Our Blog

The latest news about Internet security and privacy.

How to Spot Fake Websites Easily

Posted by BulletVPN on 22 04 2020.

Online frauds involving phishing are on the rise. That’s mostly because a growing number of consumers are buying products online. Not to mention that the number of online banking transactions between firms is growing.

Methods to lure you into entering your credit card data into a form on a fake site vary. It may take the form of a random email message with an infected link inside, it can be a carefully crafted spearphishing message that looks like the one you expect from your accountant or you can land on a fake website that replaces a specific site when being accessed from certain networks.

Which are the most common attack vectors that involve phishing? How to spot fake sites created specifically for you or for a larger audience? These are sometimes a problem of survival if you are running a business or your job requires the use of numerous services online. In this guide, we’ll be addressing all of the above, giving you tips on how to spot fake websites in the process.

Which Services Are Most Common Targets of Phishing

Evidently, webmail services and SaaS products are the main targets of cyber-criminals as both provide them with valuable login credentials to exploit.

Most websites use your email address as a username and most users keep their passwords for various online services somewhere in their inbox. By getting access to your email login credentials through a website that mimics the original webmail service, an attacker gets access both to passwords stored in your inbox and access to your email account, which can be used to change passwords you use for any service.

Source: Statista
For their part, Software-as-a-Service platforms (SaaS) are mostly business applications. They store sensitive information and also enable an attacker to get access to other linked services such as company databases or accounting software.

The most widespread kinds of phishing emails that want to steal sensitive data from you are trying to make you open a website on which you are asked to enter one or more of the following details:

  • Bank account or credit card numbers
  • Social security number
  • Driver’s license number
  • Insurance policy numbers
  • Date of birth
  • State or employee identification number.

Actually, these fake websites are looking to collect as much personal information as possible. They can use it for identity theft or getting access to bank card accounts or other financial/business accounts. And fake sites are coming to you using various channels.

How Fake Sites Reach You?

Cyber-thieves are taking advantage of each and every online channel to make you visit their malicious website that mimics a legitimate one.

Hackers deliver phishing links to fake websites through email, ads on Google, Bing, and other popular search engines as well as through social media sites.

If you are a C-level executive, business owner, or a public figure, you may get a meticulously crafted fake message. It might replicate a legitimate invoice from a partner. Even worse, it might ask you to log in and change some info in a business-critical application online.

High-level phishing campaigns may involve even phone calls from fraudsters who pretend to be calling on behalf of your banking institution or one of your business partners, also asking you to log in to a website that is being replicated to steal your account credentials.

While mass phishing messages are easy to spot due to bad grammar, poor design, etc., scams that are more sophisticated are harder to identify but there are still clues you should be looking for.

Methods to Spot and Avoid Fake Sites

Modern web browsers have built-in protections against phishing sites and sites that contain malware. But these will not work against a fake site made by a professional hacking group.

A good practice is to always check if you are logging into the correct domain when using business-critical services. These include the likes of webmail, online accounting, and invoicing tools, and any online banking app.

Replicating the design of Google’s login page is easy while tens of thousands of businesses are using Google’s business suite of online tools that comprise corporate emails, office editors, and video conferencing.

Here is how a fake Google business account login page might look like:

As you can see, the letter “O” is replaced by “0”, or zeroes, to mimic the original Google domain address. It is a fake site that, in theory, is easy to recognize but it still might work if you are not checking if you are logging to the correct address.

That is one of the reasons for Google to redirecting you to their correct address if you type “Gogle.com” in your browser’s address bar and warning you if you type “Gooogle.com”, which is also a domain registered by Google.

What You Should Do

You should make the checking of the address of the website or the online service you are accessing a habit. However, there are more routines you should develop in order to avoid fake sites and online scams.

  • Never respond to messages asking for sensitive information. We’re referring to your bank account information, credit or debit card details, social security number, or ID number. Banks, utilities, and government agencies do not ask for such information online. No to mention that no website requires such info as part of their standard login process.
  • Always check if you are login to and entering info on a secure website. Most browsers now check and show if you are using a secure HTTPS connection. However, it’s always worth looking at the address bar to verify it is secure.
  • Examine any link you are getting as a method to visit any given website. You might find suspicious elements such as additional domain addresses. For instance, “account.google.com” is a valid address while “account.google.business.com” is not a legitimate one.
  • If you suspect that a link is malicious, just copy and paste it into a new browser window to check what it opens. Investigate the link to the website further. How? Check the domain name registration for this address to see if it is a legitimate one. Actually, you can do this for any random website for which you are not sure who owns it and where it is registered.
  • Use a Virtual Private Network to anonymize your internet browsing and encrypt your data.

Finally, use common sense when browsing the Internet. Think twice when following links you receive in your inbox or another communications channel. Your bank will not ask you to confirm your account credentials online once you have opened an online banking account with them.

Concluding Words

Most of the time, the average user should fight with fake websites and phishing messages himself. Enterprise-grade antivirus suites and some advanced VPN apps are very good tools for protection. They are able to detect malicious links and sites but not all of them and not all of the time.

Developing strong habits to check whether you are visiting the right (original) website and not reveal sensitive information online is your primary line of defense against online scams and bogus websites. Enhancing your device’s security measures is yet another way to protect yourself. Don’t take the threat lightly; You’re risking your private information without taking proper precautions.

Leave a Reply

Your email address will not be published.