How to Spot a Fake Website: 7 Ways to Tell if a Site is Malicious
With modern technology and services, it’s pretty easy to make a website. That’s great for those of us who need or want to create one. But that also means scammers can make websites really easily, too. And since so much of our lives – work, school, banking, shopping, and more – is done online, if they can trick you into putting your credit card number, personal information, or password into a fake website, they can access your money, hold your accounts hostage, steal your identity, and more. Fraudulent websites are great for scammers, and they’re everywhere. Knowing how to spot a fake website is essential to using the internet safely.
What Makes Fake Websites So Dangerous
Fake websites can look like anything, claim anything, and even imitate legitimate websites astonishingly well. If you don’t know how to spot them, you may give your information to a fake website and have no idea until you spot suspicious charges or the signs of identity theft. That may be weeks or even months down the line. That gives the criminals time to do a lot of damage with your information.
Fake websites can also show up in many different guises. Sometimes they are fake online stores, where your order never shows up or your card is used fraudulently. They can imitate real businesses and organizations that have a legitimate reason to ask for your identifying information, but putting it into a fake site gives scammers everything they need to steal your identity. Sometimes they trick you into giving up your login information with a fake login page for a real website, or they pretend to be a Medicare or health insurance website to commit medical identity theft. They may pretend to be a travel agency or travel booking site to get your money or your passport information (or both). Still others set up their fake sites to download ransomware, malware, or viruses to your device so you don’t even have to enter anything to become a victim.
These are just a few of the ways fake websites can target you. Scammers are creative and always coming up with new tricks and schemes. But when it comes to websites, they can’t hide everything. If you know how to spot a fake website, one of the following tips should help you identify them.
Method #1: Verify Site Security
If a scammer told you they were telling you the truth and not trying to steal from you, that wouldn’t make them any less of a scammer. That would just be one more lie they’re telling. The same thing is true for websites. Some fake websites may put up awards, sections where their fake product or fake website has been featured in well-known publications, or security logos to try to look legitimate.
Don’t trust what the website says about itself. It’s easy for criminals to copy and paste logos and claim awards that they haven’t really won. Instead of believing its claims, verify! One thing you can check is the website’s security. Secure websites have something called an SSL certificate. SSL stands for Secure Sockets Layer, and it keeps anyone other than you and the website owner from seeing the data you put into the website.
You can easily check if a website has a valid SSL certificate. Most modern browsers have a padlock symbol next to the address bar. If the symbol is a closed padlock, the website has an SSL certificate. If the padlock is open or there’s an exclamation point next to it, there is no SSL certificate. Websites with SSL certificates will also use HTTPS instead of HTTP. That means if you look at the address bar at the top of your browser screen and see an address that starts with “https://”, that site has an SSL certificate.
SSL does not mean it’s legitimate! Over 80% of fake sites have SSL certificates these days. So this tool to spot a fake website isn’t foolproof. You definitely don’t want to trust a website that doesn’t have an SSL certificate. But if it does, don’t trust it just because of that.
Method #2: Check the Domain
To understand how to spot a fake website by checking the domain, you have to understand a little bit about how domains work. But don’t worry, we won’t get too technical. (If you do want to get technical, check out this article.) The main things you need to know are three parts of a web address: Top-level domains (TLDs), domain names, and subdomains.
You’re probably already familiar with top-level domains: It’s the .com, .org, .net, or other part with a dot and then two to four letters on the end of a web address. This can actually tell you something about the website’s trustworthiness, too. While anyone can purchase TLDs like .com or .org, some can only be used by certain institutions (only the government can use .gov and only educational institutions can use .edu, for example). So irs.gov is the real IRS website, but irs.net could be anybody.
The domain name is the part that comes before the TLD but after any other dots in the address. The domain name is the actual website you’re on. So for the IRS example above, the TLD is .gov and the domain name is “irs”. And for www.WhatIsMyIPAddress.com, the TLD is .com and the domain name is “WhatIsMyIPAddress”.
The final important thing to know is subdomains. Subdomains come before the domain name, aren’t “https://” or “www,” and have a dot between them and the domain name. Let’s say you see “https://forums.whatismyipaddress.com/viewforum.php” in your address bar. We know .com is the TLD and “whatismyipaddress” is the domain name. There’s a dot before the domain name, and the part between the domain name and “https://” says “forums.” So in this web address, “forums” is the subdomain. Not every address has a subdomain, so it’s important to know how to spot them.
How to Tell if a Domain is Suspicious
Now that you know how to identify the parts of a domain, you can analyze the domain in the address bar at the top of your browser. It could be something as simple as “https://samplewebsite.com” or as complicated as “https://site.website.com/apage/morepage/?utm=224557ae27wte7e25twge”. But don’t be intimidated. Ignore the “https://” part and everything after the third slash. Then use what you’ve learned to determine if you’re looking at a suspicious or untrustworthy site.
First, look very closely at the actual characters in the domain name to make sure they’re accurate. Did you mis-type something and end up on yourbamk.com instead of yourbank.com? Is there a lookalike character, like a 1 instead of an L, turning realsite.com into the fake rea1site.com? If you find the domain name is close to, but not exactly, the site you wanted to visit, you’ve spotted a fake website.
Next, check the TLD. Were you expecting to end up on the Social Security Administration’s website (ssa.gov), but the TLD is .com? You’re on a fake site. We all know Facebook’s web address is “facebook.com”. On a website that looks like Facebook but the TLD is .net? You’ve spotted a fake website.
Finally, look at the subdomain and domain name to see if the fake website is hoping you won’t spot the difference between the two. Say your address bar reads “https://amazon.customer-support-now.com”. The TLD is .com. Everything between the TLD and the next dot is the domain name. So the domain name is customer-support-now. It may say “amazon” in the address, but because there’s a dot between it and the rest of the address, it’s a subdomain. This website is hoping you see “amazon” in the address bar and assume you’re on Amazon.com’s website, even though you’re not. That’s a fake website!
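The three checks above (lookalike or mistyped characters, wrong TLD, brand name used only as a subdomain) can be automated. The following is an added example, not part of the original article: the EXPECTED list and LOOKALIKES map are constructed from the article's sample addresses, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption: sites the reader meant to visit, taken from the article's examples.
EXPECTED = {"irs": "gov", "ssa": "gov", "facebook": "com",
            "amazon": "com", "realsite": "com", "yourbank": "com"}
# Assumption: a small constructed map of digits that stand in for letters.
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def split_host(url):
    """Split a URL into (subdomains, domain name, TLD) using the article's model.

    Caveat: the last label is treated as the TLD, so suffixes such as .co.uk
    are not handled; production code should consult the Public Suffix List.
    """
    parts = urlsplit(url if "//" in url else "//" + url)
    labels = (parts.hostname or "").rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"no domain name in {url!r}")
    subs = [lab for lab in labels[:-2] if lab != "www"]
    return subs, labels[-2], labels[-1]


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check(url):
    """Return a list of warnings; an empty list means no red flag was found."""
    subs, name, tld = split_host(url)
    if name in EXPECTED:
        if tld == EXPECTED[name]:
            return []
        return [f"wrong TLD: expected {name}.{EXPECTED[name]}, got .{tld}"]
    warnings = []
    for brand in EXPECTED:
        if brand in subs:
            warnings.append(f"'{brand}' is only a subdomain of {name}.{tld}")
        elif name.translate(LOOKALIKES) == brand:
            warnings.append(f"lookalike characters: {name} imitates {brand}")
        elif edit_distance(name, brand) == 1:
            warnings.append(f"one character away from {brand}")
    return warnings


if __name__ == "__main__":
    for sample in ("https://www.irs.gov/", "https://irs.net", "https://rea1site.com",
                   "https://yourbamk.com", "https://amazon.customer-support-now.com"):
        print(sample, "->", check(sample) or "no red flag")
```

An empty result only means none of these three domain tricks was detected; the other methods in this article still apply.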
Method #3: Look for Info and Policies
Legitimate websites, especially legitimate online stores, should have information available about them on the site. One of the ways you can spot a fake website is by looking for physical addresses, phone numbers, and an About or About Us page or section. Fake websites often skip these, though not always.
Another check you can do is actually calling the phone number or looking up the address. If you look up the address on Google Maps or Apple Maps, does it exist, and does the location make sense for the type of business? A website that claims to be a large online retailer probably doesn’t operate out of a downtown apartment or a house in the suburbs.
Also check the website’s policies. If it’s an online store or other site that sells or ships physical items, it should have a return, refund, or shipping policy available somewhere – ideally all three. And almost every site should have a privacy policy. You can usually find links to these policies at the very bottom of the website. If you do find the policies, copy and paste them into a search engine to see if they were stolen from another website. If they were, that’s a warning sign that the site may be fake.
Method #4: Critique the Design
Scammers are trying to make as much money as they can with as little effort as possible. And in their ideal world, you’re only on their site long enough to hand over your money or personal information anyway. So they generally don’t put a lot of effort into making their fake websites look good. That means you can often spot a fake website by looking for issues with the design itself. Here are just a few things to watch for:
- Photos that are blurry, pixelated, or badly photoshopped
- Strange or irrelevant image choices or overly cartoonish graphics
- Buttons, links, or menus that don’t go anywhere or take you to an error page
- Strange or confusing layouts
- It looks outdated or like it was made by a child or an amateur
- Overly simple or lacking navigation buttons
Any of these design issues in a website could mean it was created in a hurry by a scammer who didn’t take the time to make sure it looked good or functioned properly. But the biggest red flag is if it doesn’t look like you’d expect. The United States Postal Service is a huge organization that employs professional web designers to make a large, useful, functional, well-designed site. So if you’re on a website that’s just white text on a plain blue background, that’s not a legitimate USPS site. This is true for any company or organization that’s large, well-known, or trying to look legitimate in any way. Don’t trust a site that doesn’t work or that looks cheap, rushed, outdated, overly simplistic, or just plain bad.
Method #5: Read the Text
Legitimate websites go through many levels of proofreading before they get put out into the digital world. While a typo or two may slip through, they’re not common. So one way you can spot a fake website is the same method you can use to spot a fake email, text message, or letter – read the text and look for errors!
Look for typos, misspellings, grammar issues, missed words, homonyms (“their” instead of “there,” for example), strangely-worded sentences and phrases, and missing or misplaced punctuation. It’s not impossible for a few of these to slip through on a legitimate website. But if the site is riddled with issues, you’ve probably found a fake website. At the very least, you’ve found a site with a creator who didn’t care enough to proofread their work, which means you probably don’t want to give them any of your information anyway!
It’s important to note that absence of errors doesn’t mean a site is legitimate. Especially with artificial intelligence tools these days, it’s extremely easy for a scammer to create a fake website with perfect, error-free text. If you spot a bunch of errors, you’ve probably found a fake website. But if you don’t spot any errors, that doesn’t mean it’s legitimate. Use one of the other methods to verify it.
Method #6: Check the Whois
When you buy a house, the record of your ownership of that house goes on file with your local government. In the same way, when someone buys a domain name, the record of their ownership gets filed online. Whois is a tool you can use to look up that ownership. You can run a Whois search by going to whois.com and typing or pasting the web address into the search box.
The very first pieces of information you’re going to get are what company is currently being used to register the domain and when the domain was first registered. This is an easy way to check how legitimate a website is. If the site claims it’s been around since 1996 but the Whois information says it was just registered last month, you’ve spotted a fake website.
Another thing the Whois might give you is the name and contact information of the owner. However, that doesn’t always happen. There are tools people can use to have their real information hidden by a proxy on the Whois search. This makes sense. Nobody wants their name, address, phone number, and email publicly available on the internet. It’s a risk to your privacy and your safety, and it’s good that these tools are available. However, that means that many scammers know how to set up proxies, too, and you may not get additional information. In some cases, you may be able to spot a fake website because it claims to be based in the United States but the Whois address is in Southeast Asia. But most often, it will be hidden.
Method #7: Do a Search
If you’ve gone through all the other methods and you’re still not sure, or if you haven’t seen anything that particularly looks suspicious but you have a gut feeling something is wrong, you can do a search. Type the web address into Google and add the word “scam” to see if anyone has posted about the website being fraudulent. Especially if it’s a new website (check the Whois!) no one may have reported it yet. But chances are good that if it is a fake website, someone will have spotted it or been a victim of their scam and said something online.
Another place you can search is the Better Business Bureau’s Scam Tracker at bbb.org/scamtracker. Paste the web address into the search bar and set the type of lookup to “website”. If someone has reported the website as fake to the BBB, it will show up in this search.
What to Do If You Spot a Fake Website
You’ve gone through some (or all) of these ways to spot a fake website, and you’re pretty sure you’ve spotted one. First of all, congratulations on learning how to spot a fake website and successfully applying that knowledge to identify something dangerous! That’s a great skill to have.
Your next step should be to report the site. You can do so from your browser. In Chrome, click the three dots in the top right, hover your cursor over “Help”, and select “Report an Issue”. Add any details to your report that you want, then click “Send”. In Firefox, click the three lines in the top right, click “Help,” then select “Report Deceptive Site”. Add comments if you want, then click “Submit Report”. In Microsoft Edge, click the three dots in the top right, hover your cursor over “Help and Feedback”, and select “Report Unsafe Site”. Check the boxes relevant to the type of site, fill out the captcha, and submit.
You can also report fraudulent websites to the BBB’s Scam Tracker at bbb.org/scamtracker and to the Federal Trade Commission at reportfraud.ftc.gov.
Steps to Protect Yourself if You Went on a Fake Website
The downside to knowing how to spot fake websites is that only checking the domain, checking the Whois, and doing a search can be done without actually going onto the fake website. And not every fake website requires you to do anything to make you a victim. Sometimes just visiting the sites can be dangerous.
If you went to a scam website at any point, your first step should be to run a scan with your antivirus software. (If you don’t have one yet, check out this article for our recommendations.) Follow the software’s recommendations to deal with anything that looks suspicious or malicious. You should also assume that your device may have been compromised. Update all your passwords for all your accounts (a password manager can help) and turn on two-factor authentication where you can. Also review all your financial accounts for warning signs of fraud. It’s also a good idea to freeze your credit.
If you put your card information into a fake website, immediately contact your bank or financial institution. Tell them the card was compromised and request they cancel it and issue you a new one. Watch those accounts closely for transactions you didn’t make and report them immediately.
If you gave a fake site your personal or identifying information, freeze your credit immediately. Call all your banks and financial institutions and let them know they should be on the lookout for fraud in your name. You can also visit identitytheft.gov for more tips and ways to report it.
You should always report fake websites as we suggest above. But if you actually lost money or had your identity stolen because of one, you can also file a report with your local police and report it to the FBI at ic3.gov.
Always Be Suspicious to Spot Fake Websites
Websites are easy to make and scammers are creating fake websites all the time. It’s good to always be suspicious of every website you visit, and even more so if you will be putting in payment information, logging in, or giving it any of your personal information.
Always beware of links that are sent to you, whether they’re sent by email, text message, social media message, or anything else. Scammers are really good at making obviously fake and suspicious links look legitimate. To test a link before you click, you can hover your mouse over it, and the real domain will show up in the bottom left corner of your screen. Then you can analyze the domain and check the Whois like we talk about above. On mobile, you can press and hold and the real domain will show up.
It’s always better to type web addresses into your browser yourself rather than click on links. But don’t necessarily trust a link just because you typed it. Did you type in .com even though the real address is .org? Did you mis-type a letter? All of these are easy to do but give scammers an opportunity to create fake sites with a very similar domain or a different TLD. Check everything before you put in any information.
Once you master these ways to spot fake websites, they will become second nature. Most of the time, it only takes a few seconds of looking at the domain, design, or text of a site to know if something is fishy and it needs more investigation. Knowing how to spot a fake website will help you stay safe online.