Scammers use a number of tools to part you from your money, your personal information or both. One of the most common is fake websites, deployed either as a stand-alone scam in their own right or as the “business end” of a phishing scheme. Criminals and scam artists aren’t going to go away anytime soon, so learning how to identify fake websites is a crucial survival skill in your online life.
Three Kinds of Fake (or Scam) Websites
The actual fake websites you’ll encounter might come in thousands of forms, but broadly speaking there are three main kinds.
One type is designed to resemble a site that you might already deal with, perhaps your bank or credit card company or a major company like Amazon or Netflix. These sites are generally used in conjunction with a phishing scam designed to trick you into thinking you need to log in to fix a problem.
While those sites lure you in by trying to imitate a legitimate website, a second type often works by appearing to be a slightly illegitimate website. Typically they’ll offer up the promise of something that’s common but a bit shady: pirated movies or games, sexually explicit material or perhaps something as innocent as a sporting event that’s geo-blocked by broadcasters in your area.
A third type could be described as a hybrid of the two. While the site itself appears legitimate, what it’s offering is juuuuust a bit too good to be true. That might be anything from a sweepstakes you’ve supposedly won to a glittering investment opportunity. Either way, the only opportunity you’ll find there involves you and your money parting company.
A Closer Look at Scam Websites
The actual workings of a scam website can vary depending on the end goal. Sites that impersonate your actual bank or credit card company trick you into logging in with your real credentials. Once you’ve done so, they can log in for themselves at your real bank’s page and proceed to loot your accounts (or even lock you out of them). If it’s a fake login for a major company like Amazon or Netflix, giving them your credentials means they’ll have access to your full account information, which can be a boon for an identity thief.
The second type of scam website has a few angles. Requiring you to open an account with them is a common ploy and puts them in possession of your name and at least some of your personal information, along (usually) with one or another payment option. Some malicious sites will fill your computer with malware, which can extract the rest of your personal information or perhaps even record login credentials and payment methods from all of your regular sites. Another threat is ransomware, which locks down your computer’s data until you pay the scammers.
The third type of scam site can also exploit you in numerous ways. You might need to “register” or set up an account in order to trade or to claim your prize. Again, this gives scammers access to personal and payment information. You may also need to pay “processing fees” or shipping costs on your supposed prize. Bogus investment and cryptocurrency sites are especially treacherous, taking both your personal information and your money (the purported investment), and then charging you “trading fees,” phony taxes or “early withdrawal fees” in order to cash out your — wholly fictional — gains.
How To Identify Fake Websites
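So how can you tell the difference between a real website and a fake? Start by looking at your browser’s address bar, where the URL displays. The URLs for almost all reputable sites now start with “HTTPS” rather than just “HTTP.” The “s” means that the site uses what’s called Secure Sockets Layer (SSL), or today its successor Transport Layer Security (TLS), to encrypt the information moving to and from the site. Scammers, on the whole, prefer your data to not be encrypted. Keep in mind that HTTPS only tells you the connection is encrypted, not who is on the other end, so treat a missing “s” as a warning sign rather than treating its presence as proof that a site is genuine.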
Next, look at the actual URL of the site. Look-alike sites often have an easy-to-overlook typo in their name, perhaps two letters transposed or an “m” and an “n” exchanged for each other. They may also have the wrong extension, perhaps ending with .net, .biz or newer top-level domains such as .work or .click. It’s not that legitimate companies don’t use those domains; some do…but they’re not likely to really be Amazon or Netflix.
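The address-bar checks described above can be automated; the following Python is an added example, not part of the original article. The KNOWN_SITES allow-list, the warning labels and the sample URLs are constructed for illustration, and the last two host labels are assumed to be the registered domain.

```python
from urllib.parse import urlsplit

# Constructed allow-list: brand name -> the domain that brand really uses.
KNOWN_SITES = {"amazon": "amazon.com", "netflix": "netflix.com"}

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent letters counts as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_url(url):
    """Return warning labels for one URL; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    warnings = [] if parts.scheme == "https" else ["not-https"]
    labels = (parts.hostname or "").lower().split(".")
    if len(labels) < 2:
        return warnings + ["no-domain"]
    # Assumption: the last two labels are the registered domain (ignores .co.uk etc.)
    name, tld = labels[-2], labels[-1]
    for brand, real in KNOWN_SITES.items():
        if f"{name}.{tld}" == real:
            return warnings                          # the expected domain itself
        if name == brand:
            warnings.append(f"wrong-tld:{real}")     # right name, wrong extension
        elif osa_distance(name, brand) <= 1:
            warnings.append(f"lookalike:{real}")     # one typo or letter swap away
    return warnings

if __name__ == "__main__":
    # Constructed sample URLs covering each check in the text.
    for sample in ("https://www.amazon.com/gp/cart", "https://netfilx.com/login",
                   "http://amazom.com", "https://amazon.work/"):
        print(sample, check_url(sample))
```

An empty result only means none of these particular checks fired; it does not show that a site is legitimate.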
How To Identify Scam Websites
Many of the same tips can be applied if you suspect you’re visiting a scam website. It’s not that legitimate websites don’t sometimes have typos or bad grammar, but it’s reasonable to expect that a real investment firm, lottery corporation or vacation rental company exercises a higher level of quality control.
If you want to go deeper, you can turn to the organization that coordinates the internet’s domain names, the Internet Corporation for Assigned Names and Numbers (ICANN). Anyone can go to ICANN’s domain name lookup page to find out who owns a domain (this is colloquially known as a “whois” search). Just type in the domain name of the site you’re looking for and the search result will tell you where it’s registered, how long it’s been registered and (often) who owns it.
If the site was only recently registered or registered in a country other than its claimed location, and if its ownership information is redacted or hidden behind an anonymous numbered company, those are all red flags. If there’s any contact phone number or address, you can use Spokeo’s people search tools to try and find out who’s behind the site. Again, if your search comes up empty or points to a geographic location that doesn’t correspond to what you’ve been told, that’s a red flag.
One final test is plain ol’ common sense. As generations of parents have pointed out, if it sounds too good to be true…it probably is.
Reporting a Scam or Fake Site
If you’re confident you’ve uncovered a scam or fake site, the first thing to do is break off contact and reach out to law enforcement. The best place to start is the FBI’s Internet Crime Complaint Center, or IC3. Send them all the information you’ve got, from the original contact (phone call, web search, phishing email) to the URL (screenshots are good too, if you have them) and any details of the scam itself.
If you believe the scammers have successfully stolen your identity, go to the FTC’s IdentityTheft.gov website and file a complaint. The site will walk you through creating a point-by-point plan to minimize the damage.
You can use other platforms to spread the word as well. The BBB’s interactive Scam Tracker provides a venue where you can share the details of the scam, to help others avoid falling for it. If the scammers initially made contact with you on a social media site, sharing your story on the same site might help someone else avoid getting burned.
Protecting Yourself From Scam/Fake Websites
There are several steps you can take to protect yourself from these websites. One of the first is simply to cultivate an attitude of healthy skepticism about any incoming calls, letters, emails or texts that you suspect might be phishing attempts. If they purportedly come from a friend, reach out to that friend using another method. If they’re supposedly from a company you do business with or a government agency, reach out to that company or agency directly through a published phone number. Never click a link until you’ve verified it.
The tone and style of the scammer’s pitch is often a giveaway as well, because they’ll usually show one or more common characteristics. One of the biggest is that there’s always pressure to act now, whether it’s in the form of a carrot (“Prize must be redeemed within 24 hours!”) or a stick (“Failure to respond will result in termination of your account.”).
Software can also play a significant role in helping protect you from malicious sites. There are dozens of respected, legitimate companies making apps that can protect all your devices, from antivirus and anti-malware scanners to firewalls (which can prevent malware from doing its job, even if it sneaks onto your computer). Some malware prevention apps, and most modern browsers, can warn you against certain types of malicious sites. Scammers can glean some information about you right from your browser, so you might even consider using a virtual private network (VPN) to keep more of your identity safe from prying eyes.
Don’t Overthink It (but Don’t Under-Think, Either)
It’s important to remember that, despite all the headlines, fake and scam websites account for a tiny, marginal fraction of the internet. You can go years without encountering even one. That’s not to say it can’t or won’t happen — being struck by lightning or winning the lottery are vanishingly rare as well, but they both happen every day to someone — but normal life online quickly becomes impossible if you compulsively attempt to verify every site you visit.
Instead, stay informed about what scams are the biggest threats at a given time (forewarned is forearmed, right?). The FTC’s Scam Alerts page is an excellent resource for scams of all kinds (the pandemic spurred a rise in unemployment scams, job scams, stimulus scams and COVID-related scams in general, for example). The SEC’s Investor Alerts and Bulletins page is the equivalent resource for investment and cryptocurrency scams.
At the end of the day, you don’t need to live your online life in fear. You just need to understand where and what the risks are, and act accordingly.
- Cloudflare – Why Is HTTP Not Secure? HTTP vs. HTTPS
- Krebs on Security – Bad .Men at .Work. Please Don’t .Click
- ICANN – Domain Name Registration Data Lookup
- U.S. Federal Bureau of Investigation – Internet Crime Complaint Center (IC3)
- Better Business Bureau – BBB Scam Tracker
- National Cybersecurity Alliance – Spam and Phishing
- AT&T Security Essentials – Firewalls Explained: The Different Firewall Types and Technologies
- IdentityTheft.gov – File a Complaint
- U.S. Federal Trade Commission – Scam Alerts
- U.S. Securities and Exchange Commission – Investor Alerts and Bulletins