How Do Pharming Attacks Happen? (How To Protect Yourself)

Are You Unknowingly Being Scammed By Fake Websites?

In 2019, the Venezuelian government launched a humanitarian campaign website which requested that volunteers provide their full names and ID numbers [*]. But less than a week later, a second website appeared that was a perfect copy of the first. 

With a sophisticated cyberattack called pharming, hackers then made it so that anyone in Venezuela who tried to visit the legitimate site ended up on the fraudulent duplicate. Any sensitive information that was entered on the second site went directly to a group of hackers. 

Pharming attacks like this are rare. But when they happen, they can be incredibly dangerous. 

In probably the most famous pharming example, hackers created 50 lookalike banking websites and used a Microsoft vulnerability to redirect traffic to the hackers — stealing victims’ banking credentials without their knowledge [*].

In this guide, we’ll explain what pharming is, how a pharming attack works, and what you can do to protect yourself from this threat.

{{show-toc}}

What Is a Pharming Attack? How Does It Happen?

A pharming attack is a type of cybercrime that redirects web traffic from a legitimate website to a fake website designed to mimic the original. Any information that you enter on the fake website — like passwords, credit card numbers, etc. — goes straight to the hackers. 

(The word “pharming” comes from a combination of “phishing” and “farming.”)

Pharming attacks are dangerous for two reasons: 

1. Scammers take an extra step to ensure that the URL of their fake website stays the same as the legitimate one. Thus, the scam happens in the background and is undetectable by most people. 
2. Pharming attacks don’t require you to click on a malicious link (like in other phishing attacks). Instead, these “pharms” exist online, waiting for you to visit them and enter your personal information. 

To understand how pharming works, you need to first learn a bit about what happens in your browser when you enter a website name. 

We remember website domain names (like aura.com), but the actual “location” of a website is an Internet Protocol (IP) address stored as numbers separated by periods (like 12.345.678.90).

When you enter a domain name in the address bar and hit enter, the request is sent to a Domain Name System (DNS) server. This server looks up the domain name (aura.com), finds the corresponding IP address (12.345.678.90), and sends it back to your computer.

To save time, your router, computer, and internet browser may all store previously requested IP addresses in DNS caches and local host files. Pharming attacks replace the linked addresses with malicious sites so that when you enter a familiar web address, it takes you to the fake site’s IP address instead.

There are two main types of pharming, both targeting different steps in the DNS resolution process:

• Malware-based pharming, also known as DNS changers or DNS hijackers, are pieces of malicious code that alter the hosts file or DNS cache in the victim’s computer. Once the malware has infected the system (usually via a Trojan), it modifies entries in the hosts file so that domain names are mapped to pharming websites. 
• DNS Poisoning, or DNS spoofing, is malware that targets the software that controls DNS servers. Here, they are able to alter DNS resolution at the source. Because of this, DNS poisoning is a far more sophisticated and broader attack, and much harder to defend against. Rather than affecting a small number of people who accidentally install malware, it affects everyone who tries to load that website.

What Happens if You Visit a Pharming Site?

Visiting a pharming site can have dire consequences. Because pharming is an advanced type of cyberattack, scammers often target high-value websites, such as your online bank accounts.

Here’s how a typical pharming attack works:

• You accidentally download malware — for example, from a fake website or phishing attack — that works in the background to change the saved IP addresses on your computer. 
• When using that infected device, you try to visit a legitimate website, like Facebook.com.
• Your computer reads the infected IP address and directs you to a fraudulent website that looks exactly like Facebook.com.
• You enter your username and password on the fraudulent site, and that data is sent to a scammer who can now hack into your account.

For example, in 2018 hackers redirected the address of crypto site MyEtherWallet.com to a Russian server hosting a lookalike page [*]. 

Scammers then emptied the accounts of internet users who entered their login information on the fraudulent site — stealing thousands of dollars worth of Ether cryptocurrency before the attack was discovered.

📚 Related: How To Protect Yourself from Account Takeover Fraud (ATO) →

Pharming vs. Phishing: What’s the Difference?

While pharming and phishing are related, they aren’t quite the same thing. 

Phishing attacks are designed to trick victims into handing over personal information (like credit card details or login credentials). Scammers usually do this by sending phishing emails or texts pretending to be from a trusted source, like the victim’s bank.

These phishing emails contain a hyperlink that directs the victim to a fraudulent website, allowing the criminal to steal any data that the victim inputs. The first quarter of 2022 reported over a million phishing attacks, the most ever observed in a quarter [*].

Although pharming evolved from phishing, it is much more sophisticated. 

Instead of tricking victims into clicking on dangerous hyperlinks, pharming attacks trick your device or a DNS server into sending you to a fake website — while still showing you the legitimate domain name.  

Here are the main differences between phishing and pharming.

