How To Spot A Fake Or Scam Website

Published by Adrian in Web Security


A scam website is one of the most dangerous places you can end up online. Because it looks strikingly similar to the website you were trying to reach, it earns your trust. Once you put your trust in a fake website, a lot of bad things can happen to you.

Hackers build all kinds of misleading websites, mostly to steal credentials. They resort to lookalike domains, typo-squatting, brand impersonation, or even traffic redirection.

If it’s a social media website, the range of deceitful actions is even more staggering: VIP impersonation, fraudulent profiles, spoofed accounts, false associations, and even fake job posts.

Suffice it to say that spoofed websites do a great job of bypassing security controls. They excel at exploiting their users, who unknowingly start sharing information with them.

Of course, if only you knew it was all a big lie, you wouldn’t facilitate any of the above.

But how can you tell if a website is fake or real?

Troubling news is coming from PhishLabs. According to their chief technology officer, John LaCour, in the first quarter of 2019, 58% of phishing sites used SSL certificates! This only proves that hackers are getting better and better at faking the signs we used to take as proof of whether a website is a scam or not.

Then again, this doesn’t mean we can no longer trust those signs. We do have to accept that SSL certificates are no longer an exclusive telltale that a website is secure. But those SSL certificates still carry weight in the more complex process of determining whether a particular website is what it claims to be.

In a nutshell, there are many more things we need to look into. And whenever we are in doubt, we’re better off if we keep pushing and researching until we convince ourselves that we’re in the right place.

What does it mean to keep pushing and researching? For starters, to check as many of the details provided below on how to spot a fake or scam website.

Website phishing ABC – a fake website’s fact-check

All the right answers to the question “Is this website a scam?” can only come if you know exactly which website you are on. In other words, a savvy internet user can tell if something is fishy about a website by simply looking at its URL.

As you’ll discover below, there are also a couple of online tools where you can run a check for a particular URL and see what you get. But regardless of whether you just look at the URL and try to analyze it or you copy the URL in a special online analysis tool, you need to know the exact URL.

Feeling confused?

Well, if you look at a simple URL like our website’s home page, which is https://antivirusjar.com/, it’s pretty clear which is the URL of the website.

But how about if, let’s say, you want to renew your antivirus subscription and you end up on a page with a very long URL? Say you’re using Bitdefender and you find yourself on a page with the following link:

bitdefender.com.log.in.renew-your-subscription.com/signing?country.x=Au&locale.x=en_Au

All of a sudden, you’re no longer so sure that you can tell exactly where you are and if it’s safe to put your login credentials in there, are you?

To kill the suspense, the example above may very well be a phishing site URL. That’s because the whole bitdefender.com.log.in. part is a subdomain. The actual domain is renew-your-subscription, and com is the top-level domain. The signing?country.x=Au&locale.x=en_Au part is the path and its query parameters, which indicate loading a login page in Australian English.

What we’re trying to say is that hackers can often create websites with subdomains that include the names of other popular websites. Whether it’s the name of some antivirus software developer, of a big online retailer like Amazon, or even of a payment service like PayPal, just because you see something familiar in the URL doesn’t mean you’re on the website you think you are.

The first thing you should look into when trying to decide if a website is fake or real? The website’s exact domain name, along with what other elements it has in its URL!
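The breakdown above can be automated. The following Python sketch is an added example, not code from the original article: it splits a URL into subdomain, registrable domain, path and query, and reports when a known brand name appears in a host that the brand does not own. The suffix set and brand table are small constructed samples; real tooling should load the full Public Suffix List.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed, deliberately tiny stand-in for the Public Suffix List.
SAMPLE_SUFFIXES = {"com", "org", "net", "co.uk", "com.au"}
# Assumption: brands of interest mapped to the domain they really own.
KNOWN_BRANDS = {"bitdefender": "bitdefender.com",
                "paypal": "paypal.com",
                "amazon": "amazon.com"}

def split_host(host):
    """Return (subdomain, registrable_domain) using the longest known suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # i=1 tries the longest suffix first
        if ".".join(labels[i:]) in SAMPLE_SUFFIXES:
            return ".".join(labels[:i - 1]), ".".join(labels[i - 1:])
    # Suffix not in the sample set: fall back to the last two labels.
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyze(url):
    """Decompose a URL and list brands named in a host they do not own."""
    # urlsplit only recognises the host when a scheme or '//' precedes it.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = parts.hostname or ""
    subdomain, domain = split_host(host)
    impersonated = sorted(brand for brand, real in KNOWN_BRANDS.items()
                          if brand in host and domain != real)
    return {"subdomain": subdomain,
            "registrable_domain": domain,
            "path": parts.path,
            "query": dict(parse_qsl(parts.query)),
            "impersonated_brands": impersonated}

if __name__ == "__main__":
    # The article's own example URL, followed by a constructed legitimate one.
    for u in ("bitdefender.com.log.in.renew-your-subscription.com"
              "/signing?country.x=Au&locale.x=en_Au",
              "https://www.bitdefender.com/login"):
        print(u, "->", analyze(u))
```

The part that matters is `registrable_domain`: everything to its left is chosen freely by whoever controls that domain.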


Begin by checking the website’s digital footprint

As mentioned, before you even click on that potential scam website, you can run a search for its URL.

Most people would think about googling it, which is OK. Actually, you can look it up with any search engine, not just with Google in particular. What matters most, when you look at the results, is to be sure that the reviews and the feedback you’re seeing aren’t coming from sources affiliated with that website.

But if you want to go the extra mile, there are 3 other things you can do:

  1. Check the website’s domain on WhoIs – run any domain through https://whois.domaintools.com/ and you’ll get some info on the entity that registered it. Beware if the information is hidden or suspicious, or if the domain was recently transferred/registered!
  2. Check the website’s safety rating from Google – the Google Transparency Report, at https://transparencyreport.google.com/safe-browsing/search, is a great place to check a site’s status. Use the Safe Browsing Site Status function on their website, paste the website’s URL in there, and see what rating it gets.
  3. Check the Better Business Bureau page – if you go to https://www.bbb.org/ you can search for a business and see which website is its official one. This isn’t necessarily an indicator of how safe a website is, but it can link a particular URL to a particular business.

Other options of how to spot a fake website

  • Look at the website’s connection type – encryption is a sign that it could be a legit website. Without the https, it’s more likely to be insecure, as SOME hackers don’t bother getting this security certification. In any case, it’s mandatory that the payment page has the https in its URL.
  • Make sure you also see a green padlock – usually, if a website has an SSL certificate that is correctly installed, it should display both the https and the green padlock icon in the address bar. If you only see the https but no green padlock, it can be a sign that something is wrong.
  • Take a closer look at the certificate details – hackers can fake certificates or just buy the minimum-required certificate. Click on the Padlock icon and look for the View Certificate option. The more details you find in there, the easier it is to tell whether this is a secure or a fake website.
  • Consider the domain extension – the .com websites are among the most popular, and .com domain names are also the easiest to obtain. A .gov website, for instance, which is a government-specific domain, or a .edu website, specific to educational institutions, is more credible.
  • Spot anything weird in the domain name itself – if it tries to imitate the name of an actual, popular business (like WikiH0w instead of WikiHow or AdidasOutlet instead of just Adidas etc.) or if it uses other symbols or multiple dashes, it should definitely raise a flag.
  • Take a look at how the website is built – hackers either use one-off sites (very simple pages, with minimal content) or invest a lot of energy into perfectly copying a legit website. If the website doesn’t seem or feel naturally built, with the user’s best interest in mind, it probably isn’t.
  • Analyze the advertising profile – all websites have ads but, as a rule, the more invasive the ads are, the more likely it is that you’re on a fake website. Beware of ads that take up the whole page and force you to click on them, or ads that redirect you outside of the website.
  • Check if there is any content copied from other websites – has the hacker copied another website’s content or put together a network of fake websites all sharing the same content? It’s easy to spot. Use an online plagiarism service (like duplichecker.com) to test the uniqueness of its content.
  • Don’t ignore the bad English – misspelled words and awkward phrases as a norm can and should make you question the reliability of that website. Whether its content was created at high speed or by someone with little interest in providing quality, all these are reasons to be skeptical.
  • Check the contact options – it’s a no-brainer that legit businesses want to stay in touch with their customers. If the website you’re on lacks a dedicated contact page or provides no contact information whatsoever, it is certainly yet another red flag.
  • Check the privacy policy – all organizations are required to detail in one way or another their privacy policies. If something feels shady on that page, keep investigating. Also, don’t ignore the option to check the official list of the Privacy Shield to see if the company behind that website is on that list, which means it complies with the EU’s General Data Protection Regulation.
  • Check the payment options – this one applies to websites where you can make payments. The trustworthy websites will facilitate payments via major credit cards and some popular non-payment card options. If all you’re getting is a request to send money through Western Union wiring or a shady PayPal address, you should be skeptical. Payment options that avoid scrutiny and whose transactions cannot be reversed are yet another big flag.
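The "anything weird in the domain name" check from the list above can be expressed as a small screening function. This Python sketch is an added example, not part of the original article: it flags digit-for-letter swaps, a brand name padded with extra words, single-character typos, and multiple dashes. The brand list reuses the article's two examples, and the swap table is an assumed, non-exhaustive set.

```python
# Constructed sample data: the two brands named in the article's examples.
BRANDS = ["wikihow", "adidas"]
# Assumption: common digit-for-letter swaps; extend for real use.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def name_flags(label):
    """Screen a domain name without its extension, e.g. 'wikih0w'."""
    name = label.lower()
    flags = []
    if name.count("-") >= 2:
        flags.append("multiple dashes")
    # Undo dashes and digit swaps before comparing against brand names.
    folded = name.replace("-", "").translate(SWAPS)
    for brand in BRANDS:
        if name == brand:
            continue  # the exact brand name itself is not a lookalike
        if folded == brand:
            flags.append(f"lookalike spelling of {brand}")
        elif brand in folded:
            flags.append(f"{brand} plus extra words")
        elif edit_distance(folded, brand) == 1:
            flags.append(f"one typo away from {brand}")
    return flags

if __name__ == "__main__":
    # First two names come from the article; the rest are constructed.
    for label in ("WikiH0w", "AdidasOutlet", "wikhow",
                  "secure-login-adidas", "adidas"):
        print(f"{label:22} {name_flags(label) or 'no flags'}")
```

A flag here is a reason to look closer at the site, not a verdict; a brand can legitimately own a name like the AdidasOutlet example.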

These are the most common aspects you should look into. Not just occasionally, but with any website that raises even the slightest suspicion.

Making sure that they have a decent digital footprint and an online history that other users can confirm? Please, do so!

Getting in touch with the team behind that website? Why not, if you need to be sure they’re for real?

If you agree with us that it’s better to be safe than sorry, you’ll find each of these aspects to be worth the time and effort of checking them.