
Holiday Shopping Safety: Spotting and Avoiding Fake Websites

Published: November 13, 2024


While scammers can use fake emails, text messages, and phone calls to target their victims, almost every phishing scam shares one common element: a fake website.

Scammers set up fake sites to mimic familiar login pages, online shopping sites, and information or payment request forms. Links to these pages are included in scam messages or even posted online to trap unsuspecting browsers. 

In the first half of 2023 alone, the Anti-Phishing Working Group (APWG) discovered nearly 3 million new phishing websites. [1]

Fake sites can steal your information and your money or infect your device with malware. To stay safe, you need to know what these sites look like and how you can avoid them.  

In this article, we’ll explain the risks of fake websites, warning signs to look out for, and what steps you should take if you fall victim.

What Are the Risks of Visiting Fake Websites?

Fake websites are pages designed to intentionally mislead visitors. These include scam websites with fake goods and services, look-alike phishing websites, and malicious websites containing malware and viruses.  

Links to these scam sites are found in pop-ups and social media ads, as well as in phishing emails and text messages. They may even appear in search engine results for common search terms. 

While visiting a fake site isn't always dangerous, it can still put you at risk. 

Here are some of the risks of visiting a fake website: 

  • You could pay for non-existent goods from a fake e-commerce store. Scammers use ads on social media to promote fake stores with too-good-to-be-true deals. If you try to buy, you’ll either lose your money, receive counterfeit products, or have your credit card details stolen.

  • You could give up sensitive information that can be used for identity theft. By creating sites that mimic legitimate companies, scammers can con personal data out of you. With your contact information or financial information, they can steal your identity and your money.

  • Scammers could trick you into providing your login credentials and passwords. Many scammers set up fake login web pages to trick you into giving up your email address, usernames, and passwords. They can then log in to your accounts, lock you out, and use your information for other online scams. 

  • You could unknowingly download malware, ransomware, or other viruses. Fake sites can hide malware and other viruses in pop-ups, legitimate-looking links, and downloadable files. Some sites even trigger drive-by downloads that infect devices without requiring any clicks at all. 

The bottom line: Fake websites are often a small part of a larger scam. If you’ve visited or engaged with a suspicious site, you should take steps to secure your identity and online accounts.

How To Tell If a Website Is Fake

Fake websites are getting more numerous and harder to identify. Follow these steps to make sure you’re not getting fooled by a fraudulent site:

1. Check the URL closely for spelling mistakes

Many fake websites appear to have legitimate URLs, but actually contain slight variations or spelling mistakes. This may include small misspellings or characters that look similar to others in order to spoof real URLs, such as replacing the letter "o" with the number "0."

For example, fraudsters targeted PayPal customers with the URL “PayPaI.com,” in which the uppercase "I" looks nearly identical to a lowercase "l" on some Windows computers. [2]

2. Don’t be fooled by legitimate-looking subdomains

Every website has a primary domain name, such as “Amazon.com.” A subdomain is an extension to the primary domain, such as “advertising.amazon.com.” Regardless of the extension, the primary domain always stays the same.  

Some fake websites trick victims by changing the order of the domains, such as in Microsoft.fakewebsite.com (in this example, “Microsoft” is the subdomain, not the official domain). Others use official-looking domain names that are altogether different from the organization's real domain, counting on most people not knowing enough to question their authenticity.

Tip: Always double-check the URL. Before clicking or submitting anything on a website, perform a quick Google search to reveal the company's proper URL and domain name to make sure you're going to the right place.
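The checks from steps 1 and 2 can be automated. The Python sketch below is an added example, not part of the original article: it pulls the primary domain out of a URL and flags look-alike spellings and brand names used as subdomains. The brand allowlist, the short suffix list (a stand-in for the Public Suffix List), and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): brand name -> its real primary domain.
OFFICIAL = {"paypal": "paypal.com", "amazon": "amazon.com",
            "microsoft": "microsoft.com"}
# Simplification: production code should consult the Public Suffix List.
TWO_PART_SUFFIXES = {"co.uk", "com.au"}
# Look-alike folds: "0" for "o" and "I" for "l" come from the article;
# "1" for "l" is an added assumption. Hostnames are lowercased, so "I" is "i".
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l"})


def hostname(url):
    """Return the lowercased host of a URL, with or without a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host):
    """Return the primary domain: last two labels (three for co.uk etc.)."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_PART_SUFFIXES else 2
    return ".".join(labels[-keep:])


def skeleton(label):
    """Fold visually confusable characters so look-alikes compare equal."""
    return label.lower().translate(FOLD)


def check_url(url):
    """Classify a URL as official, lookalike, brand-in-subdomain or unknown."""
    host = hostname(url)
    primary = registrable_domain(host)
    if primary in OFFICIAL.values():
        return ("official", primary)
    name = primary.split(".")[0]
    for brand, real in OFFICIAL.items():
        if skeleton(name) == skeleton(brand):
            return ("lookalike", real)
    # Whatever sits in front of the primary domain is only a subdomain.
    subdomains = host[: -len(primary)].rstrip(".").split(".")
    for brand, real in OFFICIAL.items():
        if brand in subdomains:
            return ("brand-in-subdomain", real)
    return ("unknown", primary)
```

An "unknown" result only means the domain matched none of the listed brands; it says nothing about whether the site is safe.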

3. Inspect the site’s security certificate

Most reputable, modern-day websites have Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates, which establish a secure and encrypted connection between your device and the server. While not mandatory for all websites, online stores and retailers should always have SSL certificates to protect personal and financial data.

You can check a site’s SSL certificate by clicking on the icon next to the URL and then “Security.”

Sites with valid security certificates also have “HTTPS” in their URLs, and padlock icons in the address bar. These aren't safety guarantees, however, as many fake sites have SSL certificates as well. 

4. Consider how you found the website in the first place

When in doubt, think about how you initially arrived at the site in question. 

If you typed in the URL yourself, are you sure you entered the correct website address? 

If you clicked on a link, was it from a reputable site or sender? Analyze the sender's email address, signature, and contact details to ensure that they are who they say they are. For example, if the email is supposed to be from Amazon, but it comes from a Gmail address, it’s a scam. 

Tip: Avoid links in most situations. Scammers have become so cunning that all links need to be scrutinized. Get in the habit of avoiding any unsolicited links included in emails and texts. Run a Google search to find the correct address and link, or carefully type in the URL yourself. 

5. Use Safe Browsing tools or a website checker

Most web browsers come with built-in Safe Browsing features that warn you when you're visiting risky sites or downloading something suspicious — including Chrome, Safari, and Firefox. You can also check a website URL before visiting by entering it into Google's Safe Browsing site status checker. 

Tip: Adjust your Safe Browsing settings to your liking. In your browser Settings, you can choose the level of protection you need and what warnings you want displayed. You'll find Safari's Safe Browsing options in the main Settings page, while Chrome and Firefox have it listed under Privacy and Security.

6. Look for spelling, grammar, and formatting issues

Scammers don't tend to invest the same time and money in creating and editing website content as legitimate site owners do — leading to typos, formatting mistakes, and awkward phrasing. 

The rise of AI content has made it easier for scammers to whip up passable content for sites, so you also need to be on the lookout for anything that doesn't seem authentically human.

Tip: Use an AI checker. While some legitimate companies use AI to create content, few rely on it completely. Though not perfect, AI detectors can help you figure out if website copy was written by a human or AI. 

7. Be wary of poor-quality design or photos

Compared to legitimate websites, scam websites usually look noticeably worse. They tend to feature messy design elements and pixelated images and photos. In addition to their low quality, these sites often use simple website templates with functionality and navigation issues. 

Tip: Pay attention to broken links. Scammers often race through the design process and ignore many of the links on their website templates. If you encounter broken links or sections of a site that don't work, you should think twice about sharing information on that site.   

8. Find out how long a site has been online

In a Google search box, type “site:example.com”, replacing “example.com” with the URL of the site you’re investigating. You’ll see all of the pages (usually hundreds or thousands) that Google has indexed from the site. Because billions of websites exist, Google indexes them with an automated process and therefore does not catch fake websites immediately. Next, find out when these pages were indexed, which shows how long the site has been in existence.

9. Find out how long a website has been in business using Google Search

After conducting your search using “site:”, click on “Search tools,” followed by “Any time,” and select “Custom range…” at the bottom. To find out if the website has been around for more than one year, simply go back a year in time (for example, if we are in 2022, you could use the date range 1/1/2021-12/31/2021 to cover all of 2021). If the website existed in 2021, search results will appear. If not, none will. Keep going back in time to find out how old the website is.

10. Check the “About,” “Shipping,” and “Privacy Policy” pages

Scam websites often ignore the finer details that go into a website, such as the “About” page or the legal information included in the terms and conditions and privacy policy descriptions. 

Try to read through the shipping information and return policy to ensure that everything stacks up. If any of these pages are missing or lacking important details, avoid dealing with this website. 

Tip: Verify the contact information. Double-check the company's contact details, such as its phone number and physical address. Verify this data with a Google or map search; or even give the phone number a quick call to make sure it's legitimate. 

11. Research the company’s social media and online presence

Most companies have an online presence that goes beyond their website. The company should be mentioned in other places online or provide publicly available information, such as press releases. Companies usually have some sort of social media presence as well, including multiple social media accounts exhibiting relatively up-to-date activity.

Did You Visit a Fake Website? Here’s What To Do

If scammers tricked you with a fake website that prompted you to click on a link or share personal data, you should take immediate action to protect your information and identity. 

Here are the steps you should follow:

  • Review your online accounts for suspicious activity. Log in to make sure you haven't been locked out of your online accounts. Then, look for signs that your accounts might have been compromised — such as unfamiliar login attempts, password reset requests, or sent emails. 

  • Check your financial accounts for signs of fraud. Look through your bank account activity and statements for unauthorized payments. Review your contact information and ensure that nothing was changed. 

  • Update your passwords, and enable 2FA. Update your passwords on all of your accounts, not just the ones that might be affected. Add two-factor authentication (2FA) whenever possible to create an extra security layer for the future. 

  • Freeze your credit with all three major bureaus. Once you request a credit freeze, your credit will be inaccessible to anyone, including yourself. You need to request the freeze with each of the three major bureaus individually — Equifax, TransUnion, and Experian. When you want your credit file opened again, you will need to manually lift the freeze. 

  • Contact your bank and credit card company. Call the fraud departments of your bank and credit card company and inform them of the issue. Depending on the situation, they may either flag your account or close it entirely and issue you a new one. 

  • Reach out to any other relevant organizations. Call any organizations that were affected by the fraud and let them know. In some cases, they can reverse the charges right then and there. 

  • Scan your device for malware. Run an antivirus program on your device to identify and quarantine any malware you might have picked up on the website. If you find and remove malware, restart your device and run the antivirus again to see if the problem remains or returns. 

  • Submit a complaint to the FTC. Depending on your circumstances, you either want to submit a fraud complaint at ReportFraud.ftc.gov or an identity theft complaint at IdentityTheft.gov. The FTC can also help you plan your next steps. 

  • File a report with the authorities. You can file a police report at your local law enforcement office as well. A police report may be required by your bank for some fraud claims. You might also opt to submit a complaint with the FBI's Internet Crime Complaint Center (IC3).

  • Report the scam website. You can report scam websites in several ways — including reporting them to Google, which has a reporting page for phishing sites and malicious software. You can also report page issues with most browsers through their Help menus. 

The Bottom Line: Stay Safe and Avoid Fake Websites

It's very unlikely that you can avoid fake websites entirely. What you can avoid, however, is making a mistake on one of these sites — such as clicking on a link, giving up private information, or sending money. 

Follow these tips to ensure that you’re staying safe online and avoiding fake websites:

  • Visit important websites directly, or save them in your bookmarks. For sites such as your online bank or other sensitive websites, enter the URL directly or keep them saved in your bookmarks to ensure that you don’t end up on a spoofed version of the site. Better yet, use the company’s official mobile app. 

  • Use a password manager to store and enter your credentials. It can be difficult to create and remember unique and complex passwords for all of your online accounts. Rather than reusing or storing passwords in unsafe ways, use a secure password manager to keep track of them all. 

  • Protect your accounts with 2FA whenever possible. Adding 2FA to your accounts puts an additional hurdle in front of hackers and scammers. For access to an account with 2FA, they'll need your credentials and your device. 

  • Check suspicious websites with Safe Browsing tools. Use a web browser or a third-party service with Safe Browsing tools to block or warn against suspicious websites. When in doubt, run the URL through a website checker.

  • Don’t use non-traditional payment options. When shopping online, stick to the primary payment options. Scam sites often use non-traditional payment methods because they're harder to track and reverse. 

  • Consider signing up for identity and credit protection. Identity and credit protection providers monitor your information and credit file and notify you immediately if something suspicious is detected. If your data leaks on the Dark Web or someone opens an account in your name, you'll receive an alert. 

With scammers using fake websites in most of the latest phishing and vishing scams, your best defense is simply knowing how to spot and avoid them.


[1] Phishing Activity Trends Report, 2nd Quarter 2023
[2] PayPaI - Wikipedia

This article was originally posted by identityguard.com. Article content and third-party links are provided for information purposes only. 
