What are scam websites, and how can you tell if a page is fake?

Scam websites are any illegitimate domains and web pages created to steal your money, personal information, or infect your device with malware. Scam sites can look like many different things – a no-name shop with ridiculously cheap goods, or a real company with millions of daily users.

Creating a website scam is a form of fraudulent and malicious activity that most hackers and scammers practice. It’s relatively cheap, and copying the content of a legitimate site is not difficult either.

Usually, scam websites don’t exist independently – they have a phishing, malvertising, or spamming campaign alongside them. Scammers spread links to their malicious websites so they’d appear in:

• phishing emails or text messages
• social media posts and forums
• comments on any page online (usually distributed by bots)
• search engine ads.

A more diligent scammer may even use pharming techniques to redirect the legitimate websites to the fraudster’s fake version.

Once you land on a fake page, how the website scam works depends on the type of scam.

Some fake websites imitate a login or payment page of a well-known company or brand, so you feel like it’s the real thing and provide your credentials. Other fraudulent websites try to scare you into downloading malware by warning about viruses on your device and offering software to solve the problem.

A website scam can also look like a typical online store, except when you order goods, the scammers run away with your money, and no delivery ever arrives.

There are different types of scams online, and scam sites also come in different shapes and sizes. Each scam website type has distinctive features that could serve as a red flag for spotting them.

Phishing websites

Phishing websites are one type of phishing attack. Fraudsters use URL phishing to distribute the links to these websites via email and fake everything from the sender to every part of the website they pose as. Everything but a trivial nuance in the URL makes it look like a real company, usually one with lots of customers, such as Amazon or PayPal.

Fake online stores and discount pages

Fake e-shops look like real e-commerce sites, except they don’t sell anything. They promise you goods or services with discounts or vouchers that sound too good to be true.

You add items to the cart, go to the payment page, and submit your payment information. Scammers get your payment card details like the CVV code, while you wait for items that never arrive and find suspicious purchases on your next bank account statement.

Fake ticket sellers

Along with the fake online stores, you can find pages that pretend to sell tickets, usually way cheaper than the legitimate seller. In case of ticket fraud, you may even receive a ticket. But it won’t grant you entrance anywhere because the ticket will be as fake as the website.

Clone websites

Clone sites imitate legitimate companies. They pose as health insurance, government, bank, or other authoritative institutions.

Clone websites ask you to pay fines or extend your insurance, warn you about suspicious payments on your account, or rush you into confirming your passwords, bank details, and other information. If you fall for this website scam, everything you submit on such a copycat website ends up in the hands of fraudsters.

Scareware websites

Scareware sites are the most distinct fake website type. They use fake virus alerts and misleading buttons to trick you into downloading malware rather than submitting sensitive information.

You can recognize these pages from the clickbaity pop-ups and messages claiming you about viruses on your device, with a convenient button linking to antivirus software that eliminates the malicious software.

Whether they ask you to pay for an antivirus or they give it to you for free, the download is malware in disguise. Instead of removing non-existent viruses, it infects you with real malware. And then it can do as much damage as multiple fraud websites combined – wreck your device, steal your sensitive information, including payment card details, or hold your device hostage and demand a ransom.

Scam contests or sweepstake websites

Fake sweepstake sites announce you as a winner of a free iPhone or another fabulous prize, even if you have never entered any contest to begin with.

Sweepstake websites may even show you your IP address or the name of your ISP to look more legitimate. To claim your prize, you’re asked to provide your personal information or pay for the delivery, losing sensitive data and money in the process.

Scammers have all kinds of tools to create scam websites, so telling a fake page from a real one can be challenging.

If they impersonate a legitimate website, they can manipulate its URL, favicon, security certificate, and content. You need to be extra careful and pay attention to the smallest details.

Here are some things you can do to identify a fake website.

Most website links come from somewhere – search results, social media sites, friend messages, you name it. Fake website links are no exception. And the source of their links can be the best indicator that the website is a fraud.

Always check the source of links you plan to open. If it’s an email, look at the sender, content, signature, and other phishing email giveaways. Ask yourself whether you expected this email and does it make sense that you’re getting it.

Do the same for other sources too.

Social media posts and comments have authors you can check. If someone with barely any friends and a stock image as a profile icon spreads the link in a robotic manner, chances are, the link will lead to something malicious.

PRO TIP: Never enter sensitive information after following a link or clicking a pop-up. Instead, use your go-to search engine or bookmarks to find the legitimate website manually.

Social media and online forums are full of fake posts and comments written by bots and trolls, so spreading fake websites there is not uncommon.

Other sources may be less evident. For example, you can’t always trust your search engine results. Scammers can buy ads and invest in search engine optimization, so their websites appear at the very top of search engine results.

And even messages from your friends can include links to fake websites if they have clicked on the same link and got their device infected beforehand.

Before opening the link, you should also analyze the URLs and domain names. It’s especially crucial when you receive it from a questionable source, such as spam email or a social media comment.

Some links are different from what they seem. For example, take a look at the following link:

www.google.com

It looks like a link to the Google search engine, but if you check the link destination (URL), you’ll see that it opens the DuckDuckGo search engine instead. You can do it by hovering over the link with your mouse on the computer or pressing and holding the link down until the URL appears on mobile.

