Note: This article on detecting whether a website is a fraud or scam was first published in Sep. 2013 and has been updated for 2020. The updates reflect recent internet security best practices and emerging threats and trends in the industry.
Fraud on the internet is almost as old as the internet itself. Experts have made several guidelines to detect and identify fake websites and scams, but as the web has evolved, con artists have also adapted to software and common sense safeguards. Here's a guide on how you can identify scams and stay safe online, in 2020.
Website scams come in many shapes and forms - some pretend to be a brand they are not and try to get you to make a purchase, some obtain your personal information or passwords to potentially sensitive accounts, while others might install ransomware on your computer or even mine bitcoin in the background using your computer.
A day before Christmas 2019, one of the members in our team was looking to purchase jackets from the website of the popular brand NorthFace for his parents who live in India. The following screenshot is of a remarkable scam website that he found at the top of a Google search, which could have hoodwinked most uninformed people!
As it turns out, the brand did not have an e-commerce store that delivered to India but this website did exist. What's more, this particular scam website even passed some popular tests and checks suggested by the experts, including:
- Does the URL match the brand name? The URL of this particular website* matched the brand, and was on a co.in ccTLD, but was quite long (which raised suspicions in the mind of our employee)
- Does the website use HTTPS or an SSL certificate? Yes, it did
- Does the website content appear to be infused with grammar or spelling errors? Mostly no; in fact, it had all the right products, descriptions and photos that mimicked the legitimate brand website, including the website design
- Does a whois lookup on the domain name help prove its ownership? The Whois data for this domain was unavailable due to GDPR laws, but it was registered through a different domain registrar than the one used for the legitimate international website of the brand
- Is the SSL certificate EV or OV Validated? No - this was the first big indication that this was indeed a scam website. Here's a handy explainer on Validation Levels for SSL Certificates
- How many years has the domain been in use? This domain had been registered just a few weeks ago, primed to tap into people's shopping urges for the holiday season
- Does the website have reliable contact details and inbound links? For a website which dealt in e-commerce, the absence of a support ticket system and a phone number made it very suspicious. The contact page was a simple contact form rather than a ticketing platform.
- Did the offers, prices and payment methods appear reliable? No. The discounts were way too steep (over 70% for a relatively premium brand) and the prices were oddly specific, such as Rupees 10,843.17 which is quite strange because marketers usually ensure that prices are at or just short of psychological round figures. Payment methods were a giveaway too with credit cards being the only option, whereas India is typically a country that relies on digital wallets and cash-on-delivery models.
*We are refraining from naming the URL in order to keep search engines from further increasing the credibility of this fake website
As this example proves, there is a constant need to protect yourself against scammers online, whether you are a business, a corporation or an average person looking to transact or browse the internet. Fraud is on the rise and is predicted to only grow over the next decade.
At the end of 2016, a business fell victim to a ransomware attack every 40 seconds. Cybersecurity Ventures predicts that will rise to every 14 seconds in 2019 — and every 11 seconds by 2021. - CyberSecurity Ventures Annual Report, 2019
While working at Webnames.ca, I have investigated numerous fake, fraudulent or phishing websites, and they usually have a number of common traits to look for. But first, let us try to break down what scammers and con artists are after and what some common types of attacks are.
- Phishing - Emails & websites impersonating a real person or company to gain personal and/or financial information
- Cross-site scripting - A legitimate website with a vulnerability that allows third parties to redirect you to a different website operated by them
- Content injection - Rogue advertisements or popups that attempt to redirect you or force you to a different website that could lead to ransomware or virus and malware attacks
- Counterfeiting - A website purporting to sell products or services that impersonates a real brand and swindles customers of their money
The above list is by no means comprehensive, but constant vigilance - not just at the first step of an online transaction - is a necessity. To protect yourself against frauds online, you need to know what to look for and we hope this guide helps.
Here are some easy steps on how to determine if a website is a fake, fraud, or scam:
- The Domain Name or URL - A lot of fraudulent websites will use a domain name similar to a brand name. I have seen fake sites related to Calvin Klein, Nike, Buffalo, and more recently, Salomon. These domain names might be www.nikesuperdiscounts or www.buffalocollection or www.salomonshop (these are not real sites, but examples). If a company has a trademark on their name, their website and the domain name usually match the company name.
- No Contact Information - If the website does not have a contact us page, or if it does and it only offers a form to fill out, with no location or other identifiable coordinates, this is a strong indicator of fraud. Any company offering products or services should have a place of business (location) as well as a phone number and email to contact them. If none of this information is available, then they likely just want your credit card info. Here is an example I found from a fake website that does not have any contact details.
Scammers have gotten wiser to these checks as time has gone on. They now copy the location and contact details, down to embedded maps and Facebook and Twitter links, from the website they are pretending to be. So we recommend that you exercise caution - remember, anybody can link to the correct Twitter handle or Facebook page. However, a verified Twitter profile or Facebook page (which many large brands have) is likely to include the link to the legitimate website. If in doubt, look for other markers before sharing personal information.
- Check the Grammar and Spelling - If the fake website is attempting to present itself as an American or Canadian business, they will usually use English text. However, there will quite often be horrible grammar and spelling mistakes on the website. Many of these mistakes would be obvious to a native speaker of English; excessive use of poor grammar and spelling should be an instant red flag.
- Check the WHOIS - Do a domain WHOIS lookup to see who owns the domain. The result will tell you the registrar (company that the domain was purchased through), when it was created, when it expires as well as contact details. Although the fraudulent website did not tell me their contact details on the website, using the Webnames WHOIS lookup, I was able to confirm that the domain was owned by a company in China, not the running shoe company located in the U.S. Another key observation to look for is how long the domain has existed. If it has been active for less than a year, then it is most likely a scam website. In the case of my example below, this fake site was set up less than four days ago and I was directed to it through a Facebook ad two days ago.
- Test the Contact Information - If the website does list contact information, call, write or email the site, using their contact details, to check if it works. If you get an automatic voice messaging system, the number is not in service, or no one answers during business hours, then exercise caution.
- Check if the website is SSL Secured and if it is OV or EV certified - Many fake or fraudulent sites will not bother to buy an SSL (Secure Sockets Layer) certificate. SSL certificates secure the transfer of your data when you submit sensitive information (creating an account, or submitting payment info) and cost money. A scam site, quite often, won't bother with an SSL certificate, as the site will likely be shut down within a couple of months after the fraud has been reported. To assess the type of SSL certificate, click on the padlock icon in the address bar of your browser and investigate the details in the popup. Enterprise Validated certificates will list the name of the brand as well as a certificate authority on this window (the appearance of this information could vary from one browser to another). If the website is legitimate and secure, like Webnames, they will have HTTPS on the URL and a lock icon and, in some browsers, even the company name as shown below.
- Check the Shipping and Return Policy - If the website is selling a product over the internet, they will have a shipping and return policy listed on their site. If it is a real company, they should tell you how and where to return a defective product. If they are shipping a product, they should give you an idea how long it will take to arrive. If they have no return address and a vague shipping policy, do not shop at that website.
- Check the Domain Name in Google - If it is a real site, typing the domain name into Google should bring up links to that website from other websites. If only the domain comes up and no other search result appears for that domain name, then it is very suspicious.
- Check with the BBB - Go to the Better Business Bureau website and see if the company has any reviews. Doing business with a site that has good or no reviews is better than one with many negative reviews. Like always though, buyer beware.
- Check Other People's Reviews - Type the website's domain name, followed by "reviews", into a search engine. Ideally, you will discover search results for other people's experiences in dealing with the website. If there are many negative customer reviews, then you will most likely want to avoid the site altogether.
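Three of the checks above (the padded brand name in the domain, the WHOIS creation date and the certificate validation level) can be scripted for quick triage. The following is an added example, not part of the original article: the function names and sample data are constructed, the `Creation Date:` field format varies between registries, and the certificate check is a heuristic on the subject fields in a dict shaped like the output of Python's `ssl.SSLSocket.getpeercert()`. The flags are signals to weigh together with the other markers, not a verdict.

```python
import re
from datetime import datetime, timezone

# Constructed sample inputs (not real WHOIS or certificate data).
SAMPLE_WHOIS = """Domain Name: nikesuperdiscounts.example
Registrar: Example Registrar Ltd
Creation Date: 2019-12-01T09:30:00Z
Registrant Name: REDACTED FOR PRIVACY
"""
SAMPLE_CERT = {"subject": ((("commonName", "nikesuperdiscounts.example"),),)}
NOW = datetime(2019, 12, 24, tzinfo=timezone.utc)

def domain_age_days(whois_text, now):
    """Days since 'Creation Date' in WHOIS output; None if absent or redacted."""
    m = re.search(r"(?im)^\s*Creation Date:\s*(\d{4}-\d{2}-\d{2})", whois_text)
    if not m:
        return None
    created = datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (now - created).days

def validation_level(cert):
    """Heuristic: DV subjects carry no organization; EV subjects add businessCategory."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    if "organizationName" not in subject:
        return "DV"
    return "EV" if "businessCategory" in subject else "OV"

def brand_padded(hostname, brand):
    """True when the first label contains the brand plus extra words."""
    host = re.sub(r"^www\.", "", hostname.lower())
    label = host.split(".")[0]
    return brand.lower() in label and label != brand.lower()

def triage(hostname, brand, whois_text, cert, now):
    """Collect the warning signs from the checklist that apply to this site."""
    flags = []
    if brand_padded(hostname, brand):
        flags.append("brand name padded with extra words")
    age = domain_age_days(whois_text, now)
    if age is None:
        flags.append("no creation date in WHOIS")
    elif age < 365:  # the article's "active for less than a year" rule
        flags.append(f"domain registered {age} days ago")
    if validation_level(cert) == "DV":
        flags.append("certificate is domain-validated only")
    return flags

print(triage("www.nikesuperdiscounts.example", "nike", SAMPLE_WHOIS, SAMPLE_CERT, NOW))
```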
Being a victim of a scam is never a pleasant experience. Follow these simple guidelines to protect yourself online and create the best possible shopping experience. If the site you're viewing feels suspicious, take a moment to research and investigate it before making a purchasing decision.
Cybercrime will cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015 - CyberSecurity Ventures Annual Report, 2019
Note: Our writers Julianna and Karthik contributed to updates to this article in late 2019 and early 2020.