You've just got an email from your bank informing about a massive breach and a need to change your password. Worrying about your modest savings, you click on the link and end up on their website, which looks a bit different today. Is this a re-design or another version? Is this website legit in the first place?
Although fake websites have become a commonplace danger to internet users, many still have problems identifying them. Fake websites are an important part of so-called phishing scams where fraudsters aim to misguide you into giving sensitive data, such as credit card numbers or account passwords.
This article will help users figure out what’s real and what’s fake on the web to stay out of harm’s way.
Each year, billions of personal data records are leaked or stolen. Learn how to minimize your footprint on the internet and stay secure.Protect your data now
6 ways to tell if a website is fake
If you take a good look at this website, can you tell if it is a secure website? How would you check if a website is safe? Well, if you don’t know the answer to that right now, we’re here to get that fixed.
1. Is this URL safe? Understand how URLs work
One of the most common ways that phishers lure users onto their sites is by adding malicious links to phishing emails. So any time you think about clicking on a link embedded in your emails, be aware that there's a possibility that it could be illegitimate.
It’s not always easy to tell the real from the fake, but there are always ways to do it. Oftentimes, fake sites will impersonate real ones – like your bank’s website. If you look at the URL closely, you may find letters out of place or perhaps they will have the domain name of the legitimate website as a subdomain of a fake one. It's such discrepancies that give the game away.
So, let's say you receive a link which includes the text www.gooogle.com. Would you click it? You probably shouldn't because that's definitely not the link to real Google. But if you just glanced at it on the go, you may not notice the issue.
Here are the elements of a website that attackers can control:
- Content. Anything below the long horizontal line can be tailored to mimic any website. There's no way a browser can warn you that you're looking at a fake page.
- Favicon. Any attacker can take Google's favicon seen at the top left and use it on a fake website.
- Domain. The attacker cannot alter the domain (google) that's coming before the top-level domain (.com). However, as seen in the picture above, it can use a similar domain to trick visitors.
- Subdomain. If you don't look carefully, a subdomain might look like a domain. An attacker can throw google.com.search-source.com at you where search-source is the actual domain of her fake website.
- SSL certificate. Seeing a green padlock beside the address bar often gives a fake feeling of safety. Any website can buy such a certificate unless it's EV (more on that below).
2. Is the website using legitimate SSL/TLS certificates?
Most legitimate websites and practically all of those operated by serious services like banks will have a URL that begins with HTTPS, rather than HTTP. This indicates that the site is using an SSL/TLS layer. It encrypts the communication between you and the server, securing the connection from third-party snoopers.
That being said, while all HTTP websites are unsafe, not all HTTPS websites are safe. That's because a secure HTTPS connection is not the same as a safe website. Luckily, there's a method to check whether you should trust an HTTPS website with a SSL/TLS certificate.
The steps differ a bit depending on your browser, but the following Chrome instruction should suffice for everyone:
- Load the website that you want to check
- Click the padlock icon next to the address bar to view the Site information window
- Click Certificate
- Choose the Details tab
- Check the Subject field
The information you see depends on the certificate type. A domain validation (DV) certificate will show the domain only. While that's not much, you can still see if the domain name is not fake. Also, most reputable companies don't settle for this level of verification.
If the website has an organization validation (OV) certificate, you'll also see the company's name, country, state, and city. In certain cases, the true owner will hide behind the certificate issuer, such as Cloudfare or DigiCert.
The most robust extended validation (EV) certificate adds the company's name to the Site information window and some extra lines in the Subject field. When checking the OV and EV certificates, you should have in mind that it's possible to register PayPal, Inc. in another country and use a fake domain for phishing.
3. What source is the link coming from?
Technically, phishers can and do sometimes hijack email accounts of businesses or individuals to give their phishing emails authority. However, that's not needed to send an email with a "real" address and display name. Using a compromised email sending server, the attacker can alter the "From" field. To make matters worse, not all companies take necessary precautions against this type of spoofing.
Yet this is quite rare, and more often the attackers will use accounts that look similar to those of legitimate sources when in fact they are not. Adding "Customer support" and similar sender names further diminishes user's chances of spotting anything suspicious.
Ideally, dubious messages would head straight to your spam folder, but as we know, that isn't always the case. As a matter of fact, legitimate emails often end up in the spam folder as well, complicating the distinguishing between the real and the fake.
As a general rule, if you haven't solicited an email or the sender isn't known to you, alarm bells should start to ring. It's obviously not gold-plated evidence that the sender is phishing you, but it's something to think about nonetheless.
Having said all that, there's an effective way to check the authenticity of any email. You only have to open the full header ("Show original" on Gmail) and look at the metadata. Has the email failed validating its SPF and DMARC? The domains or IPs of "Return-Path", "Received", and "Received-SPF" don't match? If you've answered "Yes" to one or both questions, then the email is as fake as the Cardiff Giant.
4. Look at the website
Everyone is bound to end up on a fake website once or twice – that much is difficult to avoid. Fortunately, there are ways to tell if a website is fake by the content on it.
For example, pages that are littered with small errors are strong candidates for fake websites. Sure they may be poorly written, but you shouldn't take chances when dealing with online shops and banks. The same goes for intrusive ads – if you have trouble reading the home page, better abort the mission.
