The statistics on Internet fraud, specifically through phishing attempts, are staggering. Phishing is a method of getting people to reveal their confidential information through fake or “spoofed” emails or websites that look legitimate. Phishers often copy popular sites to trick people into entering their passwords, account numbers or banking information. According to a report by the Anti-Phishing Working Group, the number of phishing websites increased 25% from 2015 to 2016. This type of Internet fraud costs victims and companies approximately $4.5 billion per year. Scammers are continually devising new methods of preying on Internet users, and while they frequently target sites that deal with financial information, phishers also steal passwords, Social Security numbers and other personal information. Here’s how to recognize a spoofed website and avoid being a victim of fraud.
1. Look for the “s”.
Sites that involve financial transactions such as banking or shopping should use a secure connection to ensure that any information conveyed between the browser and the server is encrypted. Always verify that the site is secure by making sure the URL in the address bar starts with “https://”. The “s” stands for secure and means that the site uses Secure Sockets Layer or Transport Layer Security (SSL/TLS). Websites that use SSL/TLS will display a closed padlock in the status bar when they ask for your password or personal or financial information. Spoofed websites don’t have this because scammers don’t need the SSL certificate – they shut their sites down as soon as they collect the information they want.
2. Check the URL.
If a website is unsecured, check the URL in the address bar. All URLs follow a basic format (http://domain.tld/). TLD is the top-level domain, which may be com, net, org, edu or something else. When you type a URL such as “http://google.com”, Google is the domain name and com is the TLD.
The authentic domain name and the top-level domain are usually in the first part of the URL, before the single slash. A valid Google URL looks like this:
An invalid URL looks like this:
In the valid URLs, the domain and the TLD are followed by a single slash, and the rest of the address comes after the slash. Note that the second URL does not take you to Google Images. Phishing websites use URLs that sound official or are similar to well-known URLs but are completely fake.
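The rule in this step (the real domain and TLD sit directly before the first single slash) can be checked mechanically, together with the “https://” check from step 1. The Python sketch below is an added example, not part of the original article; the function name check_url, the verdict labels and the sample URLs under example.test are constructed for illustration.

```python
from urllib.parse import urlsplit


def check_url(url, expected_domain):
    """Compare the host of `url` with the domain the user expects to visit.

    Returns (verdict, host). verdict is "match", "match-insecure",
    "mismatch" or "invalid".
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased; "user@" prefix and ":port" removed
    except ValueError:  # e.g. malformed bracketed host
        return "invalid", None
    if parts.scheme not in ("http", "https") or not host:
        return "invalid", host
    host = host.rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    # The host must be the expected domain itself or end with ".<expected>".
    # A plain suffix test without the dot would accept "notgoogle.com".
    if host != expected and not host.endswith("." + expected):
        return "mismatch", host
    # Right domain, but step 1 still applies: no "s", no encryption.
    if parts.scheme != "https":
        return "match-insecure", host
    return "match", host


# Constructed sample URLs; example.test is a reserved, non-routable name.
SAMPLES = [
    "https://images.google.com/search",         # subdomain of the real domain
    "http://google.com/",                       # real domain, no TLS
    "https://google.com.images.example.test/",  # real name used as a subdomain label
    "https://example.test/google.com/images",   # real name only after the slash
    "http://google.com@login.example.test/",    # real name before an "@"
    "https://notgoogle.com/",                   # look-alike suffix
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, host = check_url(sample, "google.com")
        print(f"{verdict:15} host={host}  <- {sample}")
```

In every "mismatch" case the text “google.com” appears somewhere in the address, but the host that the browser actually contacts belongs to a different domain.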
3. Check the contact information.
Legitimate websites for financial institutions such as banks and credit card companies publish their contact information. If you call the phone number on the website during normal business hours and hear an automatic voice messaging system, this should be a red flag. Also, check any email addresses listed on the website – the part of the email address after the “@” should include the proper domain and TLD. Be suspicious of contact email addresses that use free email providers such as Gmail or Hotmail.
4. Check the details.
Legitimate companies are very particular about their public image. You’ll rarely see any grammatical errors, misspellings or typos on their websites. For the phishers, it’s all about getting your information. You may see unusual grammar mistakes, oddly formal language or poor-resolution images and logos. While some spoofed sites look convincingly legitimate, most phishers are in a hurry to collect your information and overlook these details.
5. Do your research.
Be suspicious of websites that you’ve never heard of or dealt with before, especially if you get there through an email link. Do a search for reviews on the company name or the URL and avoid sites that have too many negative reviews and comments or that have no other online presence.