Checking the link destination should be the first step before opening any link. But it’s not the only one.

In the example above, it’s clear that the actual link is leading to another site. But if that URL looked more like Google, it would be easy to make a mistake. And scammers have plenty of ways to make the links look similar, especially when the links are much longer than our example.

The scam website could:

• Use a different top-level domain, e.g., .net instead of .com.
• Have extra punctuation in the domain name.
• Have a misspelled original name (a technique known as typosquatting).
• Use a number instead of a letter in the domain name, e.g., a zero instead of an “o,” which would be less noticeable when the URL uses uppercase letters.
• Use a similar letter from a different alphabet, e.g., the letters “о” and “р” here are from Cyrillic alphabets – they could be used to make a unique domain name that looks almost identical to some legitimate sites in most fonts.
• Use the legitimate site name as a subdomain with the actual domain being completely different, e.g., legitimatesitename.com.thescamwebsite.com.

And there are even more URL spoofing techniques out there. So whenever you have doubts about the link, don’t click on it directly. Open the bookmarked version of the page if you have it saved, or look it up on the search engine. However, if you want to save time, enabling an anti-phishing tool can be an efficient move, as it helps automatically identify and warn you about malicious links.

Another thing you should check when looking at the URL is whether the site has an SSL/TLS certificate. It’s indicated by a padlock symbol before the URL and HTTPS prefix in the web address bar.

SSL/TLS guarantees that the information you exchange with the site is encrypted and thus more secure than data you submit on websites without the certificate (those starting with HTTP but missing the “S” at the end). It keeps your information safe from third-party snooping, such as man-in-the-middle attacks.

However, if a site is secure from third parties, it doesn’t mean it’s safe overall. When it comes to fake websites, you need to worry about the party running the site.

Fraudsters can get a certificate for their fake website to look more legitimate. So while you can consider HTTP websites unsafe, don’t let your guard down after seeing that the site runs on HTTPS. Check certificate details on your browser:

• Chrome: padlock icon > Connection is secure > Certificate is valid
• Firefox: padlock icon > Connection secure > More information > View certificate
• Edge: padlock icon > Connection is secure > certificate icon
• Opera: padlock icon > Connection is secure > Certificate is valid
• Safari: padlock icon > Show certificate

The details you get can differ depending on the certificate type. But you’ll be able to see the domain in the certificate details, which would reveal the website’s actual domain, even if the scammers tried to fool you by piling on subdomains.

Meanwhile, the subject reveals to whom the certificate is issued. If the organization is not the company that should be responsible for the website, that’s another red flag.

If you take a real website and its fake copy, another clear difference could be the domain age. Let’s take PayPal as an example. The legitimate PayPal website was created in 1999, while fake copies only survive a few weeks or months. And it’s not just PayPal copies – most fake websites are taken down sooner rather than later.

So it’s helpful to check the domain age on the Whois Lookup page. It’s easy, too – paste the URL you want to inspect and review the “Dates” in the domain profile details. It shows exactly how many days old the domain is and when it was registered.

Sometimes taking a closer look at the content is all you need to spot a fake website. If the website has any of the following, it’s not a good sign:

• Poor language. If the text on the website has plenty of obvious typos, spelling mistakes, and grammar issues, it can be a sign that the website copy was written by a person who is not a native speaker or has no knowledge of web writing. Legitimate sites, especially bigger ones, have writers and editors on staff to prevent poor language.
• Urgency or fear invoking calls to action. Fake websites want you to provide your credentials, download their malware, or submit your financial information before you get any doubts about their legitimacy. That’s why they use social engineering techniques and emotional language to convince you. They may emphasize how urgent something is (your account will be closed if you don’t react immediately, you will be fined if you don’t submit something on time, or similar) or scare you into taking action as soon as possible. They often use clickbait titles and buttons to do it.
• Design issues. Like language, questionable design practices can also reveal a website is fake and not taken care of by a real designer. If the website is challenging to navigate, features low-quality illustrations, and various elements, like logos, look blurry and distorted, ask yourself whether a legitimate site would allow itself to look this way.
• Intrusive pop-ups and ads. Most websites on the internet feature some ads, but if ads are all you can see on the website, you shouldn’t look past them. These intrusive ads can be almost impossible to get rid of as they hide closing buttons or do not have closing buttons in the first place. The websites may also ask you to enable browser notifications; the page may only load if you comply.

• Lack of important pages. Legitimate websites will have an “About us” page, contact information, and privacy policy, all of which you can access from the homepage. Online shopping websites will also include pages explaining shipping, payment methods, or return policy. If the website lacks these or opening such pages redirects to another domain, you should think twice before submitting any information.
• Lack of payment methods. Real e-commerce websites allow you to choose from various payment options – from credit cards to payment services like PayPal. Fake e-shops will have only payment options that are difficult to track for authorities, such as gift cards or cryptocurrencies.

Scam websites tend to reuse their text and images on many domains, so you can use search engines (Google and the like) to look up the content.

