Let’s talk about phishing. Phishing is just like fishing, only your identity is the fish and the bait is an email that looks like it came from your bank, or eBay, or Paypal, or any other legitimate place. The goal is to get you to follow a link to a site owned by the phisher, and trick you into divulging some private information, such as your bank account number, pin, passwords, or social security number.

Some phishing emails look completely legitimate, using logos, links, and text from the real business. Many try to warn you about fraud being committed with your account—the truth is, the senders of the email are the ones trying to commit fraud with your account, if they can trick you into divulging it. These types of emails are almost always fake. When you follow the link in such an email, you’ll usually get taken to a web site that looks exactly like the real web site. But it’s not.

How do you tell the difference between a real and a fake web site?

Stop! Wait! Before clicking any links, go update your web browser. In the past few months, many of the vulnerabilities in both Internet Explorer and Mozilla Firefox have been related to making it harder to tell what web site you’re really visiting.

Figure 1. When Firefox has an update available, it shows a red arrow icon in the upper right corner

A malicious web site could use some carefully crafted web addresses that could lead you to believe you’re really at a legitimate site. What’s worse is that there have been some vulnerabilities in Internet Explorer that could allow these malicious sites to surreptitiously download programs to your computer. This is one of the prime ways you get infected with “spyware”.

For Internet Explorer, go to Windows Update by following the link on your start menu. For Mozilla Firefox, look for a little red triangle in the upper right corner of your window, as highlighted in Figure 1.

Okay, now that your browser is up-to-date, you’re a bit more protected online. There are two basic things to pay attention to, when you’re deciding whether to trust a web site:

1. The web address, or URL. URL stands for Uniform Resource Locater, but it basically just means the web address of the page you’re viewing.
2. The security certificate. Also called the SSL or TLS certificate. We’ll get into this shortly.

By applying what you know about web addresses and security certificates, you’re better armed to detect a fraudulent site. So what do you need to look for?

Anatomy of a web address

One of the biggest tricks of the phishermen is to add more symbols after a normal looking domain name, which makes your browser go to a completely different place than you’re expecting

Bear with me. We’re about to get slightly technical here—but this is basic information you need to know to web surf safely. By now you’ve probably seen thousands of web addresses. There are some very strict rules for web addresses—how they are put together, what each part does, etc. For this discussion, we need to look at two of these parts: the protocol, and the domain name.

The protocol

The protocol is the very first part of the web address. It’s the http:// or https:// part. You generally don’t need to type it in when you go to a web site, because most browsers will add it for you. These are two different protocols used for web pages and several other types of data. A protocol, in this context, is a description of how to introduce yourself properly, the browser equivalent of knowing what words to say to introduce yourself, and ask for a book from a librarian or a fried banana from a Thai street vendor. In the web world, the dominant protocol is Hyper-Text Transfer Protocol, or HTTP. The Hyper-Text is your web page, the transfer protocol tells your browser how to get it. HTTPS is Hyper-Text Transfer Protocol over SSL.

SSL stands for Secure Sockets Layer, and lately it’s been renamed to Transport Layer Security, or TLS. SSL/TLS is an entire framework that provides two things: encryption and authentication. Encryption hides your data between the web site and your browser, preventing anyone from intercepting it along the way. Authentication lets you verify that the server you’re visiting is really the server it says it is, and not some other server taking its place. I’ll get more into this in a moment.

So the first thing to check in the web address is, are you visiting a page that is protected by SSL/TLS? And you can tell this by looking at the protocol in the address bar of your browser—is it https, or http?

The domain name

The other part of the web address to look at is the domain name. The domain name is everything after the https:// part up to the next forward slash (“/”). And that means everything. One of the biggest tricks of the phishermen is to add more symbols after a normal looking domain name, that makes your browser go to a completely different place than you’re expecting.

A domain name is broken up into domain “parts.” The further right you go in the domain name, the more significant the part is. For example, looking at the domain name www.freelock.com, the most significant part is .com. It’s significant for technical reasons, not just for the phrase “dot-com bomb”.(should this be “dot-com boom”)

Ready for another acronym? .com is called the Top-Level Domain, or TLD, of this domain name. Each country has its own two-letter TLD, such as .us, .uk, .au, .tv, and then there are the three-letter TLDs we’re all familiar with: .com, .net, .org, .edu, .gov, .biz and a few other less common ones. These top-level domains are controlled by a designated registry, and copied into what are called the Root Domain Name Servers. There are 14 of them, scattered around the world.

Moving to the left in the domain name, the actual domain we’re looking at is freelock.com. When your browser asks for www.freelock.com, it first goes to the Root Domain Name Servers to ask for where to find the directory for the domain freelock.com. The Root Domain Name Servers tell your browser to go to the IP address 69.55.225.251, which happens to be my Domain Name Server. Your browser then asks my name server where to find www, which could be an actual computer, or it could be another domain part.

But even if the address looks completely legitimate, you still have to be aware—there have been flaws in pretty much all mail readers that make it possible to hide the real destination of a link