Imagine scrolling through the web and seeing a link for If this caught the corner of your eye, you may be inclined to click the link due to its close resemblance to the correct web address for Microsoft. But if you look closely, you will see a scammer used the letters “r” and “n” to form a fraudulent domain. This is just one of many examples of a cybersecurity threat known as a “spoofed,” or fake, website set up with one purpose: to take advantage of visitor data.

Spoofed sites often mimic legitimate ones, such as your financial institution or cell phone provider, but may have letters mixed up in the web address or list a faulty domain name. On a spoofed site, hackers can manipulate:

  • All content below the web address bar.
  • Icons and images, including favicons, which are the company icons displayed next to a browser’s address bar.
  • Domains and subdomains made to look similar to those of real companies to trick visitors.
  • The appearance of safety given by a Secure Sockets Layer (SSL) certificate, shown as the padlock image to the left of an address bar. This is often understood as a green light to use a site without worry, but an SSL certificate can often be bought.1

While attackers may be able to alter content and images on a website, there are a few giveaways to a fraudulent site:

URL Name

The first step in verifying the legitimacy of a site is to check the domain name and ensure it is your intended destination. To get you to visit a fraudulent site, hackers may use phishing or typosquatting. Phishing involves baiting you with a link in an email which, when clicked, redirects to a spoofed site where hackers “phish” for your personal and financial data. Make sure you know the source of an email before opening it or clicking on anything. As a rule of thumb, an unsolicited email from a stranger is likely a scam.

Typosquatting tricks users into thinking they entered the correct URL, such as, but it is actually a misspelling, such as Always check the spelling of the URLs you are visiting, as the dupes can be quite sneaky.
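The URL check described above can also be automated. The following Python code is an added example, not part of the original article: it compares a hostname with an assumed allowlist of trusted domains and flags look-alike characters (such as “rn” standing in for “m”), one-character typos, and a trusted name placed in the subdomain of an unrelated site. The allowlist, the look-alike table and the sample hostnames are constructed for illustration.

```python
# Added example: classify a hostname against an allowlist of trusted domains.
# TRUSTED and CONFUSABLES are assumptions for illustration, not exhaustive.
TRUSTED = ("microsoft.com", "amazon.com")
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def registrable(host):
    """Last two labels of the hostname (simplification; production code
    should consult the Public Suffix List for suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(domain):
    """Collapse look-alike character sequences to the letter they imitate."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return (verdict, trusted domain it resembles or None)."""
    host = host.lower().rstrip(".")
    domain = registrable(host)
    if domain in TRUSTED:
        return ("trusted", domain)
    for good in TRUSTED:
        if skeleton(domain) == skeleton(good):
            return ("lookalike", good)       # e.g. "rn" standing in for "m"
        if edit_distance(domain, good) <= 1:
            return ("typo", good)            # one dropped, added or changed character
        if host.startswith(good + ".") or "." + good + "." in host:
            return ("brand-in-subdomain", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample hostnames, not taken from the article.
    for h in ("www.microsoft.com", "rnicrosoft.com", "amazn.com",
              "microsoft.com.account-verify.example", "example.org"):
        print(h, classify(h))
```

The “rn” swap sits two edits away from the real name, so a plain typo check with a threshold of one would miss it; the look-alike table is what catches it.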

Poor Spelling and Grammar

One of the most obvious red flags of a scam is frequent spelling and grammar errors. These sites may be run by individuals in other countries, so a lot of mistakes, as well as frequent and intrusive ad pop-ups, are a dead giveaway of fraud.

Privacy and Return Policies

Oftentimes, a spoofed website will not bother completing extensive, low-traffic pages, including the privacy and return policies. While legitimate sites like Amazon and Microsoft have in-depth information about their policies easily accessible to every customer, fake sites may have poorly written or no policies available – or worse, content taken directly from other sites.

You can also check the Contact section of the website for a physical address, phone number and FAQ information. If none is listed, the site may be fraudulent.

Payment Methods

Legitimate e-commerce sites typically accept mainstream forms of payment, including major credit cards. If the only options to pay are gift cards, cryptocurrencies or a wire transfer, do not enter any information and close the tab.

If you identify a spoofed website, you can report it immediately to Google Safe Browsing or the Internet Crime Complaint Center (IC3). For scams outside of the U.S., report information to

Monitor our Security page for the latest information on scams and ways to safeguard your information.