Last month, a school district in Manor, Texas, was caught in a phishing email scam that cost $2.3 million. An individual at the Manor ISD school district paid money in three separate transactions by responding to a phishing email. The individual didn’t recognize the bank account information had changed and sent the money to a fake bank. According to Ian Baxter, Director of Engineering for IRONSCALES, in addition to a very sophisticated phishing email, perhaps that individual at MISD had inattentional blindness.

Phishing websites, also known as spoofed websites, are a very common deception tactic that attackers rely on to obtain a person’s login credentials to a legitimate website. The operation, known as credential theft, is simple: send unsuspecting recipients an email spoofing a trusted brand and persuade them to click on a link that then takes them to a login page, where they will be asked to enter their username and password. Then, attackers have the information they need to login to a real account and begin illegal activity, such as credit card fraud, data extraction, wire transfers and more.

While fraudulent URLs aren’t new, says Baxter, they are being used more often, and they are especially problematic for companies that rely on rules-based email security such as secure email gateways, multi AV scanners and sandboxing solutions, as such tools and solutions lack visual anomaly detection capabilities required to assess a fake login page from a legit login page in real-time.

For example, IRONSCALES analysts reviewed 25,000 emails in Q3 2019 with verified malicious links and attachments. They found that 23 percent (5,750) included links to active phishing websites. This represents a five-percent increase when compared to the previous 90-day period. Of that, the top five most spoofed websites were:

  1. Microsoft (37 percent)
  2. PayPal (25 percent)
  3. HSBC Holdings (8 percent)
  4. Adobe (5 percent)
  5. Wells Fargo (3 percent)

And a lot has to due to inattentional blindness, Baxter says, which is an individual failing to perceive an unexpected change in plain sight. The issue became an Internet sensation, he notes, in 2012 when a video asked viewers how many white shirted players passed a ball. Focused on the task at hand, more than half of the viewers failed to recognize a woman in a gorilla suit in the middle of the picture.

Adversaries know this, Baxter says, and they now see the importance of creating attacks that deceive the human brain, in addition to defeating technological controls. Yet, he says, there are often clear indicators within phishing websites that can help people identify fake URLS if they know what to look for.

According to Baxter, there are five categories to which each phishing website fell into:

  1. Blurred (45 percent) - When an image appears blurry and out of focus.
  2. Resized (25 percent) - When an image appears stretched or elongated.
  3. Creative (15 percent) - When an attacker tries to make a connection through design.
  4. Retro (10 percent) - When an image or copy uses outdated branding and messaging.
  5. Sense of Urgency (5 percent) - When a copy contains uncommon immediacy and calls to action.

Thanks to inattentional blindness, most people do not immediately see these visual similarity clues, Baxter says, and they wrongly assume the spoofed login page as legitimate and enter their credentials that are about to be used in a cyberattack.

In addition to websites, emails have the same problem, Baxter says. “What better way of making an email seem legitimate when sending a link to a fake login page than to spoof an actual email address such as (, or using an email address from a domain look-alike such as ( Can YOU tell the difference between these two?”

So what’s the solution? According to Baxter, “Visual similarity/computer vision is the best technological answer, as it does not rely on code scanning or signatures to detect fake/malicious login pages, instead, it visually compares the page to known existing legitimate landing pages. For example, if a web page looks similar to a legitimate page while directing them to a non-authenticated/trusted URL, then a phishing attack is most likely underway.”