A fake or scam website: What it is, and how to know if a website is legit

What are fake or scam websites?

Fake or scam websites are fraudulent websites designed to trick you into revealing sensitive information, making payments, or downloading malware. Scammers make them look legitimate by copying websites of popular brands. Scam websites include: phishing websites that mimic legitimate ones to steal your login details; clone websites that copy real sites to mislead you; and fake ticket sellers that offer nonexistent tickets.

Malware distribution sites may also be disguised as trusted pages to infect devices. Such sites often feature suspicious URLs and fake password login pages. For example, a scam site may appear as an online banking website, tricking you into entering your credentials for scammers to steal.

Copying the content of a genuine website is rather cheap and not very difficult, so no wonder the internet is full of websites scams. In their fake websites, scammers use deceptive scam tactics and all sorts of trickery to exploit unsuspecting users.

Common types of scam websites

You might have already come across some common types of scam websites:

• Phishing websites are fake sites designed to mimic legitimate ones. Scammers use a phishing method called URL phishing to distribute links to their fake sites via email. If you click on the link, you’ll be taken to a phishing website that looks very similar to a legitimate one, such as Amazon or PayPal. The goal is to deceive visitors into sharing sensitive information like passwords, credit card numbers, or personal details.
• Malware distribution sites are malicious websites designed to trick users into downloading or installing harmful software. These sites often appear legitimate but secretly infect your device with viruses, spyware, or ransomware. They spread malware by offering fake downloads, software updates, or through misleading ads and links.
• Clone websites imitate legitimate companies. Posing as banks, health insurance, government, or other authoritative institutions, clone websites ask you to pay made up fines or extend your insurance, warn you about suspicious payments on your account, or rush you into confirming your passwords and other information. Clone websites are a form of online deceit, so everything you submit on them ends up in the hands of cybercriminals.
• Fake e-commerce sites are unreliable online stores that mimic legitimate retailers. They lure shoppers with attractive offers and discounts. However, once you pay for the items, you receive counterfeit goods, low-quality items, or nothing at all.
• Charity scams are fraudulent schemes where scammers pose as legitimate charities to steal your donations instead of passing it on to a charitable cause. Scammers create fake charity websites to play on your emotions and swindle you out of your money or personal information. The number of charity scams and websites typically rises during national holidays, natural disasters, and epidemics.
• Technical support scams trick you into believing you have computer problems. In a technical support scam, criminals pretend to be support agents. They often use fake alerts or unsolicited calls to charge you for unnecessary services or steal your sensitive information.
• Investment scams aim to deceive you into investing in fake or high-risk schemes. Scammers promise high returns with little risk to lure you into giving them money or personal information. Unsurprisingly, scammers disappear with your money, never providing any returns on your “investment.”
• Lottery or prize scams trick you into believing you’ve won a prize or lottery. For example, you could receive a pop-up saying “Congratulations, you’re today’s lucky visitor” upon visiting a suspicious website. In lottery or prize scams, cybercriminals ask you to pay a fee or provide personal information to claim the prize which doesn’t exist. Once they get their hands on your money or data, they disappear into thin air.

How to tell if a website is legit or a scam

Scammers have all kinds of tools to create scam websites, so telling a fake page from a real one can be challenging. It’s easier to spot a fake website if you do the following:

• Analyze the source of the website link. Fake website links often originate from suspicious sources, like unexpected emails or social media accounts with few connections and generic profiles. Always check the source of links, because scammers can buy ads and optimize fake sites to appear in search results, and never trust links from unexpected emails or messages from people you don’t know or services you haven’t used.

PRO TIP: Use a reliable anti-malware tool that alerts you if you’re about to visit a malicious website. Threat Protection Pro detects and blocks access to phishing and scam websites, even the ones that have no visual red flags.

