Think the objective in the title is easier said than done? Actually, not really. There are some best practices that can help ensure your safety online and this article will mention some of these in detail.
By the end of this article you will know how to inspect URLs for safety when entering your private data, how to recognize and avoid falling victim phishing attempts, and learn the importance of keeping your web browsers and operating systems up-to-date.
To kick us off, let’s first discuss how to inspect URLs.
Inspecting URLs
Before we talk about how to inspect a URL, let’s briefly discuss what a URL is in the first place.
URL is an acronym for Uniform Resource Locator and is defined as a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. In other words, it’s a web address.
Web addresses are used when navigating through the World Wide Web much like physical addresses are used when navigating through the traffic system.
Enough about that, why is it important to inspect these addresses?
One, you want to make sure you’re at the right place and not at an impostor’s place trying to fool you to steal your information (this will be really important for the phishing section of this article).
Two, you want to make sure that if you are in the right place, that this place can protect your private data from being transmitted “in the clear” (that is, where it’s openly visible to anyone who may be snooping for unencrypted web traffic).
And three, you also want to ensure that you can trust the means in which your data is being protected or claiming to be protected namely, by a legitimate website certificate.
Let’s now expound a bit more on the first reason why it’s important to inspect URLs.
Making Sure You’re in the Right Place
To illustrate, let’s say a close relative just moved and they text you their new address. If there’s a typo in the street address, you’ll likely end up at the wrong place..
In the same way if we click a URL that takes us somewhere else other than where we’re intending to go, we’ll end up in the wrong place. That could be VERY dangerous online. Let’s see why.
Imagine that a link we just clicked takes us to the URL www.yo.urbank.com and we were intending to go to the URL www.yourbank.com. We may find that the web page we land on closely resembles the one we’re used to seeing when logging in to do banking.
Now, we enter our www.yourbank.com information into the web page login portal, but we can’t get where we expected to go although we know our password is right. Now what?
Well, now the impostor web page owner has our bank info!!
Let’s see how we could have avoided such an outcome by learning how to find the domain name of a URL.
Finding Domain Names
The domain name is usually the last string of characters that appears before the final “dot”, whether it’s .com, .org, .edu, .biz, etc.
So what was the domain name of the impostor web page that stole our information? If you guessed urbank.com, then you’re CORRECT.
The reason being is that “urbank” is the last STRING of characters before the “.com”. A string of URL characters STOPS at every “dot”.
So now that we know how to properly identify the correct domain of the web page we’re intending to go to, let’s go back and try again.
Now were at the right place, we’ve reset our password to secure our account and we’re ready to put in our login information.
We login, but after a few minutes we’re kicked out of our session because somebody else logged in from a different place…. What??? How??
Well, it seems www.yourbank.com has let us down… They’ve failed to SECURE their web page!!! How could we have known that??
Finding Out if a Web Page is Secure.
In addition to knowing whether we’re on the right domain, we also must ensure that the web page where we’re entering private information (such as our DOB, Social Security Number, passwords, credit card information, or other sensitive data) is secure.
We do this by checking the URL as we did before, but this time we’re looking at the very first string of characters that appears in the address bar, usually located at the top of the web browser.
The difference between a secure web page versus one that’s not is that the one that’s NOT secure will start will http://, and the one that is secure will start with https:// (remember, just look for the “s”).
Also, on some browsers instead of displaying this string of characters at the beginning, it will just simply tell you “Not Secure” or display a lock symbol before where the web address begins in the address bar.
Alright, now that we’ve changed our www.yourbank.com password a couple times, let’s try to login again.
Okay, we’re on the right domain, their web page is now secure as the address bar displays https://www.yourbank.com, but there’s another problem...The web browser is saying that their certificate is not “trusted”.
What should we do??
One, always lookout for browser security alerts. They are usually presented in your browser screen, and there may be a message like, this site’s security certificate is not trusted, or may have another message about the security of a given website.
One of the things you can do is to look at the certificate that’s on that website. Remember, the web address should have a lock icon that has https:// next to it.
