
Microsoft users need to be on high alert as their accounts are being targeted by hackers using typosquatting to purchase look-alike sites and email addresses to trick them into handing over their passwords.
Harley Sugarman, CEO at Anagram Security, recently shared a screenshot of an email he’d received that used this technique. In the email address, the ‘m’ had been replaced with an ‘r’ followed by an ‘n’. The effect is subtle and difficult to catch, meaning users may fall for these phishing emails.
Typosquatting isn’t actually a new trick – it’s been used for quite some time by online thieves, hackers and threat actors who want to trick quick typists who might accidentally misspell a website URL or email address. Basically, the scam is to purchase and register an email address or website domain that is remarkably similar to a legitimate one in the hopes that someone will stumble upon it accidentally (or click on it by mistake), and then enter their credentials thinking they’re on the actual website.
Many people don't take the necessary time to closely examine the URLs of the websites or email addresses that they go to or that pop up in their inbox. If they type in the wrong letters of a website by mistake, or click on the wrong link in an email, this will lead them to a site that perfectly mimics a legitimate site and asks for their username and password. If the victim enters their information, it gets funneled back to the cybercriminals behind these fake sites and email addresses.
How to stay safe from typosquatting

While it can be very easy to fall victim to typosquatting if you’re not extremely vigilant, there are several ways to protect yourself. For example, using a passkey is a much more secure option than a password. That's why Microsoft and other companies have been encouraging users to switch to that authentication method instead of using traditional passwords.
If you can't use a passkey, then make sure you're choosing a strong, unique password or passphrase, or using one of the best password managers to securely store and autofill your credentials.
There are other ways to stay safe from typosquatting as well. Both Microsoft Edge and Google Chrome can detect typos in URLs, so make sure either browser is set up to assist you with this. Likewise, you can bookmark frequently visited websites so you know you’re going to the correct place. This can be very useful for frequently visited services like your email, banking, shopping, or social sites.
Obviously those phishing rules that we repeat often come into play here: don’t trust any email you receive that says there’s an issue with your account. Always find an independent way to log in to verify a potential problem. Never click on or download anything that appears in an unexpected email, and don’t respond either, as doing so shows scammers that they’re interacting with an active phone number or email account.
At the same time, you also want to carefully read every email address to verify its legitimacy while looking for typos. You should also hover over links to see where they redirect to. Watch out for phishing lures, such as an email that tries to instill a sense of urgency or pressures you to do something like resetting a password or “fixing” a problem with an account. And, of course, make sure you're using the best antivirus software programs to protect you from any malware or viruses you may encounter online.
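As an added defensive example (not code from the article or from Anagram Security), the Python check below automates the address inspection described above: it folds the ‘rn’-for-‘m’ substitution and common digit-for-letter swaps onto the letters they imitate, catches one-key typos and transpositions, and compares the sender’s domain against a trusted list. The trusted domains and sample addresses are constructed for illustration.

```python
import re

# Trusted domains we expect mail from (constructed sample list).
TRUSTED_DOMAINS = {"microsoft.com", "tomsguide.com"}

# Letter pairs that render almost identically to one letter in many fonts;
# "rn" for "m" is the case from the article, "vv" for "w" is a similar trick.
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w"}
# Digits commonly swapped for the letter they resemble.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain: str) -> str:
    """Collapse confusable characters so a look-alike folds onto its target."""
    s = domain.lower().translate(CONFUSABLE_CHARS)
    for seq, letter in CONFUSABLE_SEQUENCES.items():
        s = s.replace(seq, letter)
    return s


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: counts an adjacent-letter swap
    ('micorsoft') as one edit, like an insertion, deletion or substitution."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def sender_domain(address: str) -> str:
    """Pull the domain out of 'Display Name <user@host>' or plain 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    return m.group(1).lower() if m else ""


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike:<imitated domain>' or 'unknown'."""
    dom = sender_domain(address)
    if dom in trusted:
        return "trusted"
    for t in trusted:
        if skeleton(dom) == skeleton(t) or edit_distance(dom, t) == 1:
            return f"lookalike:{t}"
    return "unknown"
```

A domain flagged as a look-alike is not proof of fraud, but it is exactly the case where you should log in through a bookmark rather than the email’s link.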
Typosquatting is one of the oldest tricks in the book but it will often reappear from time to time. As such, you always want to be careful when visiting unfamiliar websites or checking your inbox.
