Phishing Attacks: Does a ‘Wrong Password’ Trick Work?

TL;DR

No. Deliberately entering an incorrect password on a suspected phishing site does not reliably protect you and can make things worse. A rejected decoy proves nothing about the site, the decoy and the real password you type next are both captured, and the page can still attack your device. The trick mainly gives a false sense of security.

Why the ‘Wrong Password’ Trick Doesn’t Work

  1. Phishing sites don’t check passwords: The login form is a collector, not a login. Whatever you type is stored, and many kits then move you to a “verification” page asking for security-question answers, your address or your date of birth. The password field is only the bait.
  2. The error is scripted, or the real site answers for them: A basic kit returns “wrong password” unconditionally, so the message tells you nothing about whether anything was checked. A more capable kit proxies each submission to the genuine login page in real time and relays its true answer (adversary-in-the-middle phishing), so your decoy really is rejected and your real password really logs you in, while both are recorded on the way through.
  3. Everything you submit is captured: When a site rejects your decoy, the natural next step is to type the real password, and the attacker now holds your username together with both attempts. The working pair is then tried against other services (“credential stuffing”), so a password reused elsewhere exposes those accounts as well.
  4. Malware Risks: The page itself can attack the browser or push a download (an “update” or “plugin” you are told to install to continue) before any form is submitted.
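
The two kit behaviours above, as an added example that is not part of the original post: a toy model (constructed for this page, not real phishing-kit code) of a static kit that stores every submission and always answers “wrong password”, and a proxying kit that forwards each attempt to a stand-in for the real site and relays its genuine verdict. Against both, a victim applying the trick hands over the decoy and the real password.

```python
# Added example, not code from the original page. The kit behaviour is
# assumed from how credential-harvesting pages commonly work; the
# account data and the "real site" are constructed stand-ins.


class RealSite:
    """Stand-in for the legitimate login service (constructed)."""

    def __init__(self, accounts):
        self.accounts = accounts  # username -> password

    def login(self, username, password):
        return self.accounts.get(username) == password


class StaticPhishingPage:
    """Basic kit: stores every submission, checks nothing, and returns the
    same error no matter what was typed."""

    def __init__(self):
        self.captured = []

    def submit(self, username, password):
        self.captured.append((username, password))
        return "Incorrect password. Please try again."


class ProxyingPhishingPage:
    """Adversary-in-the-middle kit: stores the submission, forwards it to the
    real site and relays the genuine answer. A decoy really is rejected and
    the real password really logs the victim in, which is exactly what the
    'wrong password' trick expects a genuine site to do."""

    def __init__(self, real_site):
        self.real = real_site
        self.captured = []

    def submit(self, username, password):
        self.captured.append((username, password))
        if self.real.login(username, password):
            return "Welcome back!"
        return "Incorrect password. Please try again."


def run_wrong_password_trick(page, username, decoy, real_password):
    """Victim applies the trick: decoy first; if it is rejected, conclude the
    site is genuine and enter the real password. Returns every password the
    attacker captured for this user, in order."""
    if "Incorrect" in page.submit(username, decoy):
        page.submit(username, real_password)
    return [pw for user, pw in page.captured if user == username]


if __name__ == "__main__":
    site = RealSite({"alice": "correct horse battery staple"})
    for page in (StaticPhishingPage(), ProxyingPhishingPage(site)):
        got = run_wrong_password_trick(page, "alice", "decoy123",
                                       "correct horse battery staple")
        print(type(page).__name__, "captured:", got)
```

Run it and both pages end up with the same two-entry list; the difference is only that on the proxying page the victim is genuinely logged in afterwards and notices nothing.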

What to Do Instead

  1. Examine the URL Carefully: Before entering anything, read the address bar. The part that matters is the registrable domain, the name just before the top-level domain: “accounts.example-bank.com.login-verify.example” belongs to login-verify.example, not to your bank. Look for swapped or missing letters, extra words, raw IP addresses, and a legitimate-looking name placed before an “@” (everything before the “@” is ignored by the browser). Hover over links (long-press on mobile) to see where they really lead before clicking.
  2. Check for HTTPS, but Don’t Trust the Padlock: A missing padlock is a red flag, but its presence is not reassurance. HTTPS only means the connection is encrypted to whoever controls that domain, and attackers obtain free, valid certificates for their own domains in minutes. Most certificates name only the domain, not the organisation, so clicking the padlock usually confirms nothing beyond the hostname you should already have checked in step 1.
  3. Don’t Follow Links in Unexpected Emails or Texts: Go to the official website yourself, by bookmark or by typing the address, rather than clicking links in a message you were not expecting, however urgent it sounds.
  4. Enable Multi-Factor Authentication (MFA): MFA keeps a stolen password from being enough on its own. Prefer phishing-resistant methods (passkeys or FIDO2 security keys), which are bound to the genuine site’s origin and cannot be relayed through a lookalike domain. Codes from an authenticator app are far better than nothing, but a proxying phishing page can relay a code to the real site within its validity window.
  5. Report Phishing Attempts: Report phishing emails to the relevant authorities (e.g., Action Fraud in the UK) and to the organisation being impersonated, and use your mail client’s report-phishing option where one exists.
  6. Use a Password Manager: A password manager creates strong, unique passwords for each site, so a captured password cannot be reused elsewhere. It also fills credentials only on the domain they were saved for: if it declines to fill on a page that looks like your bank’s login, treat that as a warning, not an inconvenience.
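
The URL checks in step 1 and the domain-bound autofill in step 6 both come down to comparing the address you are on with the one you actually hold an account at. The following is an added example, not code from the original post: it flags the common URL tricks (wrong scheme, “@” userinfo, punycode labels, raw IP hosts, a brand name sitting in a subdomain of someone else’s registrable domain) and models a password manager’s fill decision as an exact origin match. The known origin, the brand keyword and all test URLs are constructed for the example, and the registrable-domain helper is a deliberate approximation (real tooling uses the Public Suffix List).

```python
# Added example, not code from the original page. KNOWN_ORIGINS stands in
# for a password manager's stored credential origins and BRAND_KEYWORDS for
# the names a phisher would imitate; both are constructed assumptions.
from urllib.parse import urlsplit

KNOWN_ORIGINS = {"https://accounts.example-bank.com"}
BRAND_KEYWORDS = {"example-bank"}


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels. This is
    wrong for suffixes like co.uk; production code consults the Public
    Suffix List. It is enough to expose the subdomain trick."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def origin_of(url):
    """scheme://host[:port] with default ports dropped. This is the value a
    password manager compares against the origin a credential was saved on."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    default = {"https": 443, "http": 80}.get(p.scheme)
    if p.port and p.port != default:
        return f"{p.scheme}://{host}:{p.port}"
    return f"{p.scheme}://{host}"


def inspect_url(url):
    """Return a list of warnings for the tricks phishing URLs commonly use.
    An empty list means nothing was spotted, not that the URL is safe."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    labels = host.split(".")
    known_domains = {registrable_domain(urlsplit(o).hostname) for o in KNOWN_ORIGINS}
    warnings = []
    if p.scheme != "https":
        warnings.append("not https")
    if p.username is not None:
        # Browsers ignore everything before '@'; the real host is what follows.
        warnings.append(f"userinfo before '@' hides the real host ({host})")
    if any(label.startswith("xn--") for label in labels):
        warnings.append(f"punycode label in host, possible homoglyph ({host})")
    if host.replace(".", "").isdigit():
        warnings.append(f"raw IP address instead of a name ({host})")
    if any(b in host for b in BRAND_KEYWORDS) and registrable_domain(host) not in known_domains:
        warnings.append(f"brand name in host but registrable domain is {registrable_domain(host)}")
    return warnings


def password_manager_would_fill(url):
    """A manager fills only when the page origin equals a stored credential's
    origin, so it stays silent on a lookalike domain however convincing the page."""
    return origin_of(url) in KNOWN_ORIGINS


if __name__ == "__main__":
    # Constructed sample URLs, one genuine and several lookalikes.
    samples = [
        "https://accounts.example-bank.com/login",
        "https://accounts.example-bank.com.login-verify.example/login",
        "https://accounts.example-bank.com@evil.example/login",
        "https://xn--exmple-bank-cwb.com/login",
        "http://203.0.113.5/login",
    ]
    for url in samples:
        print(url, "fill:", password_manager_would_fill(url), inspect_url(url))
```

Note that `inspect_url` is a heuristic and will miss a well-chosen unrelated domain; the origin comparison in `password_manager_would_fill` is the stronger check because it does not try to guess, it simply refuses anything that is not the saved site.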

Checking Website Security (Advanced)

Online reputation and URL-scanning tools let you look up a suspicious address before you visit it, and will often show whether a domain is newly registered or already reported.

Important Note: These tools aren’t foolproof. A freshly registered phishing domain may not be flagged yet, so a clean result is additional information, not a verdict.