On most desktop and laptop browsers, you can click that lock and look at the certificate for the web server and examine information about what it says the server name is, what the dates are for the certificate, as well as other details.
For mobile browsers, you may have to consult your browser manufacturer's help guide for how to do this.
If the date shows that it’s expired or it shows a different domain name than what you visited in your browser, then you’ll probably get a message about the certificate not being trusted. The browser in most cases, won’t trust the certificate.
It may say that the certificate itself is invalid, or it may show that the signature on the certificate is invalid. It may be the certificate was signed by a certificate authority that is not trusted by your browser, so you should contact the owner of the website to get more information on the certificate.
Now that we know what to do to inspect URLs for our safety, let’s move on to talk about protecting ourselves from more direct attempts to trick us into giving up our login information also known as phishing.
Recognizing & Resisting Phishing Attempts
Phishing is defined as the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
There are different types of phishing attacks (broad net, spear, whaling, etc.)
The one we’re going to focus on in this article is the most common type of phishing attempt, broad net phishing.
This is where the attacker is trying to get ANYONE to respond to an e-mail or request.
For example, you may receive a notification from a friend on social media asking to check out a photo or video, when you click on the link to the photo or video you’re asked to sign into your social media account.
The page you’re signing into isn’t a legitimate website, but is a fake. Once you sign in, the attacker has your login information. Once they login to your account, they send the same message to all your friends and since your friends trust you, they get phished too.
Did you notice how it all started though? Likely, our "friend" who sent the message to us originally was phished in the same way and that starts a whole chain of subsequent events.
BUT since we learned earlier in this article how to identify a fake domain from a real one, we’re not fooled by that attempt.
In addition to checking for fake domain URLs what else can help us spot a phishing attempt?
There are usually plenty of red flags in a phishing e-mail or message. For instance, there may be misspelled words in the body of the e-mail, poorly formatted content, and an extremely high urgency to comply (phishers want you to act, not think).
But even the most well put together phishing attempt will fail the domain inspection we expounded on earlier.
For a real life example of a phishing e-mail, see our blog post How to Verify E-mails as Legitimate or Fraudulent.
Now that we know what to look for when it comes to illegitimate URLs and phishing attempts, let’s talk about taking a more proactive approach to protecting ourselves online by means of security updates.
Keeping your computers and devices up-to-date
Updates are frequently done automatically whether it’s a browser, operating system, or security patch update.
However, this is not always the case. This is especially true in more controlled environments such as devices belonging to workplaces, schools, and other organizations. These are usually handled by the IT department in these fields.
Updates at the end of the day are optional. It’s up to the user whether or not to update the software of their computers or device.
Operating System & Patch Updates
Some reasons why users may be reluctant to upgrade to the latest OS release or patch can be completely legitimate. Such reasons may involve use of particular software that’s central to the user’s everyday operation that would become incompatible in the event of an update.
In such a case it may be wise not to go online using a system that is completely out-of-date, unless it’s somehow still supported by OS manufacturer.
In most cases though, user’s wont have to worry about clinging to an older OS version and upgrading can have security benefits that help prevent Cyber attacks.
Refer to your operating system manufacturer’s help guide for how to perform these updates. The updates themselves at the time of their release usually come with a description outlining all the specifics of features as well as security vulnerability patch information.
Browser Updates
Browser manufacturers push updates for their browsers as well. Third party web browsers usually auto-update, while operating system specific browsers often get updated with the rest of the operating system.
These updates are critical for the security of your system as some malware specifically target the browser itself in order to give you a maliciously altered browsing experience, this is known as browser hijacking.
This isn’t the only type of browser security concern. Browser manufacturers constantly look for ways to ensure your online privacy and these updates help with that as well.
In Conclusion
Hopefully the methods touched on in this article has helped in some way contribute to a safer online user experience.
If you’ve learned at least one new thing about being safe online, please feel free to share with someone who you know can benefit from the advice mentioned here.
As always, feel free to post to your favorite social media platform.
Thanks for reading our blog post!