10 Ways To Avoid a Pharming Attack

1. Use anti-phishing software
2. Look for the warning signs of a fake website
3. Don’t open links or download attachments
4. Use a virtual private network (VPN)
5. Change your home router’s default password
6. Protect your devices with antivirus software
7. Update your passwords
8. Enable two-factor authentication (2FA)
9. Use a password manager
10. Consider an all-in-one digital security solution

Digital security is constantly evolving. But despite the growing threat of scams and malware, there’s a lot you can do to minimize the risk of a cyberattack. 

Here are 10 steps you can take to protect yourself from pharming:

1. Use anti-phishing software that warns you of scam websites

Anti-phishing and safe browsing software use AI (artificial intelligence) technology to identify phishing sites, emails, and content. If pharming content is identified, the software will warn you and block it. 

For example, Aura will alert you if you’re entering a potentially dangerous site (such as a pharming or malware-infected website) to prevent your data from being stolen.

How safe browsing tools can help:

Pharming relies on your entering information on a scam website that looks like a legitimate one. If you avoid entering the site, you avoid having your sensitive information stolen. This is where anti-phishing software comes in.

However, fake sites can slip past anti-phishing software as they don’t always contain clear warning signs. For this reason, it’s important to use more than one protection method.

2. Look for the warning signs of a fake website

While anti-phishing software is useful as a last line of defense, being able to identify a fake website yourself can protect you in case a pharming site slips through the cracks. 

How to spot suspicious websites:

• Double-check that the domain name is correct. 
• Look for a padlock symbol and “https://” (rather than “http://”) in the address line — this isn’t foolproof, but it generally signals that the site is secure. 
• To be sure you’re visiting an authentic website (and the one you want to be on), click on the website’s security certificate and check details such as where it’s registered and who owns it. 

• Keep your eye out for bad spelling, grammar, and poor design elements. These are signs that you’re on a copycat site. 
• Use the Whois Lookup domain checker to see how long the site has been active. If it’s brand new or younger than you would assume it should be, these are huge red flags. 

📚 Related: What Can Scammers Do With Your IP Address? (10 Risks) →

3. Don’t open links or download attachments from people you don’t know

Clicking on unknown links and downloading unverified files are surefire ways to infect your PC with viruses and malware. You can’t always protect yourself from DNS poisoning, but you can avoid pharming malware by steering clear of these risks. 

How to avoid suspicious links and attachments:

Never click on suspicious links in emails and texts, even if they are from trusted senders. Attackers often use link shorteners and other tricks to hide the fact that the URL is suspicious. Instead, manually type the domain name into your browser so that you’re sure it’s safe. 

This also holds true for attachments. Unless you’re expecting an attachment (for example, from a work colleague), you should never download one. Even in the case of a trusted sender, you should always scan the file first with quality antivirus software. 

4. Use a Virtual Private Network (VPN) to protect your data

VPNs create an encrypted “tunnel” between your computer and the VPN server, hiding your online activity and IP address. Not only does this protect your privacy, but it also prevents spying attempts and can help protect against pharming attacks. 

How a VPN can protect you from pharming attacks:

A VPN encrypts your traffic, routing it through its own DNS server when you load a website. This protects you from pharming attacks as long as the VPN’s servers are secure. Some VPNs also offer private DNS servers, which increase security and privacy for your internet traffic.

5. Change your home router’s default password and disable “administrator mode”

Routers and wireless access points often include default administrator passwords that are used across multiple devices. This means that hackers might have access to your router password, making it possible for them to access your network devices.

How to secure your home router:

• Replace your router’s administrator mode password (or disable administrator mode entirely).
• Replace your Wi-Fi network password with something that is more secure.
• Keep your router up to date (updates often include security patches).

6. Protect your devices with antivirus software

Antivirus software acts as the immune system of your device. A reputable antivirus solution will protect you from malicious files, scan your device for malware, and act as a final barrier in case you accidentally click on an infected link. 

What to look for in antivirus software:

• The ability to perform periodic scans of your device to ensure that no malicious programs have infected it.
• A scan function to check downloaded files and ensure that they are safe.
• An updated database of known viruses, malware, adware, and spyware so that it can provide protection against the latest threats.

7. Update your passwords

Your passwords are the main line of defense preventing criminals from accessing your accounts. This means that each individual password needs to be strong. 

Here’s how to protect yourself with stronger passwords:

• Use a complex password. The more complex your password, the harder it is to guess. Use a combination of numbers, letters, and other symbols in random order. 
• Use a long password. The longer your password, the harder it is for hackers to successfully use brute-force attacks to steal your information. Aim for 12-15 characters in each password. 
• Avoid using easily discovered personal information. Information like your name or birthday makes your password easier to guess. 
• Use unique passwords. Using different passwords for every account means that if one is compromised, the rest remain safe. 