• Check the domain name and URL before opening a link, especially from questionable sources like spam emails or social media comments. Scammers often disguise fake URLs to look legitimate by altering top-level domains, misspelling names, or using similar-looking characters, for example, “www.faceb00k.com” instead of “www.facebook.com” or “rn” instead of “m.”
• Check if the website is HTTP secure. Check if the site has an SSL/TLS certificate, indicated by a padlock symbol and an HTTPS in the web address bar (“https://” instead of “http://”). Fake websites typically are not authenticated and don’t use the secure HTTPS protocol. You can hover over the link with your mouse to see the destination (URL). If you’re using your mobile phone, press and hold the link down until the URL appears. Or you can simply use our Link Checker tool to see if an URL is legitimate.
• Use a website checker like Google’s Safe Browsing Site Status tool to find out if a site is known for phishing, malware, and other harmful activities, and if it’s listed as unsafe in Google’s database.
• Check the domain age. A real website often has an older domain compared to its fake copies, which usually last only a few weeks or months. So it’s helpful to check the domain age on the Whois Lookup page. It’s easy, too – paste the URL you want to inspect and review the “Dates” in the domain profile details. It shows exactly how many days old the domain is and when it was registered.
• Examine website design and content quality. Poor grammar or blurry images can be red flags. Excessive pop-ups or ads that make it difficult to navigate the website can also indicate a scam. Most scam websites are hastily put together without attention to detail.
• Verify contact information. Look for legitimate contact details and customer support options. The absence of this type of information might indicate the site is unreliable, especially if it claims to provide services or sell goods.
• Read user reviews and testimonials. Search for customer feedback to see if the site is credible. Legitimate websites typically have a healthy mix of good and poor reviews. Be cautious with websites that only have glowing reviews.
• Be careful with unsolicited requests. Avoid sites asking for personal information or payment without clear justification.
• Treat urgency and too-good-to-be-true offers as red flags. Scammers often use urgent or fear-inducing language to rush you into providing information or downloading malware. They might also offer high-quality products at extremely low prices to trigger fear of missing out (FOMO) and pressure you into making a rash decision.
• Use reliable security software like NordVPN’s anti-phishing solution that detects and blocks dangerous phishing websites if you click on an unsafe link. It helps you avoid malicious and scam websites, even the ones that are very well fabricated, such as this example:

Expert analysis of a scam website

We asked our experts at NordVPN to walk us through the process of analyzing if a website is fake. Take a look at how they investigate a website step by step:

Pop-ups and language mistakes

Once you open the quickprofitearners.xyz website, it greets you with a pop-up message:

This message immediately raises a red flag. It’s unlikely a legitimate website would guarantee 100% success, because investing is inherently risky. This site’s eagerness to assert its reliability might be a tactic to earn your trust.

The text of the message is clumsy and grammatically incorrect — “there will be always” should be “there will always be.” And there is no space between the colon and the word “All.” Mistakes like these are common on scam websites.

Too-good-to-be-true offers

Once you press “OK,” another page opens with one more pop-up on the right side, advertising a too-good-to-be-true scenario — “Someone from Austria has withdrawn $51,120,05.” It’s a highly suspicious statement because the website provides no proof to back it up. Scam websites often use fabricated testimonials and grandiose success stories to create a false sense of reliability and lure you into their schemes.

When you scroll down, you find more language and punctuation mistakes such as “[…] which generated by the platform.” Legitimate websites typically invest in high-quality content that they proofread before publishing.

Suspicious sections

The site also includes a section called “What investors say,” featuring stock photos of people claiming to be investors.

A quick Google search reveals that these images are widely used across various scam websites, which means these customers don’t exist and their testimonials are fabricated.

Security certificate

If you examine the website’s security certificate, you see it uses a self-signed Let’s Encrypt certificate. While Let’s Encrypt provides free SSL certificates and enables HTTPS on a website, the self-signed aspect suggests the certificate was issued by the entity that owns the website and not verified by any trusted Certificate Authority.

If you’re using Google Chrome, you can check a website’s certificate by clicking the icon on the left in the address bar, selecting “Connection is secure,” and clicking “Certificate is valid.”

