Guest author: Strong authentication doesn’t guarantee safety when phishing sites dominate search engine results


Phishing scams are appearing at the top of search results, even as sponsored content. While strong authentication protects against many threats, users must be more vigilant about which sites they log into with their banking credentials. The author, Henrik Rinne, is a Senior Software Developer working in the financial sector.

We’re moving toward a future where online services increasingly require strong authentication. It’s a good thing – we’re finally moving away from weak passwords used across dozens of services. But we also need to be more cautious when logging in with banking credentials.

A while back, I was looking for an online banking solution for my band, preferably a free one. I remembered someone mentioning a service called Holvi. I Googled it, and there it was, top search result: “Open a free bank account with Holvi,” even sponsored through Google Ads. Surely, if a company is paying for Google ads, they must be legit, right?

Turns out, not necessarily.

As a digital native, I glanced at the URL below the link before clicking. Something felt off: holvi.com.de. It was a phishing site, identical in appearance to the real one. The goal of phishing sites is to trick users into entering their login details, which scammers would then harvest.

Phishing sites can now appear in search results as sponsored links. That’s why it’s more important than ever to verify the websites we log into with bank credentials.

This made me reflect on how serious this issue is, and how it might get worse. It used to be that if a site had a .fi domain, it had gone through some level of official oversight. But since the change in legislation in 2016, anyone can purchase a .fi domain. In my opinion, that’s a problem.

For example, older generations in Finland are used to everything in our digital world just working seamlessly. All systems are integrated, everything is convenient – maybe too convenient. We no longer type full URLs; we assume the browser or its default search engine knows where we want to go. But does it really?

If a site prompts you to log in and displays a bunch of bank logos, how many of us double-check the URL in the browser or even know what it should be?

We’ve all likely used the OmaKanta service, but do you remember its actual URL? Is it kanta.fi, suomi.fi, suomi-kanta.fi, or something else entirely? And what about your bank, the one you’ve used for years – is it danskebank.fi, danske.fi, danksebank.com, or something different?

Users might face a situation where they must choose between two very real-looking sites. Even if a quick Google search could resolve it, we now know we can’t always trust search engine results, either.

If suomi.fi were expanded to include all financial institutions and insurance companies operating in Finland, we could trust the authenticity of the sites it lists.

In the U.S., .gov domains are restricted to official government entities. Why don’t we do the same?
I propose a state-supported service directory where users can search for financial or insurance services with confidence. For example, if suomi.fi expanded its search function, we could search for services like OmaKanta, Kela, or OP and be certain the results are legitimate.
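
The URL check described earlier and the directory lookup proposed here can be combined into one test, shown below as an added example that is not code from the author or from any real service. It assumes holvi.com is the genuine domain and uses a constructed two-entry directory; `example-bank.fi` and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed directory: stands in for the trusted registry the article proposes.
# Assumption: holvi.com is the genuine site; example-bank.fi is a placeholder.
TRUSTED_DOMAINS = {"holvi.com", "example-bank.fi"}


def login_host(url):
    """Return the normalised host of an https URL, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # drops any user@ prefix and :port suffix
    except ValueError:
        return None
    if parts.scheme != "https" or not host:
        return None
    try:
        # Punycode-encode so look-alike non-ASCII letters turn into
        # visibly different ASCII ("xn--...") and cannot match a listed name.
        return host.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return None


def classify(url, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for a login URL."""
    host = login_host(url)
    if host is None:
        return "unknown"
    # Trust is decided from the right: the host must BE a listed domain or
    # end in "." + that domain. "holvi.com.de" ends in "com.de", so it fails.
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"
    # A listed brand name appearing anywhere else in the host is a warning sign.
    if any(d.split(".")[0] in host for d in trusted):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://www.holvi.com/login", "https://holvi.com.de/",
              "https://holvi.com@login.example.net/", "https://notholvi.com/"):
        print(f"{classify(u):10} {u}")
```

The brand-name match is only a heuristic for flagging suspicious hosts; the trust decision itself rests solely on the exact or dot-bounded suffix match against the directory.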

The author, Henrik Rinne, is a Senior Software Developer in the financial sector who began his IT career in the 1990s building personal websites. He is a father from Espoo and the lead singer of the band St. Felix.
