Take a good look at the link a stranger just sent you. Notice anything wrong with it? You might not at first glance, but the second you open it and look a little deeper, you’ll likely see that the webpage is a little off. That’s because it’s probably a spoofed website instead of the real deal. In other words, you’ve just been targeted by a scammer trying to trick you into giving up your sensitive information or downloading malware on your device. Lucky for you, there are several tell-tale signs that will let you know if you’re safe to browse or if you need to jump ship and get off a site as soon as possible. Also lucky for you, we’ve laid out all the information you need to better understand website spoofing and keep yourself protected from scams.

What is website spoofing?

Did you know that websites can also be the victims of identity fraud? Website spoofing occurs when a scammer creates a fake website, usually imitating a company or organization that you’re already familiar with, and attempts to pass it off as legitimate. The goal is to trick consumers who think they’re logging in to their usual online banking portal or accessing their favorite shopping site into entering their credentials, so the scammer can steal their information. Other times, these sites will coax users into clicking on links that instead infect their devices with malware. Either way, falling victim to a spoofed website could mean becoming a victim of identity theft and suffering potential financial loss.

What to Look Out For

On the surface, it can be tricky to tell the difference between a fake site and the original since scammers are careful to copy the true site’s content and branding perfectly. Or at least, almost perfectly, as there are a few common red flags that will help you know when the website you’re on has been spoofed:

  • Check the URL
    Knowing that a website is secure starts with the link itself. One of the main ways that scammers create a spoofed website is with URL masking, where they hide the true URL of a website behind a different one. In order to be sure that a URL is real, remember to hover over a link before clicking on it to make sure that the website you’re heading to is the same one you think it is. Additionally, check that the URL for a website starts with https, as the s stands for secure and will let you know whether a website is safe or not.
  • What’s the Domain?
    The start of the URL isn’t the only thing you should pay attention to in the address bar. You’ll also want to look carefully at the end of the URL, also known as the website domain. Pay attention to whether the domain is common, such as .com, .org, or .net, or if it is something else. This might not always be an indicator that a website is illegitimate, but seeing multiple domains in one web address can be, such as ffbbank.com/bank/account.ffb.org. In addition, beware of subtle errors throughout the entire web address as well as the domain, like using a zero instead of the letter “o.”
  • Look for an SSL certificate
    An SSL (Secure Sockets Layer) certificate is a digital certificate letting users know that a website is not only real, but its connection is secure and encrypted. In other words, the SSL certificate means that your personal information and financial data will be safe while browsing a site. To find the SSL certificate, you’ll want to look for a lock icon on the far left of the address bar and click on it for details about the site’s security. If the lock is there, you can rest assured knowing that this website is trustworthy!
  • Is there a contact page?
    If the website you’re on is for a legit company or organization, then there should be contact information provided on one of the site’s webpages or in the footer at the bottom of the website. If you scour the whole site and can’t find contact information anywhere, or you’re being directed to a different site, then this is a red flag that something is wrong. Remember, if a company is real, they will not hide contact information from you.
  • Find the privacy policy
    By law, companies are required to list their privacy policy and data collection policy on their website – and you can usually find them in the bottom footer. If there is no privacy policy to be found, then this is another tell-tale sign that the website is suspicious. Even if there is a privacy policy, you’ll still want to consider reading through it carefully, paying attention to whether the language is clear and transparent about what information is being collected from you as well as if there are options for opting out of data collection.
  • Spelling and design matter
    One small typo on a website might not set off sirens, but if you notice multiple spelling and grammar errors then this is a warning sign. Legitimate companies will have a team of people reviewing their website to ensure that there aren’t excessive mistakes – especially on a homepage. Similarly, if you notice that a website has various design errors – for instance, it isn’t functioning normally, it is laid out differently than usual, or its pictures aren’t great quality – then you’ll want to double-check that the site you’re on is official.

Image shows the real FFB Bank website with a correct URL and an SSL certificate.
Image shows a spoofed version of the FFB Bank website with an incorrect and unsecure URL.
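
The URL checks from the list above (https, look-alike characters, more than one domain in an address, and link text that hides the real destination), as an added example that is not from the original article or from FFB Bank. The names `checkLink` and `trustedHost`, the look-alike map and the `.example` host are assumptions made for illustration.

```javascript
// Added example (not FFB Bank code): flag the URL red flags from the list above.
// trustedHost is an assumption: the hostname you already know is genuine.
const LOOKALIKES = { "0": "o", "1": "l", "3": "e", "5": "s" }; // constructed map

// Undo common digit-for-letter swaps so "f00.example" compares equal to "foo.example".
function normalize(host) {
  return host.toLowerCase().replace(/[0135]/g, (c) => LOOKALIKES[c]);
}

// Returns a list of warnings for one link; an empty list means no red flag found.
function checkLink(href, trustedHost, linkText = "") {
  let url;
  try {
    url = new URL(href);
  } catch (err) {
    return ["not a valid absolute URL"];
  }
  const flags = [];
  const host = url.hostname.toLowerCase();
  const trusted = trustedHost.toLowerCase();

  if (url.protocol !== "https:") flags.push("no-https");

  // The real destination is the hostname, not anything later in the address.
  if (host !== trusted && !host.endsWith("." + trusted)) {
    if (normalize(host) === normalize(trusted)) flags.push("lookalike-characters");
    else if (host.includes(trusted)) flags.push("trusted-name-inside-other-host");
    else flags.push("unexpected-host");
  }

  // A second domain name after the first "/" (the article's multiple-domains sign).
  if (/[a-z0-9-]+\.(com|org|net)(\/|$)/i.test(url.pathname)) flags.push("domain-in-path");

  // URL masking: the visible link text names one site, the link goes to another.
  const shown = linkText.match(/^(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/i);
  if (shown && shown[1].toLowerCase() !== host) flags.push("text-host-mismatch");

  return flags;
}

// Constructed samples; the second address is the article's own example.
const SAMPLES = [
  ["https://ffbbank.com/bank/account", "ffbbank.com"],
  ["http://ffbbank.com/bank/account.ffb.org", "ffbbank.com"],
  ["https://ffbbank.com.verify.example/login", "ffbbank.com", "ffbbank.com"],
];
for (const [href, trusted, text] of SAMPLES) {
  console.log(href, "->", checkLink(href, trusted, text));
}
```

An empty result only means that none of these specific signs were found in the address.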


When in Doubt, Head Out

If you notice that a website is acting suspiciously or has any of the warning signs listed above, then it’s best to exit immediately. After visiting a site that you think may have been spoofed, take care to clear your browser’s history, cookies, and cache. You can even run a virus scan for extra protection just to be completely sure that your device is not infected. For future browsing, consider using a VPN to double-check that your connection is secure and make sure to update your software regularly to ensure you have the latest protection.