In the age of digital transformation, knowing how to identify fake websites is not just helpful; it’s absolutely necessary to protect yourself online. Knowing how to spot a fraudulent website can protect your personal and work identity, your financial information and logins for your email and social media.
COVID-19 scams and identify theft are on the rise. The U.S. Department of Health and Human Services has warned the public about fraud related to the coronavirus, which could come in the form of calls, texts, social media messages or websites. Even as we transition to a new normal, online scams will not stop, and will likely increase. Understanding how to check if a website is authentic will help protect you now and in the future against fake websites.
One key indicator of a fake site is a misspelled URL. Fraudsters may change up a URL name slightly, like using amaz0n.com, or they may change the domain extension — like amazon.org instead of amazon.com.
A site seal signals that the site is authentic, and you can usually click on a site seal to reveal more information about the website and how it was verified. Seals that do nothing when clicked should not be trusted, as they are likely illegitimate copies of seals.
The padlock on a website means that a site is secured by an TLS/SSL certificate that encrypts user data. You can look for the lock on the upper left of the address bar. There are three types of TLS certificates that will each display a lock: Domain Validation, Organization Validation and Extended Validation.
If a site doesn’t have a lock, most browsers will display a “not secure” warning. In the past, simply looking for the lock was enough, but with the increase of online fraud you need to look deeper than the padlock to verify a website.
The padlock means that information on a site is encrypted and browsers will consider it secure. Unfortunately, nowadays, a secure site does not necessarily mean a website is safe to buy from or share information with. Just because a site has a padlock doesn’t necessarily mean that it is not a fake. Research shows up to half of fake sites used for phishing have a padlock now.
Typically, fraudsters use DV certificates: low-level TLS certificates that some certificate authorities offer for free, so that they only have to prove that they own the site to get a lock. With DV certificates, they do not have to prove that the company is legitimate. At times they may use an OV or EV certificate, but because these require more effort to obtain, including proving a business registration, paying with a valid credit card and responding to certificate authority inquiries, most criminals are deterred from using them.
Fake websites using TLS certificates are usually caught, but they might be able to wreak havoc temporarily with a certificate.
You should look beyond the lock by clicking on it once to reveal more information. For the highest level of authentication, if you click on the lock it will display “Issued to: [Company Name]” underneath “Certificate (Valid).” Unfortunately, this functionality only currently works on desktop browsers. But whether you’re on a mobile browser or desktop, the principles of looking beyond the lock to verify if a website is secure remain the same.
When in doubt, use a website checker to verify if a website is secure. A secure website check can let you know any vulnerabilities on the site, if it is using encryption and what level of verification a site has.
Besides checking for a lock, site seal and running the URL through a website checker, also look for the following trust indicators on a site:
In general, avoid any deals that seem too good to be true, because they likely are.
If you’ve landed on a fraudulent site, do not provide any sensitive information like financial details, a log in and password, verification codes, a Facebook login, or even your name and contact information. When in doubt, don’t fill it out. Additionally, do not click on links from unfamiliar emails, online posts or DMs. Knowing if a site is fake will help you know whether or not to buy from a site.
You should report a fake site to Google Safe Browsing and close out of it right away.