Online fraud has been a major problem in the past decade. Companies have lost billions of dollars, usually due to human error; individuals have lost both money and personal information. The total losses from scams in 2023, for instance, are estimated to be more than $10 billion. While scammers use various techniques to obtain sensitive information, one of the most common is to set up a fake website that resembles the real website of a service provider and then trick people into entering their login information.
We have already mentioned what you can do to detect and avoid email phishing. Today, we will look at the things you can do to check if a website you are visiting is legitimate. After all, not all scam links are sent via email, and you can come across such links in search engine results, in instant messengers, or on websites you visit.
- Legitimate vs. fake websites
- Five ways to recognize a legitimate website
- Check the WHOIS information
- Check the SSL certificate
- Look for a seal of trust
- Check industry portals/directories
- Check the domain reputation/status
- I came across a fake website, what should I do?
- In conclusion
Legitimate vs. fake websites
You may wonder how a website can be fake. In fact, there are lots of fake websites being set up every day. These are websites that copy the look of the real website of a service provider. This could be a bank website, an email provider, a streaming provider, a credit card company, a delivery company, and many more. Unsuspecting visitors are prompted to enter their login details, bank account details, email credentials, etc. Scammers are usually pretty quick in using the information they obtain. They can withdraw money, send spam, reset passwords, or do all sorts of other malicious activities.
A fake website can use a newly registered domain, or an older one. In the first case, new domains usually consist of scrambled letters and numbers, but there are still domains that try to imitate the actual domain name of the provider as much as possible. The latter are not that common anymore due to the tightened security of domain registrars regarding such scam domains, but every now and then you can still come across domains that are almost identical to the original. In the second case, scammers can add a fake page to a hacked existing website that uses an older domain. Often, they do not deface the entire website as other hackers sometimes do, but simply add one or a few pages to the existing content. They do this so that they are not detected quickly by the website owners. The longer such fake pages can operate, the more people can become victims of various online crimes.
Some years ago, scammers took advantage of the newly introduced internationalized domain names. They were using letters from different alphabets to create domains that would look the same as the real domains of various institutions. Modern web browsers clearly display if different alphabets are mixed, so such an attack is no longer possible. Nonetheless, scammers find new ways to trick people. Let’s see how you can make sure that a website you are visiting is legitimate, and not fake.
Five ways to recognize a legitimate website
We assume that you have already done some basic checks such as looking carefully at the domain, inspecting the page for grammar/spelling mistakes, or checking whether all links on the site work and where they point to (a simple mouse-over is enough; you should not click on links if you are not sure where they will lead you). The options listed below may take more time, as all of them require you to perform a certain task in your browser or to use different online tools. Nonetheless, they are far more effective at revealing a fake website than the suggestions you will find in most online articles.
Check the WHOIS information
The WHOIS details of a domain name can give you valuable information about the website you are browsing. The first thing you should check is the registration date of the domain name. Scam domains are usually registered recently. They are suspended pretty quickly by the registrar or the hosting provider, so they are not accessible for long. It is extremely rare to find a scam domain that has remained active for more than a few weeks after its registration.
Sometimes, however, regular websites get hacked and hackers replace the real content or add fake pages. If you notice that the domain you are visiting has been registered for a while, check its name servers when you do a WHOIS lookup. Payment processors and most service providers usually use custom name servers. If you notice that the name servers of the domain you are checking point to a shared hosting provider, or especially to a foreign hosting provider, you can be sure that you are looking at a fake page.
Last, but not least, if the domain name is registered to an entity that is not in the European Union and does not use privacy protection, you can usually see who owns that domain. This way, you can quickly see who has registered the domain name. Scammers usually use personal details of individuals (real or fake), not the contact information of the real company they want to impersonate. Using real company details will expose them right away during the registration process.
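The three WHOIS checks above (registration date, name servers, registrant details) can be turned into a small review script. The code below is an added example, not code from the original article; the WHOIS records, the name-server suffixes treated as shared hosting and the "60 days" threshold are all constructed assumptions for illustration, and a real lookup would feed the output of a WHOIS client into `review_whois` instead of the embedded text.

```python
"""Heuristic review of a WHOIS record along the lines described in the
article: registration date, name servers and registrant details.
Added example, not the article's own code; all records, suffixes and
thresholds below are constructed for illustration."""
from datetime import date
import re

# Constructed sample in the common "Key: Value" WHOIS layout: a recently
# registered domain, hosted on shared name servers, owned by an individual.
SAMPLE_WHOIS = """\
Domain Name: secure-login-example.com
Creation Date: 2024-05-02T09:14:33Z
Registrar: Example Registrar, Inc.
Registrant Organization:
Registrant Name: John Doe
Registrant Country: US
Name Server: ns1.shared-hosting.example
Name Server: ns2.shared-hosting.example
"""

# Constructed sample of what a long-established company domain looks like.
LEGIT_WHOIS = """\
Domain Name: mybank.example
Creation Date: 2005-01-10T00:00:00Z
Registrant Organization: Example Bank plc
Registrant Name: Example Bank plc
Name Server: ns1.mybank.example
Name Server: ns2.mybank.example
"""

# Name-server suffixes treated as shared/mass hosting (assumed list; you
# would maintain your own based on the providers you see in practice).
SHARED_HOSTING_SUFFIXES = ("shared-hosting.example", "cheaphost.example")


def parse_whois(text):
    """Collect 'Key: Value' lines into a dict; repeated keys become lists."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def review_whois(text, today=None, max_age_days=60):
    """Return a list of warnings; an empty list means nothing looked off."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    rec = parse_whois(text)
    warnings = []

    # 1. Registration date: scam domains are usually registered recently.
    created = rec.get("creation date", [""])[0]
    m = re.match(r"(\d{4})-(\d{2})-(\d{2})", created)
    if m:
        age = (today - date(int(m[1]), int(m[2]), int(m[3]))).days
        if age <= max_age_days:
            warnings.append(f"domain registered only {age} days ago")
    else:
        warnings.append("creation date missing or unparseable")

    # 2. Name servers: a company site normally uses custom name servers,
    #    not those of a shared hosting provider.
    for ns in rec.get("name server", []):
        ns = ns.lower().rstrip(".")
        if ns.endswith(SHARED_HOSTING_SUFFIXES):
            warnings.append(f"name server {ns} points to shared hosting")
            break

    # 3. Registrant: a person's name with no organisation is a red flag for
    #    a site claiming to be a bank or payment processor. Privacy-protected
    #    records (no usable name) are left alone.
    org = rec.get("registrant organization", [""])[0]
    name = rec.get("registrant name", [""])[0]
    if not org and name and "redacted" not in name.lower():
        warnings.append(f"registered to an individual ({name}), not a company")
    return warnings


if __name__ == "__main__":
    for label, record in (("suspicious", SAMPLE_WHOIS), ("legit", LEGIT_WHOIS)):
        print(label, review_whois(record, today="2024-05-20") or "no warnings")
```

Passing `today` explicitly keeps the age check reproducible; in day-to-day use leave it out and the current date is used.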
Check the SSL certificate
These days, most websites have an SSL certificate. A lot of blog articles suggest that the presence of an SSL certificate is a sign that a website is legitimate. This isn’t the case, though. With the emergence of free SSL certificates, the connection to any website can be protected with a few clicks, without any checks on who is requesting the certificate or what domain/website it will cover. Some years ago, browsers used to display the company name for websites using an Extended Validation certificate. They no longer do that, though, so today all types of certificates are displayed in exactly the same way.
With the above in mind, the mere presence of an SSL certificate cannot tell you anything. Nonetheless, we recommend that you check the certificate of the website you are visiting if you have any doubts. There are two things you should check. The first one is the Certificate Authority (the issuing company) – if you notice a free SSL authority such as Let’s Encrypt or ZeroSSL, you should be cautious. Such certificates are valid for 90 days, and you can see the validity period as well. While free certificates are a good choice for personal or small business websites, large corporations (especially banks and payment processors) do not use free certificates for their services (online banking, large online shops, etc.).
The second thing you should check is the hostname the SSL certificate covers. You can quickly see if the domain name is the one you expect. This is an easy way to see if a fake page has been added to a subdomain or a subfolder of an existing hacked website. While you can see the full URL in the browser address bar, longer addresses may be hard to check, especially for people with less browsing experience.
Sometimes scammers use free SSL certificates by CDN providers like Cloudflare. Checking what hostnames the certificate covers will quickly reveal if the certificate is free, as free CDN certificates often cover multiple domains. This is one more thing a business will never do.
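The certificate checks described in this section (issuing CA, validity period, covered hostnames, and the multi-domain certificates typical of free CDN plans) can be applied to the certificate a browser or Python's `ssl` module hands back. The code below is an added example, not code from the original article; the two certificate dictionaries mimic the structure returned by `ssl.SSLSocket.getpeercert()` but are constructed, every domain in them is made up, "Example Commercial CA" is an invented CA name, and the list of free issuers and the "three domains" threshold are assumptions.

```python
"""Review of the certificate fields the article says to inspect: issuing CA,
validity period and the hostnames the certificate covers.  Added example,
not the article's own code.  The certificate dicts follow the layout of
ssl.SSLSocket.getpeercert() and are constructed for illustration."""
import ssl

# Organisations that issue free, automatically validated certificates
# (assumed list for the example; maintain your own in practice).
FREE_ISSUERS = {"let's encrypt", "zerossl", "cloudflare, inc."}

# Constructed: a fake login page on a subdomain of a hacked blog, served with
# a free 90-day certificate that also covers other tenants' domains.
SUSPICIOUS_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Apr 20 08:00:00 2024 GMT",
    "notAfter": "Jul 19 08:00:00 2024 GMT",
    "subjectAltName": (("DNS", "hacked-blog.example"),
                       ("DNS", "*.hacked-blog.example"),
                       ("DNS", "another-tenant.example"),
                       ("DNS", "cheap-shop.example")),
}

# Constructed: what the bank's own one-year certificate would look like.
EXPECTED_CERT = {
    "issuer": ((("organizationName", "Example Commercial CA"),),),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Jan  9 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "mybank.example"),
                       ("DNS", "www.mybank.example")),
}


def issuer_org(cert):
    """Pull organizationName out of the issuer's RDN sequence."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def hostname_matches(pattern, hostname):
    """Match a hostname against one SAN entry; a single leading wildcard
    covers exactly one label, as browsers require."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def registered_domain(name):
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(name.lstrip("*.").split(".")[-2:])


def review_certificate(cert, expected_host, max_free_days=90, many=3):
    """Return warnings for the checks in the article; empty means all clear."""
    warnings = []
    org = issuer_org(cert)
    if org.lower() in FREE_ISSUERS:
        warnings.append(f"issued by a free CA ({org})")
    lifetime = (ssl.cert_time_to_seconds(cert["notAfter"])
                - ssl.cert_time_to_seconds(cert["notBefore"]))
    days = round(lifetime / 86400)
    if days <= max_free_days:
        warnings.append(f"short-lived certificate ({days} days)")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(hostname_matches(n, expected_host) for n in names):
        warnings.append(f"certificate does not cover {expected_host}")
    domains = {registered_domain(n) for n in names}
    if len(domains) >= many:
        warnings.append(f"shared certificate spanning {len(domains)} domains")
    return warnings


if __name__ == "__main__":
    # The visitor expects the bank's site, so that is the hostname to test.
    print(review_certificate(SUSPICIOUS_CERT, "www.mybank.example"))
    print(review_certificate(EXPECTED_CERT, "www.mybank.example"))
```

`expected_host` is the domain you believe you are visiting; the "does not cover" warning is the programmatic form of comparing the certificate's hostnames with the address you expected to see.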
Look for a seal of trust
There are different ways that websites can certify they are legitimate and one of them is by placing a seal of trust issued by some organization. For a US-based business, for example, this could be a seal from the Better Business Bureau (BBB) that shows the company has a good reputation. Other examples are SSL seals that show a website has a valid certificate, or a seal that informs the site visitors the website does not have any vulnerabilities.
It is important to note that these should be dynamic seals, i.e. they should be clickable, or they should display real-time information about the domain name they were issued for. Some providers offer generic static images that could be downloaded by anyone and added to any website.
If a website has a trustworthy seal, you can be sure it is a legitimate one, as the information that is displayed dynamically will mention the exact domain the seal has been issued for. If there is a mismatch in the domains, either the seals on the site will not load properly (if at all), or you will see the difference in the spelling.
Check industry portals/directories
A good place to check if a website is legitimate or fake is an industry portal that lists similar websites that offer a particular service. This could be a list of banks with links to their official websites, or a hotel directory, for example. There, you can see the exact spelling of the domain, so if the one you are looking at has different spelling or additional words, you will know that the website is fake.
You can also use a public resource such as Wikipedia, if you are sure that it is a reliable source. Even if there aren’t clickable links on that resource, the domain of a particular provider you need may be mentioned there, so you can double-check the spelling or copy the domain from that website.
Check the domain reputation/status
Last, but not least, you can use various online tools to check the reputation of the domain name. To make sure that you are checking the correct domain, you should copy it from the browser address bar. Legitimate websites have a good reputation, with lots of backlinks, visitors, etc. A fake website that uses a newly registered domain will have few or no backlinks and no reputation. Such a domain will not be mentioned anywhere if you look it up in a search engine (yes, doing that is simple, but it can give you valuable information).
Of course, such a check will not help if you are looking at a fake page added to an existing hacked website, which may have a good reputation. Nonetheless, some of the online tools check against multiple lists – reputation lists, malware scanners, phishing and spam databases, etc. If a fake page has been added to an existing website, there is a chance the domain will appear on one of these lists.
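The two points made here, copying the exact domain from the address bar and checking it against several lists so that a fake page on a hacked site is still caught, can be shown in a few lines. The code below is an added example, not code from the original article or from any particular reputation service; the lists are constructed, and the lookup also converts the hostname to its punycode form, which is how modern browsers expose mixed-script look-alike domains mentioned earlier in the article.

```python
"""Added example (not the article's own code): take a URL as copied from the
address bar, reduce it to the hostname in the punycode form browsers use for
internationalized names, and look it up in several constructed lists,
matching parent domains too so a fake page on a hacked site is found."""
from urllib.parse import urlsplit

# Constructed sample lists; real tools query live phishing/malware feeds.
LISTS = {
    "phishing": {"secure-login-example.com", "paypa1-verify.example"},
    "malware": {"hacked-blog.example"},   # the hacked site as a whole is listed
    "spam": set(),
}


def domain_from_url(url):
    """Hostname from the URL, lower-cased, with IDN labels as xn-- punycode."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.encode("idna").decode("ascii")


def candidate_domains(host):
    """The host plus each parent domain below the TLD,
    e.g. login.hacked-blog.example -> [login.hacked-blog.example, hacked-blog.example]."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def check_reputation(url, lists=LISTS):
    """Return (hostname, {list name: matching entry}) for every list hit."""
    host = domain_from_url(url)
    hits = {}
    for list_name, entries in lists.items():
        for candidate in candidate_domains(host):
            if candidate in entries:
                hits[list_name] = candidate
                break
    return host, hits


if __name__ == "__main__":
    for url in ("https://login.hacked-blog.example/mybank/signin.php",
                "https://www.mybank.example/",
                "https://\u0430pple.com/login"):   # Cyrillic 'a', constructed
        print(check_reputation(url))
```

The punycode conversion matters because a domain that looks identical to the real one on screen turns into a visibly different `xn--` label once encoded, so comparing the encoded form is what tells the two apart.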
I came across a fake website, what should I do?
The short answer is to close it and never open it again. If you want to take some action though, you can report the domain name to the registrar and to the hosting provider. You can easily see the registrar in the domain WHOIS information. Checking the IP address (A record) of the domain will tell you where the fake website loads from. Hosting providers usually have an abuse email address where you can report fake websites. CDNs such as Cloudflare usually have an abuse report form as well.
You can save the links you have come across in a simple text document, or take screenshots of the fake pages, as the service providers may require them to be able to take further action. You can also report the website to popular anti-phishing databases such as PhishTank.
If you have clicked any links or entered any information on the website, you should run an antivirus check on your computer, change your passwords, and monitor your accounts for any suspicious activity.
In conclusion
Millions of people and companies are getting scammed every year; billions of dollars are lost. Even very experienced people sometimes get tricked into submitting personal information or login details on fake websites. If you have any doubts and you are prompted to enter any sensitive information, you should know how to check if the website you are looking at is legitimate or not.
Checking the WHOIS information, the SSL certificate, the seals of trust, and the reputation of the domain name can tell you a lot about whether a website is genuine. Even if you have to spend some time doing these things, you can avoid a lot of the problems that will come up if you enter sensitive information on a fake website.