1. Search for website content online. Copy and paste a few sentences from the website into the search engine. You can also add quotation marks around the text to get results matching this exact text. If you get dozens of websites with identical text or pages suggesting that the text comes from a scam, look no further.

2. Research contact details online. Copy any company information, like name, email, or phone number, and look it up the same way. If other content doesn’t provide much insight, fake company information, emails associated with internet scams, or phone numbers used in vishing attacks might.
3. Check customer reviews and social media presence. If the website contains any reviews, google them. The same reviews repeating on multiple different products and services can be a good indication of a bot’s work. You can also search for genuine reviews about the company and website to get warning signs or confirmation that the site is a scam. Moreover, most brands have a social media following, so a brand-new Facebook page with barely any followers can indicate a fake website.
4. Search for identical images online. If a website contains illustrations that should be unique, such as customer pictures, you can look them up online too. Copy the link of an image and search for similar images online. Does the photo come from a stock image platform or repeat all over the web? It’s not a real customer. And it’s probably not the only fake thing on that site.

Phishing scams and fake websites are a huge problem, so many tools are available to combat them. Therefore, you can always paste the URL of a website to one of the tools, for example, Google’s Safe Browsing Site Status tool.

NordVPN’s Threat Protection feature also keeps tabs on fake websites and helps you prevent landing on them. Its URL scanner checks the websites against its blocklist of sites to see if the website is secure. You can enable Threat Protection on your NordVPN app to have extra peace of mind when opening unknown links.

If you fall for a website scam, you risk losing sensitive information and money or infecting your device with malware. And these outcomes are not mutually exclusive.

Scammers can use your information for identity theft, contacting and fooling your loved ones, taking loans, opening new accounts in your name…the list goes on. If that information includes any financial details or can give indirect access to financial information, you also risk losing money.

The dangers of malware infection depend on the type of malware. If you’re lucky and hackers only install adware on your device, you’ll see many unwanted ads. Annoying but not too threatening. Other types of malware are more dangerous – hackers can hold your device or documents hostage and ask for a ransom payment or log everything you do and type on your device to get personal or financial information.

No matter what risks a fake website brings, it’s crucial to take immediate action if you identify a scam website or, worse, fall victim to it.

If you fell for a fake website, take the following steps immediately:

1. Freeze your payment cards and get in touch with your bank. If scammers have already initiated any fraudulent payment, try to reverse it. Let your bank or credit card company know what happened and freeze your cards, so scammers cannot drain your bank account or open new accounts in your name.
2. Change your passwords. If you thought you were logging into a real website and used your credentials, change your password immediately. Change the passwords of all your accounts if you reuse the same password anywhere else (and avoid repeating this bad internet habit in the future).
3. Enable two-factor authentication (2FA) on your accounts. Even if scammers have your password, they won’t be able to get into your account if you have 2FA set up. Unless it’s malware that a fake website brought to your device. In that case…
4. Use antivirus software to scan your device for malware. A fake site may have initiated a malware download, so running a virus scan before it does any damage is a good idea. You can also start the device in safe mode to remove any suspicious new software yourself.
5. Report the scam website. You can check the following section for various organizations that can help you block and take down fraudulent websites.

Reporting scam websites is the key to getting rid of them as soon as possible. It can help prevent people from falling victim to these online scams.

1. Report the website to Google

Love or hate Google, it can block access to fake websites on its search engine and other products, such as YouTube. It can also stop Chrome and other browsers from loading the website and send emails linking to the website straight to your spam folder on Gmail.

You can report the fake website to Google by submitting its URL on the Google Safe Browsing page.

2. Report the website to Microsoft

Like Google, Microsoft also has a lot of power regarding fraudulent websites. The company can prevent the fake website from appearing on Bing-based and Yahoo search engines and loading on Internet Explorer and Edge browsers. It can also block Outlook emails containing the link to the reported scam website.

You can report the fake website to Microsoft by submitting its URL on the Microsoft Security Intelligence page.

3. Report the website to cybersecurity companies

Similarly to Google and Microsoft, cybersecurity companies also work on cyber threat intelligence and can help take down fake websites. For example, most antivirus companies will accept scam website reports to include the latest scam websites in the blocklists of their software scanners.

4. Report the website to the government

Government institutions can also help you take down fake websites. You can report the scam websites to the government by:

• Filing a fraud report at the FTC website
• Reporting an incident to Cybersecurity and Infrastructure Security Agency (CISA)
• Filing a complaint at the FBI’s Internet Crime Complaint Center

Also, report the website to your local police and authorities, especially if you have already fallen victim to it. Visit our Report cybercrime page to find the links for reporting cybercrime in different countries.

5. Report the website to the company it’s impersonating

Since many fake websites will impersonate a legitimate company, you can also report the scam website to the company it’s impersonating.

For example, if it’s a fake website pretending to be PayPal or Amazon, you can send its link or forward a phishing email to phishing@paypal.com or stop-spoofing@amazon.com accordingly.

If it’s a fake NordVPN website, you can let us know by contacting our customer support.

Likewise, you can warn companies about their impersonators by contacting them directly or finding dedicated report pages with a quick online search.