against multiple viruses (including Covid-19).