If you're visiting a new website and have some suspicion, check out the contacts section. If there's no physical address or no phone number to complement the email address, you should better look further into this. If the website is big, it should also have a FAQ or some sort of knowledgebase.
In case you have doubts about an online shop, make sure to check its shipping and return policy. While reading it all is probably too much for most, everyone can copy a paragraph or two and see if they haven't been taken from another e-commerce site.
Payment options is another important thing to check. Legit online shops accept major credit cards, usually in addition to other payment options. However, if all you see is PayPal, Western Union, gift cards, or cryptocurrencies, close this tab immediately, shut down your computer and don't use it for three days to avoid losing money.
Finally, your browser might be the one that analyzes the website and determines whether it's safe to use. While sometimes you may end up with a false positive, that's better than risking your personal data or belongings.
5. Look for online reviews and references
Legitimate services will have many reviews on sites like Trustpilot. If the site you’re browsing doesn’t have any (or if they say the website is fake) – you should probably stay away. Whenever you order online, it's a good idea to check whether a company is listed there. If not, that's a major red flag.
Even so, sometimes phishers manage to build up an online profile. In those cases, reading the reviews should be enough to identify fake sites. Fake reviews tend to be generic, lacking in detail about what was good or bad about their experience. If they feel robotic or shallow, you've got reason to be sceptical.
The best way to search for reviews is to use "[brandname] + review" – this way you should also find those written on less popular websites. Checking "is [brandname] fake" or "[brandname] scam" can also lead to devastating results. Again, if these reviews and posts don't feel genuine, chances are the creators of the fake site are trying their best to look legit by targeting such keywords.
You can also run a WHOIS check to see the registrar's name, contact info, domain's age, and other data that may help find the truth. In the example above, we checked gooogle.com and found it's registrar to be MarkMonitor, Inc. It turned out to be a well-known company that fights cybercrime and brand abuse. The registrant and the IP further confirms that it's safe to browse gooogle.com, which actually redirects to google.com website.
6. Use a fake website checker
If you’ve taken all the above steps into consideration and still have doubts, try running the site through a fake website checker. Google's Safe Browsing tool is the best option here. Just paste in the suspect URL and the checker will determine whether it's safe to visit.
That's not the last word, though. Suspect websites pop up constantly. But the register is pretty up to date nonetheless and also gives warnings in Google Search results and web browsers.
Why should you worry about fake websites?
Fake websites are sites that have only been set up for one reason: to fool unsuspecting web users into thinking that they are legitimate. When done right, fake websites look and act almost exactly like the real thing. So they may mimic your bank or cellphone company, making you think that it's OK to act normally while you use them.
There are at least a couple of ways fraudsters use them to rip you off – primarily, they either lure you into divulging personal data or exploit various vulnerabilities to put malware on your system. They can only be successful by remaining unidentified, which is why knowing the telltale signs is so important.
How to report a scam website?
You’ve found a trap – great! The first thing you should do in such a case is report it so that others don’t fall for the scam. In most cases, the best course of action is to enter the URL into Google's reporting tool. This will result in Google adding the website to its list of reported “attack sites,” saving many people an unnecessary headache.
Most web browsers, excluding Safari and Opera, also have the option to directly report a fraudulent page. Here's how to do that on some of the popular browsers.
Report a scam website on Google Chrome
- Click the three dots on the top-right
- Hover over Help
- Choose Report an issue
- Optionally, edit the fields and click Send
Report a scam website on Mozilla Firefox
- Click the hamburger menu on the top-right
- Select Help at the bottom of the menu
- Choose Report Deceptive Site
- Optionally, add comments and hit Submit Report
Report a scam website on Microsoft Edge
- Click the three dots on the top-right
- Hover over Help and feedback
- Click Report unsafe site
- Tick the right boxes, select Language
- Enter the captcha and click Submit
But if you're worried that the site is stealing money (or you've already accidentally handed details over to the site owners), you need to know how to report a scam website to law enforcement authorities. In that case, head to the FBI's Internet Crime Complaint Center and file a complaint. It takes a bit of time, but if it helps to prevent crime, it's worth it.
What to do if you've been scammed
In case of such an unfortunate event, you must react quickly to prevent or minimize the possible damage. Here are the ten guidelines we recommend following:
- Inform your family and friends – they might be the next target
- Do not contact the scammer – there's no way you can make things better
- If you lost money, call 911 and report the case
- If your banking details might have been stolen, contact your bank immediately to block credit cards and accounts
- If your personally identifiable information has been stolen, report the police, your bank, credit bureaus, SSA, FTC, SAO, and other institutions
- If your password was stolen, change it to a new and strong one
- If the scammer accessed your device, change your passwords, inform the bank, and scan for possible malware
- Gather proof – emails, bank statements, and other information is vital in catching the scammer and possibly getting your money back
- Even if you didn't lose money or data, always report the scam to stop it from spreading
- Seek emotional support – chances are that the scammers will try contacting you (again) – this shouldn't lead to extorting (more) money
If you follow the following guidelines, you will be able to fight back the scammers and avoid severe casualties.
More from CyberNews
- We helped a retiree win back her money from a PayPal-UPS scam – and uncovered a network of 39 scam sites
- Best website builders for your online ventures. See if Wix or Zyro might be a good choice for you
- We've put a list of this year's best web hosting providers. For example, Bluehost or HostGator - read the reviews and make your choice