8. Enable two-factor authentication (2FA) on all of your accounts

Even if you use the strongest passwords, they can still be leaked or phished. Using two-factor (2FA) or multi-factor authentication (MFA) adds another layer of protection when you sign in to your accounts.

Here’s how 2FA and MFA protect your accounts:

With 2FA enabled, when you sign in using your password, you will be sent a code to your second-factor device (for example, your email address). You will need to submit this code to prove that it’s you trying to sign in. 

For high-risk accounts, MFA introduces multiple layers of security. For example, you may need to use biometrics (like a fingerprint or voice recognition) in addition to the 2FA code. 

📚 Related: Have I Been Hacked? Warning Signs & What To Do →

9. Use a password manager to stop you from entering passwords on fake sites

If you find it hard to remember all of your passwords, a quality password manager can keep them safe. 

How a password manager can protect you:

Included in every Aura plan, Aura’s password manager stores all your passwords so that you don’t have to commit them to memory. On top of this, Aura’s identity theft protection service keeps an eye out for leaked data and will alert you if any of your credentials have been compromised.

Password managers can also auto-fill your username and password fields when it recognizes a saved website. This can help protect you against pharming attacks because the manager will be much harder to fool than the human eye. If it doesn’t recognize the site, it won’t auto-fill your data. 

10. Consider signing up for an all-in-one digital security solution

The consequences of a hack can be serious. To avoid falling victim to a pharming scam, consider signing up for an all-in-one digital security solution like Aura. You can try Aura free for 14 days to see if it’s right for you →

With Aura, you get:

• #1-rated identity theft protection. Aura monitors your account logins and sensitive information (credit card numbers, SSN, etc.) for signs of fraud. If we find anything suspicious, you’ll be alerted in near real-time.
• Proactive device protection. Aura combines powerful antivirus software with a military-grade VPN, safe browsing tools, and more to keep your computer, phone, and home network safe from cybercriminals. 
• Financial fraud protection. Aura monitors your bank and credit accounts in near-real time and will alert you if anything suspicious is detected. 
• Instant credit lock. If you’ve fallen victim to a scam, quickly lock your Experian credit file with one click from the desktop or mobile app.

📚 Related: Is Identity Theft Protection Really Worth It? →

How To Tell if You’re the Victim of a Pharming Attack

The quicker you respond to a cyberattack, the more you’ll be able to do to minimize the damages that a hacker can inflict. 

Here’s what to look out for if you think you’ve been “pharmed”:

• You are signed out of your online accounts. When you try to log in, you discover your passwords have been changed and someone has taken over your account. 
• Unexplained charges. There are suspicious charges to your bank account, credit card, or PayPal that you can’t explain. 
• Suspicious logins. You receive texts or emails informing you of login attempts, 2FA codes, or password resets that you didn’t request. 

• Identity theft. Your identity has been stolen, and someone has opened a bank account, issued a new credit card, or taken out a loan in your name. 
• Cryptocurrency theft. Your cryptocurrency account is suddenly missing a sum of money. 

Did You Give Up Account Details on a Scam Website? Do This

If you see any signs that you’re the victim of a pharming scam or hack, you need to act quickly. Don’t give the hackers an opportunity to steal from you, extort you, or take your identity.

Here’s what to do: 

• Force any unrecognized sessions to log out of your online accounts. If you find evidence that someone has taken over your accounts (or is lurking in them), you can force a sign-out on each of the unauthorized devices. Then, recover your account and change your passwords.
• Update your passwords and use a secure password manager. Start with the accounts that are most at risk. Make sure every account has a strong and unique password, and store these in a password manager. Finally, enable 2FA or MFA on all of your high-risk accounts.
• Do a full antivirus scan on all of your devices. If you’re the victim of a pharming attack, chances are that you have been infected with malware. Use an anti-malware and antivirus solution to scan, quarantine, and remove infections. Aura offers powerful antivirus software that you can use immediately (even during your 14-day free trial). 
• Check your credit report and bank statements for signs of fraud. If you see suspicious charges or accounts that you don’t recognize, freeze your credit and contact your financial institution.
• Reset your router and update your network passwords. To secure your Wi-Fi network, update all of the administrator and Wi-Fi passwords. Then, do a factory reset of your router to remove any malware infections and altered settings. 
• Report the fraud to the relevant authorities. If you’re the victim of fraud, you need to file a report with the relevant agencies. This will help protect you and others from becoming victims, and is essential if you’re going to dispute fraudulent charges. These authorities include the Federal Trade Commission (FTC), Internet Crime Complaint Center (IC3), and the police. You can also submit a report to your internet service provider (ISP) so that they can block the pharming website.

Secure your digital life. Try Aura free for 14 days →