Safari users can check a website’s certificate by clicking the icon in the address bar and selecting “Show Certificate.”

Domain age

Finally, if you check the domain age, you’ll see it’s only 19 days old. A short lifespan is typical of scam websites because they frequently change domains to avoid detection.

You can check any domain’s age by visiting the Whois Lookup service.

A quick overview of the quickprofitearners.xyz website reveals a whole bunch of indicators of a scam website: young domain age, self-signed SSL certificate, typos and bad grammar, unrealistic success stories, urgency, and the questionable originality of the content and images. It’s quite clear this website is a scam.

Examples of fake or scam websites

Take a look at some more examples of red flags on websites pretending to be popular brands. Would these signs raise your suspicion?

Fake USPS websites

A fake USPS website is a fraudulent site designed to mimic the official United States Postal Service (USPS) website. Pay attention to these signs indicating that the USPS website you’re on is fake:

• Misspellings in a URL or unusual web addresses like “usps-track.net” instead of “usps.com.”
• Important sections like “About,” “Contact,” or “Privacy Policy” are missing or lead to unrelated pages.
• Logos and branding looks off, or there are grammar mistakes and spelling errors.

One of the ways you can stumble upon a fake USPS website is by clicking a link in a USPS phishing email. But don’t panic because you can still secure your device and information by following our tips on what to do if you opened a phishing email.

Fake YouTube websites

A fake YouTube website is a fraudulent site designed to look like the official YouTube platform. You should be cautions if the content or prompts on a YouTube page deviate from YouTube’s standard streaming approach:

• An unusual web address like “youtube-videos.net” instead of “youtube.com,” or misspellings in the URL.
• Links may lead to videos or pages that demand downloads or additional software.
• Prompts to download video players, updates, or codecs.

Fake Roblox websites

A fake Roblox website is a fraudulent site that mimics the official Roblox platform. Most scammers fail to create an exact replica of the platform, so you might notice the following inaccuracies:

• Suspicious URLs like “roblox-giftcards.com” instead of “roblox.com.”
• Logos, fonts, or design elements are slightly off or look outdated.
• Unrealistic offers such as free Roblox, cheats, or hacks, which legitimate Roblox sites do not provide.

Fake bank account websites

Fake bank account websites imitate the appearance of a legitimate bank’s online portal, but scammers don’t always get every detail right:

• The URL is different from the bank’s official URL, for example, “bank-secure-login.com” instead of “bankname.com.”
• Important sections like “Contact Us,” “Privacy Policy,” or “About Us” are missing, incomplete, or link to irrelevant content.
• Inconsistent layout, low-quality images, or elements that look out of place.

If you enter your credentials on a fake bank account website, scammers might steal your money or commit identity theft to open new accounts in your name.

Unfortunately, some scam websites are very difficult to spot just by looking at them, so you’ll have to go deeper and check their domain age and security certificate, or use reliable threat protection software like NordVPN’s Threat Protection Pro.

Take a look at these screenshots — would you be able to recognize these are fake websites?

Fake Amazon websites

Fake Amazon websites are fraudulent sites that imitate the official Amazon website. Look out for the following red flags to avoid an Amazon scam:

• Misspellings in the web address, such as “www.amaz0n.com” or “www.amazn.com.”
• Offer deals that are too perfect to be true.
• Language that rushes you to claim the deal, like “You only have x minutes to take part.”
• Pop-ups that say you’re a winner or encourage you to take part in a contest or survey.

