While it isn’t new, a from Johannes B. Ullrich, Ph.D. , Dean of Research at , notes that cybercriminals are once again using “com” prefix domains to trick users into visiting malicious websites. For example: “paypal.com-login.something.com.” At a quick glance, especially on mobile devices, these can appear legitimate.
Why “com-” Prefix Domains Work
This method works so well today because it takes advantage of how URLs appear on mobile devices. Mobile browsers often shorten or cut off URLs, making it harder for users to notice they鈥檙e on a fake site.
While a full domain might look suspicious on a laptop, on a phone, users often just see the initial part, like 鈥減aypal.com.鈥 Scammers exploit this limitation to create a simple but effective scam.
Industry Challenges and Responses
Phishing attacks are a major security challenge, costing companies money and damaging user trust. IT professionals face two main issues:
- Human Error: Users are often the “weakest link,” making awareness and vigilance critical.聽
- Mobile Security Gaps: Mobile devices prioritize convenience over transparency, making it harder to spot phishing URLs.聽
Thankfully, there are practical ways to address these challenges.
1. Focus on User Education
Many users still fall for poorly crafted phishing scams, highlighting the need for effective training. Instead of general warnings, teach employees how to spot specific tricks like “com-” prefix phishing.
Key training tips:
- Always check the full URL, especially on mobile.聽
- Use the browser鈥檚 鈥渆xpand URL鈥 feature before entering sensitive information.聽
- Report any suspicious links, even if they seem harmless.聽
2. Address Mobile Browsing Risks
Mobile devices are especially vulnerable to phishing. Provide employees with regular, focused training on how attackers exploit shortened or hidden URLs on mobile browsers. Quick and recurring sessions can go a long way in increasing awareness.
3. Strengthen Security with Technology
While education is crucial, no user is perfect. A layered security approach can reduce risk and provide an extra safety net. Consider these tools:
- Advanced Email Filters: Automatically scan and block emails containing suspicious links.聽
- URL Scanning Tools: Platforms like Google Safe Browsing or VirusTotal can flag malicious domains.聽
- Endpoint Protection Systems (EPS): Detect and block phishing sites in real time.聽
4. Monitor Lookalike Domains
Protect your brand by staying alert to domain spoofing. Use domain monitoring tools to track the registration of lookalike domains. This lets you identify and address malicious domains before they can cause harm.
5. Stay Ahead of Evolving Threats
Phishing tactics are constantly changing. The rise of AI has made it easier and cheaper for attackers to create convincing scams. IT professionals must stay updated on the latest trends and adopt flexible security measures that can adapt to new threats.
How to Protect Against Phishing
Phishing attacks, like the rise of “com-” prefix domains, are a reminder of how quickly tactics evolve. By combining strong user training with robust technical defenses, IT leaders can build resilience. The threat may grow more complex, but a layered defense strategy is the key to staying ahead.
