How to identify and avoid fake websites?


Arnold Lorinda

Guest
You've just got an email from your bank informing you about a massive breach and a need to change your password. Worrying about your modest savings, you click on the link and end up on their website, which looks a bit different today. Is this a re-design or another version? Is this website legit in the first place? Although fake websites have become a commonplace danger to internet users, many still have problems identifying them. Fake websites are an important part of so-called phishing scams where fraudsters aim to misguide you into giving sensitive data, such as credit card numbers or account passwords.

One of the most common ways that phishers lure users onto their sites is by adding malicious links to phishing emails. So any time you think about clicking on a link embedded in your emails, be aware that there's a possibility that it could be illegitimate. It’s not always easy to tell the real from the fake, but there are always ways to do it. Oftentimes, fake sites will impersonate real ones – like your bank’s website. If you look at the URL closely, you may find letters out of place or perhaps they will have the domain name of the legitimate website as a subdomain of a fake one. It's such discrepancies that give the game away. So, let's say you receive a link that includes the text www.gooogle.com. Would you click it? You probably shouldn't because that's definitely not the link to real Google. But if you just glanced at it on the go, you may not notice the issue.

Most legitimate websites and practically all of those operated by serious services like banks will have a URL that begins with HTTPS, rather than HTTP. This indicates that the site is using an SSL/TLS layer. It encrypts the communication between you and the server, securing the connection from third-party snoopers. That being said, while all HTTP websites are unsafe, not all HTTPS websites are safe. That's because a secure HTTPS connection is not the same as a safe website. Luckily, there's a method to check whether you should trust an HTTPS website with an SSL/TLS certificate.

The information you see depends on the certificate type. A domain validation (DV) certificate will show the domain only. While that's not much, you can still see if the domain name is not fake. Also, most reputable companies don't settle for this level of verification. If the website has an organization validation (OV) certificate, you'll also see the company's name, country, state, and city. In certain cases, the true owner will hide behind the certificate issuer, such as Cloudflare or DigiCert. The most robust extended validation (EV) certificate adds the company's name to the Site information window and some extra lines in the Subject field. When checking the OV and EV certificates, you should keep in mind that it's possible to register PayPal, Inc. in another country and use a fake domain for phishing.

Technically, phishers can and do sometimes hijack email accounts of businesses or individuals to give their phishing emails authority. However, that's not needed to send an email with a "real" address and display name. Using a compromised email-sending server, the attacker can alter the "From" field. To make matters worse, not all companies take necessary precautions against this type of spoofing. Yet this is quite rare, and more often the attackers will use accounts that look similar to those of legitimate sources when in fact they are not. Adding "Customer support" and similar sender names further diminishes the user's chances of spotting anything suspicious.

Ideally, dubious messages would head straight to your spam folder, but as we know, that isn't always the case. As a matter of fact, legitimate emails often end up in the spam folder as well, which makes it harder to distinguish the real from the fake. As a general rule, if you haven't solicited an email or the sender isn't known to you, alarm bells should start to ring. It's obviously not gold-plated evidence that the sender is phishing you, but it's something to think about nonetheless.

If you’ve taken all the above steps into consideration and still have doubts, try running the site through a Website Scam Checker. The Review Nav tool is the best option here. Just paste in the suspect URL and the checker will determine whether it's safe to visit.
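The URL checks described above (letters out of place, a legitimate domain used as a subdomain of a fake one, and HTTP instead of HTTPS) can be automated. The following is an added example, not part of the original post; the `TRUSTED` list, the function names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domains you actually do business with (constructed list).
TRUSTED = {"google.com", "paypal.com"}

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def check_url(url, trusted=TRUSTED, max_typos=2):
    """Return a list of warnings for a link; an empty list means no red flag was found."""
    # Links pasted without a scheme ("www.gooogle.com") still need a host parsed out.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".")
    warnings = ["no-https"] if parts.scheme == "http" else []
    # Genuine: the host is a trusted domain or a real subdomain of one.
    if any(host == good or host.endswith("." + good) for good in trusted):
        return warnings
    labels, flagged = host.split("."), False
    for good in sorted(trusted):
        # Compare the same number of trailing labels as the trusted name has.
        tail = ".".join(labels[-(good.count(".") + 1):])
        if "." + good + "." in "." + host + ".":
            # e.g. google.com.secure-login.example: the real name is only a prefix.
            warnings.append("trusted-name-as-subdomain:" + good)
            flagged = True
        elif 0 < edit_distance(tail, good) <= max_typos:
            # e.g. gooogle.com: a few characters away from the real name.
            warnings.append("lookalike:" + good)
            flagged = True
    if not flagged:
        warnings.append("unknown-domain")
    return warnings

if __name__ == "__main__":
    for sample in ("https://www.google.com/accounts", "www.gooogle.com",
                   "https://google.com.secure-login.example/reset"):
        print(sample, "->", check_url(sample))
```

An empty result only means none of these specific red flags was found; it says nothing about a domain that is not on your trusted list to begin with.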