How to recognize secure sites and avoid fake, scam or fraudulent websites

Published by on November 1, 2017 in Information Security

This guide will teach you how to recognize secure websites you can trust and how to spot fake ones run by fraudsters looking to scam you.

Chrome phishing
As wonderful as the internet is these days (and really, it’s quite miraculous when you think about it), a lot of what happens online is downright scary. The freedom and anonymity provided by the internet also make it a breeding ground for criminals and thieves, many of whom are constantly evolving their methods to steal data. One of the oldest methods in the online piracy playbook is the fake or scammed website.

If you’ve been around the web long enough, you’ve likely seen at least one of these, if not a large handful of them. Fake, scammed, or fraudulent websites are designed to trick you into giving up your valuable user information and in general are designed in such a way that those who are, let’s say, “less attentive”, will fall right into the traps laid out by these sites and their shadowy designers.

Who are the primary targets for these kinds of websites? Anyone gullible enough to fall for them, essentially.

What kind of data gets stolen using scam websites? Everything you can think of, although these websites typically focus on stealing information that allows them to make money, either immediately or in the long-term. As such, the type of data stolen or the traps set typically focus on:

  • Credit card information
  • Bank account information
  • Social security numbers
  • Usernames and passwords
  • Physical address
  • Private and compromising information

As scammers are getting more sophisticated in their tricks, it’s occasionally difficult to tell when a website might actually be a scam or a conduit to fraudulent material intended to steal your information. Here are a few easy things to look out for when you feel that a website might not be entirely trustworthy.

Check the website address against the page content

Always check the URL if you ended up on that page after you clicked on a link that redirected you there. This is often the case if you receive links in emails, or click on links from advertisements or those hosted on other websites.

This might be the most obvious way to spot a fake. Scam websites often try to spoof real ones, especially from big name websites, in order to collect your username and password from those sites. These websites are often known as phishing sites. The name should help clue you into what that entails.

A phishing website is one that’s designed to lure you in through its design and then catch your private and sensitive information after you hand it right over.

Social media sites are among the most commonly scammed sites for phishing attempts. Here’s an example of what this looks like in an image posted on the Expr3ss blog:

fake facebook site phishing

See the problem? Hopefully you would, even without the helpful arrow pointing it out. The page design looks exactly like what you’d find for Facebook, except for the clearly wrong URL. Unfortunately, this kind of spoofing is not entirely difficult to do, and indeed, the internet is replete with hacking websites providing tips and tricks for how to properly create Facebook phishing sites.

Make checking the URL of websites you visit a common practice, especially if you got to that website from an external link. At times, the link may be very similar to the real link, with only some subtle differences, such as www.face-book.com. Look for things such as dashes, underscores or extra words in places where there normally would not be.
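The same check can be done by a script. The following is an added illustration, not part of the original article: it compares a link's host against a short list of sites you actually use and reports the dash, underscore and extra-word tricks described above. The `TRUSTED` list, the `check_url` name and the sample links are constructed for this example, and it also flags text placed before an "@" in the link, which goes slightly beyond what the article covers.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the sites the reader actually means to visit.
TRUSTED = ("facebook.com", "paypal.com")


def check_url(url, trusted=TRUSTED):
    """Classify a link as 'trusted', 'suspicious' or 'unknown', with reasons."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare "www.site.com/..." as a host
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")

    # The real site: the trusted domain itself or a genuine subdomain of it.
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return "trusted", []

    reasons = []
    # Text before an "@" is login data, not the site; the host comes after it.
    if parts.username:
        reasons.append(f"'{parts.username}@' precedes the real host {host}")

    # Remove the separators the article warns about, then compare again.
    squeezed = host.replace("-", "").replace("_", "")
    for domain in trusted:
        brand = domain.split(".")[0]
        if squeezed == domain or squeezed.endswith("." + domain):
            reasons.append(f"dash/underscore variant of {domain}")
        elif brand in squeezed:
            reasons.append(f"'{brand}' used with extra words in {host}")

    return ("suspicious" if reasons else "unknown"), reasons


if __name__ == "__main__":
    # Constructed sample links; .example hosts are reserved and not real sites.
    for link in (
        "https://www.facebook.com/login",
        "www.face-book.com",
        "https://paypal-secure-login.example/signin",
        "https://facebook.com.account-check.example/",
        "https://facebook.com@login.example/",
        "https://example.org/",
    ):
        print(link, "->", check_url(link))
```

An "unknown" result only means the host resembles nothing on the list; it says nothing about whether the site is safe.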

See also: How to avoid common phishing scams

Check for an SSL/TLS certificate and padlock symbol

If there’s one thing internet pirates hate, it’s SSL/TLS certificates. Look specifically for the green padlock symbol next to a website address:

Facebook padlock symbol

If you see the green lock symbol, that means the website owners have applied for and received a secure SSL/TLS security certificate from a company authorized to sell them. Some security companies, such as Symantec (makers of Norton Antivirus), issue these certificates after extensive background checks and verification of website ownership. While the primary purpose of this security is to prevent hacking, the other benefit is that only legitimate websites can obtain them.

We’ve written in detail about what SSL/TLS security means for websites and consumers. In summary, it means the site is not likely to have been hacked, but in principle, it also means that if a site has this type of security legitimately in place, it’s not likely to be a scammed or fake website. So if you see the lock symbol, an HTTPS in the website address, and everything looks as it should (address matches page content), you’re likely good to go.

That said, some scam sites are even getting tricky with SSL/TLS certificates. Take a look at this scam PayPal site, for example:

Paypay security fake site

It certainly looks legit. It even has a legitimate lock symbol with SSL/TLS encryption. Unfortunately, some certificate issuing authorities are not exactly reputable. In this case, the authority that issued the certificate to this clearly fake website is one of those. This shows that even this method is not fully secure and that you’ll need to stay vigilant by matching on-page content with the URL. If you’re going to a popular, well-known site, always just type in the site address directly before trying to log in.

Look for a site map or website search bar

Nothing says “This website is a scam” like a site that only has one page. Sure, the 90s were full of one-page websites that involved endless amounts of scrolling, such as the infamous Time Cube, but in today’s time, that sort of thing is just not done. An empty website that’s trying to collect your information is one that you simply can’t and should not trust.

Check for an “About” page

Legitimate websites want you to know all about who they are. As such, they’ll have an “About” page at the bottom detailing who they are and usually laying out a pretty standard company or website ethos. It’s a standard practice, and most websites will build their About page in the early stages of website development. If you don’t see an About page, that should raise some serious red flags for you.

Here at Comparitech, for example, you can easily find a link to our About page and many other pages telling you all about who we are at the bottom of every page:

Comparitech about us

Alternatively, if the About page is listed but empty, or the word is there as if it’s a link but you can’t actually click on it, it’s likely a scam.

Check for a “Contact” page or contact information

If there’s one thing that scammers and fraudsters don’t want, it’s you contacting them (unless they’ve gotten you to install a nasty piece of ransomware that you’re trying to pay to get rid of). This is why you’ll almost never see a legitimate Contact page on a fake website. Secure sites will almost always have some type of method for contacting the site owners, even if you have to dig around the site a bit. The most reputable sites have multiple means of communication made available to you, typically including physical addresses, email addresses, phone numbers and online chat systems.

Take the website smallwebsites.co, for example:

Smallwebsites security

The site is extremely small, and for many might raise a few flags just based on overall design alone. However, a quick look shows it has some positive, trustworthy aspects, in particular, a very prominent contact phone number. The site also includes a small About section at the bottom, as well as multiple pages that outline what they do. I still have many questions about the site’s legitimacy after exploring some other options, such as the fact that you can actually submit a payment without ever actually signing up for any actual service, but the site does make it past some of the more obvious fraud and scam tests.

If the website you’re on has no contact information or only provides an email address that doesn’t look official, don’t trust it.

Check for proper spelling and grammar

Hoo boy. This is a touchy subject. Does bad spelling and grammar on a website mean that the site is fake? Not necessarily. Many websites that are published in English use content writers from countries where English is not spoken as a first language. Couple that with the fact that many sites are really just content mills, pumping out cheap, low-quality material to get a load of money through ads, and you’re likely to find a lot of websites that are certainly not scams or frauds, but that are riddled with poorly written English.

However, websites that present themselves as something legitimate and official but have poor grammar and spelling should raise red flags for you. If that’s the case, go back to the other steps we’ve laid out and do a bit more investigating.

Check for a social media presence

Online fraudsters follow a simple principle: the quickest path with the least time involvement possible. To that end, creating and maintaining an active or even semi-active social media presence takes a lot of time and effort, something scammers simply don’t enjoy. Not every website will have a social media presence, and the lack of one is by no means any indication that the site is fake. However, if you do see an active social media presence, the chances that that site is fake go down to zero.

On that end, check for fake social media presence. Some fraudulent sites will have fake social media posts included on the website as images that you can’t actually interact with or will have fake, paid posts to make the site seem more legit. In this case, use your better sense and check for other website features that indicate a secure, real site.

If it’s an online marketplace, look for a returns or refund policy

Similar to the Contacts page, any website that sells goods should have a returns policy that includes information on where and how to return items you’ve purchased. You can see an example of this on the website AliExpress, which has a page called “Buyer Protection”. There, you can find the returns and refunds policy:

AliExpress returns policy

A fake website will likely not have any such page. If it does, it won’t have any actual contact information or any way to actually exercise those policies.

Look for trust marks and security seals

We cover a little bit about trust marks and security seals in our piece on how to stay safe when paying online. E-commerce trust marks and security symbols will appear at the bottom of web pages and are utilized to indicate that the site you’re on is legitimate, secure and, of course, trustworthy. In general, these marks and seals are given to a site after that site has been thoroughly reviewed for authenticity and had its security features verified.

Here’s what some of these symbols and marks look like:

seals and trust marks

Many trust symbols and security seals come from the company that issues the SSL/TLS certificate. Others do not.

Either way, you can’t always put your trust in the legitimacy of these marks and seals. In many cases, they’re simply images that you cannot click to bring up any verifying information. It’s good to check to see if a website has them, but don’t place your faith in them as a true security method.

Look for reviews from multiple ranking sites or forums

Most sites, even those with moderate levels of traffic, have been rated and ranked somewhere. You may be able to find reviews from others on just how trustworthy or untrustworthy the site actually is. If you can’t find anything about that site, you should proceed with caution, if you proceed at all.

Avoid sites making claims that seem too good to be true

Everyone wants to get rich quick. It’s just human nature. But if the site you’re on is advertising what seems like a deal that’s too good to be true, trust us: It is. There’s no such thing as a legit get-rich-quick scheme. They just don’t exist. And even those advertisements and sites that try to get you to sign up for what seems like easy ways to make money, such as this:

Imperative fraudulent websites

…well, they’re just not really trustworthy. There’s always more to it, and quite frankly, more than you bargained for. Many fraud sites will rope you right into a nasty pyramid scheme.

By the same token, avoid websites that present offers in an extremely pushy way, or that use fear and scare tactics to get you to sign up. These are almost never real, and your scam meter should be going off like a bell once you read them.

Reject sites that say you have a virus or that you’re in trouble with the law

These sites are all about fear tactics and are always a scam. Whether it’s in a pop-up or on the whole page, if the site claims that you have a virus and need to remove it now, or that you’ve been identified by the FBI and you can pay your way out of a crime, don’t fall for it:

fraudulent websites fake virus warning

These sites and messages will play on your fears and attempt to get you to hand over money or personal information. However, your web browser is never going to be the place to find out if your computer has a virus. That’s what virus scanners are for. If you see any such web page or pop-up, ignore it.  

Check the copyright status

Scammers can often be a fairly lazy bunch. In many spoof websites, the scammers forget to include a copyright at the bottom of the page or forget to update it to the current year. No website from any legitimate company will have an out-of-date copyright, and none will fail to provide the copyright on every page. In the earlier example with the fake PayPal website, the bottom of the page includes a copyright that ends in 2016:

Copyright information

This is not the case on the real PayPal website, which includes a fully updated and current copyright:

copyright information

If there’s one thing you can always count on with online scammers, it’s their general lack of complete attention to details. They will always miss something and even when they don’t, there are certain obvious fraudulent features that they can’t avoid.

Is the site asking you for a direct bank transfer? Don’t do it

Unless you’re on an official government website to pay your taxes or a parking ticket, or on a site for paying your rent or loans, avoid direct bank transfers. Giving away your bank account number and routing number is extremely risky, even when you’re entering that information on official sites. If you can avoid submitting this type of information on a website, do so. If those sites get hacked, your sensitive data could get lost.

Legitimate sites will almost never ask for your full social security number

Just take a look at this phishing website designed to look like Wells Fargo:

Wells Fargo phishing

Not only is it asking for your entire SSN, it also wants your driver’s license number, credit card CVV, phone number, and email address and password. The amount of information being asked for here is almost ludicrous. Not even your bank will require this information to verify your identity, and especially not when you’re logging in online. Avoid any site that’s asking for the entirety of your private information. If that site already has your SSN, for example, they will only ask for the last 4 digits to verify the account, not the whole number all over again.

“Chrome phishing notification” by Christiaan Colen licensed under CC BY 2.0