What to do if you become a victim of a scam website

If you fell for a fake website, take the following steps immediately:

1. Freeze your payment cards and get in touch with your bank. If scammers have already initiated a fraudulent payment, try to reverse it. Let your bank or credit card company know what happened and freeze your cards so scammers cannot drain your bank account or open new accounts in your name.
2. Change your passwords. If you thought you were logging into a real website and used your credentials on a fake one, change your password immediately. Change the passwords of all your accounts if you reuse the same password (and avoid repeating this bad internet habit in the future).
3. Enable two-factor authentication (2FA) on your accounts. Even if scammers have your password, they won’t be able to get into your account if you have 2FA set up. Unless it’s malware that a fake website brought to your device. In that case…
4. Use antivirus software to scan your device for malware. A fake site may have initiated a malware download, so running a virus scan before the malware does any damage is a good idea. You can also start the device in safe mode to remove any suspicious new software yourself.
5. Report the scam website. You can check the following section for various organizations that can help you block and take down fraudulent websites.
6. File a claim with your cyber insurance provider. Some cyber insurance providers might cover the losses you’ve incurred as a result of data breach or scam. If you are a NordVPN user who lives in the EU or the US and subscribes to the Ultimate plan, you might be eligible for NordVPN cyber protection benefits in the United States and some European markets.

How to report and take down a scam website

Reporting scam websites is the key to getting rid of them as soon as possible. It can help prevent people from falling victim to these online scams.

1. Report the scam website to Google

You can report the fake website to Google by submitting its URL on the Google Safe Browsing page.

Google can block access to fake websites on its search engine and other products, such as YouTube. It can also stop Chrome and other browsers from loading the website and send emails linking to the website straight to your spam folder on Gmail.

2. Report the website to Microsoft

You can report the fake website to Microsoft by submitting its URL on the Microsoft Security Intelligence page.

Like Google, Microsoft also has some power over fraudulent websites. The company can prevent the fake website from appearing on Bing-based and Yahoo search engines and loading on Internet Explorer and Edge browsers. It can also block Outlook emails containing the link to the reported scam website.

3. Report the website to cybersecurity companies

Similarly to Google and Microsoft, cybersecurity companies also work on cyber threat intelligence and can help take down fake websites. For example, most antivirus companies will accept scam website reports to include the latest scam websites in the blocklists of their software scanners.

4. Report the website to the government

Government institutions can also help you take down fake websites. You can report the scam websites to the government by:

• Filing a fraud report at the FTC website or by calling 1-877-382-4357
• Reporting an incident to Cybersecurity and Infrastructure Security Agency (CISA)
• Filing a complaint at the FBI’s Internet Crime Complaint Center

You might also want to report the website to your local police and authorities, especially if you have already fallen victim to it. Visit our Report cybercrime page to find the links for reporting cybercrime in different countries.

5. Report the website to the company it’s impersonating

Since many fake websites impersonate legitimate companies, you can also report the scam website to the company it’s impersonating. For example, if it’s a fake website pretending to be PayPal or Amazon, you can send its link or forward a phishing email to phishing@paypal.com or stop-spoofing@amazon.com accordingly.

If it’s a fake NordVPN website, you can let us know by contacting our customer support.

Likewise, you can warn companies about their impersonators by contacting them directly or finding dedicated report pages with a quick online search.

FAQ

Who is responsible for regulating scam websites?

Regulating scam websites is typically the responsibility of government agencies such as the Federal Trade Commission (FTC) in the United States, cybersecurity authorities, and international organizations like Interpol, along with internet service providers and domain registrars.

Is there a fake Shein or Temu website?

Yes, there are fake Shein and Temu websites. You might recognize them from suspicious URLs (“shein-sale.com” or “temu-offers.net” instead of “shein.com” or “temu.com”), poor design or unrealistic discounts. To learn how to be safe while using Shein and Temu’s services, check out our blog posts on Sheins safety and Temu.

Where can I find resources to educate myself about cyber scams?

There is a lot of information on cyber scams, but always look for reliable or official resources, such as well-known organizations, government agencies, or recognized experts in cybersecurity.

1. Government websites: FTC, CISA, IC3

2. Educational platforms: Coursera, Udemy, Khan Academy, edX

3. Security blogs and hubs: NordVPN Blog, Cybersecurity Hub

4. Non-profit organizations: APWG

5. Tech news sites: TechRadar

6. Podcasts: Security Now, Darknet Diaries

7. YouTube channels: Computerphile, Security Weekly, NordVPN Youtube channel