Sites offering goods and services dirt cheap, $100 vouchers for shopping, and iPhone giveaways are a few examples of website scams you’ll encounter online. Some fake websites are obvious, but others may fool even the most tech-savvy. So how do these sites work, and what red flags give them away? You’re about to find out.
Scam websites are any illegitimate domains and web pages created to steal your money or personal information, or to infect your device with malware. Scam sites can look like many different things – a no-name shop with ridiculously cheap goods, or a real company with millions of daily users.
Creating a website scam is a form of fraudulent and malicious activity that most hackers and scammers practice. It’s relatively cheap, and copying the content of a legitimate site is not difficult either.
Usually, scam websites don’t exist independently – they have a phishing, malvertising, or spamming campaign alongside them. Scammers spread links to their malicious websites so they’d appear in:
A more diligent scammer may even use pharming techniques to redirect visitors of legitimate websites to the fraudster’s fake version.
Once you land on a fake page, how the website scam works depends on the type of scam.
Some fake websites imitate a login or payment page of a well-known company or brand, so you feel like it’s the real thing and provide your credentials. Other fraudulent websites try to scare you into downloading malware by warning about viruses on your device and offering software to solve the problem.
A website scam can also look like a typical online store, except when you order goods, the scammers run away with your money, and no delivery ever arrives.
There are different types of scams online, and scam sites also come in different shapes and sizes. Each scam website type has distinctive features that could serve as a red flag for spotting them.
Phishing websites are one type of phishing attack. Fraudsters distribute the links to these websites via email and fake everything from the sender to every part of the website they pose as. Everything except a small detail in the URL looks like it belongs to a real company, usually one with lots of customers, such as Amazon or PayPal.
Fake e-shops look like real e-commerce sites, except they don’t sell anything. They promise you goods or services with discounts or vouchers that sound too good to be true.
You add items to the cart, go to the payment page, and submit your payment information. Scammers get your payment card details while you wait for items that never arrive and find suspicious purchases on your next bank account statement.
Along with the fake online stores, you can find pages that pretend to sell tickets, usually way cheaper than the legitimate seller. In case of ticket fraud, you may even receive a ticket. But it won’t grant you entrance anywhere because the ticket will be as fake as the website.
Clone sites imitate legitimate companies. They pose as health insurance, government, bank, or other authoritative institutions.
Clone websites ask you to pay fines or extend your insurance, warn you about suspicious payments on your account, or rush you into confirming your passwords, bank details, and other information. If you fall for this website scam, everything you submit on such a copycat website ends up in the hands of fraudsters.
Scareware sites are the most distinct fake website type. They use fake virus alerts and misleading buttons to trick you into downloading malware rather than submitting sensitive information.
You can recognize these pages from the clickbaity pop-ups and messages warning you about viruses on your device, with a convenient button linking to antivirus software that supposedly eliminates the malicious software.
Whether they ask you to pay for an antivirus or they give it to you for free, the download is malware in disguise. Instead of removing non-existent viruses, it infects you with real malware. And then it can do as much damage as multiple fraud websites combined – wreck your device, steal your sensitive information, including payment card details, or hold your device hostage and demand a ransom.
Fake sweepstake sites announce you as a winner of a free iPhone or another fabulous prize, even if you have never entered any contest to begin with.
Sweepstake websites may even show you your IP address or the name of your ISP to look more legitimate. To claim your prize, you’re asked to provide your personal information or pay for the delivery, losing sensitive data and money in the process.
Scammers have all kinds of tools to create scam websites, so telling a fake page from a real one can be challenging.
If they impersonate a legitimate website, they can manipulate its URL, favicon, security certificate, and content. You need to be extra careful and pay attention to the smallest details.
Here are some things you can do to identify a fake website.
Most website links come from somewhere – search results, social media sites, friend messages, you name it. Fake website links are no exception. And the source of their links can be the best indicator that the website is a fraud.
Always check the source of links you plan to open. If it’s an email, look at the sender, content, signature, and other phishing email giveaways. Ask yourself whether you expected this email and whether it makes sense that you’re getting it.
Do the same for other sources too.
Social media posts and comments have authors you can check. If someone with barely any friends and a stock image as a profile icon spreads the link in a robotic manner, chances are, the link will lead to something malicious.
PRO TIP: Never enter sensitive information after following a link or clicking a pop-up. Instead, use your go-to search engine or bookmarks to find the legitimate website manually.
Social media and online forums are full of fake posts and comments written by bots and trolls, so spreading fake websites there is not uncommon.
Other sources may be less evident. For example, you can’t always trust your search engine results. Scammers can buy ads and invest in search engine optimization, so their websites appear at the very top of search engine results.
And even messages from your friends can include links to fake websites if they have clicked on the same link and got their device infected beforehand.
Before opening the link, you should also analyze the URLs and domain names. It’s especially crucial when you receive it from a questionable source, such as spam email or a social media comment.
Some links are different from what they seem. For example, take a look at the following link:
It looks like a link to the Google search engine, but if you check the link destination (URL), you’ll see that it opens the DuckDuckGo search engine instead. You can do it by hovering over the link with your mouse on the computer or pressing and holding the link down until the URL appears on mobile.
Checking the link destination should be the first step before opening any link. But it’s not the only one.
In the example above, it’s clear that the actual link is leading to another site. But if that URL looked more like Google, it would be easy to make a mistake. And scammers have plenty of ways to make the links look similar, especially when the links are much longer than our example.
The scam website could:
And there are even more URL spoofing techniques out there. So whenever you have doubts about the link, don’t click on it directly. Open the bookmarked version of the page if you have it saved, or look it up on the search engine.
Another thing you should check when looking at the URL is whether the site has an SSL/TLS certificate. It’s indicated by a padlock symbol before the URL and HTTPS prefix in the web address bar.
SSL/TLS guarantees that the information you exchange with the site is encrypted and thus more secure than data you submit on websites without the certificate (those starting with HTTP but missing the “S” at the end). It keeps your information safe from third-party snooping, such as man-in-the-middle attacks.
However, if a site is secure from third parties, it doesn’t mean it’s safe overall. When it comes to fake websites, you need to worry about the party running the site.
Fraudsters can get a certificate for their fake website to look more legitimate. So while you can consider HTTP websites unsafe, don’t let your guard down after seeing that the site runs on HTTPS. Check certificate details on your browser:
The details you get can differ depending on the certificate type. But you’ll be able to see the domain in the certificate details, which would reveal the website’s actual domain, even if the scammers tried to fool you by piling on subdomains.
Meanwhile, the subject reveals to whom the certificate is issued. If the organization is not the company that should be responsible for the website, that’s another red flag.
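The two certificate checks above (the domain the certificate actually names, and the organization in its subject) can be expressed as code. This is an added example, not part of the original article; the certificate dictionaries are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and all domains, the organization name and the function names are placeholders.

```python
def cert_identity(cert):
    """Pull the subject organization and DNS names out of a getpeercert()-style dict."""
    subject = {key: value for rdn in cert.get("subject", ()) for key, value in rdn}
    dns_names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"organization": subject.get("organizationName"), "dns_names": dns_names}

def belongs_to(host, expected_domain):
    """True only if host is expected_domain itself or a subdomain of it."""
    host, expected_domain = host.lower().rstrip("."), expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)

def review(cert, expected_domain, expected_org=None):
    """List red flags for a certificate shown by a site claiming to be expected_domain."""
    ident, flags = cert_identity(cert), []
    # Drop a leading wildcard label before comparing, e.g. "*.example.com".
    bare = [n[2:] if n.startswith("*.") else n for n in ident["dns_names"]]
    stray = [n for n in bare if not belongs_to(n, expected_domain)]
    if stray or not bare:
        flags.append(f"certificate names {stray or 'no DNS names'}, not {expected_domain}")
    # Many legitimate certificates carry no organization, so this check is optional.
    if expected_org and ident["organization"] != expected_org:
        flags.append(f"subject organization is {ident['organization']!r}, expected {expected_org!r}")
    return flags

# Constructed sample: the brand name is piled on as subdomains of another domain.
FAKE_CERT = {
    "subject": ((("commonName", "example.com.account-check.example.net"),),),
    "subjectAltName": (("DNS", "example.com.account-check.example.net"),),
}
# Constructed sample: certificate issued to the expected organization and domain.
REAL_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

if __name__ == "__main__":
    for label, cert in (("fake", FAKE_CERT), ("real", REAL_CERT)):
        print(label, review(cert, "example.com", "Example Corp"))
```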
If you take a real website and its fake copy, another clear difference could be the domain age. Let’s take PayPal as an example. The legitimate PayPal website was created in 1999, while fake copies only survive a few weeks or months. And it’s not just PayPal copies – most fake websites are taken down sooner rather than later.
So it’s helpful to check the domain age on the Whois Lookup page. It’s easy, too – paste the URL you want to inspect and review the “Dates” in the domain profile details. It shows exactly how many days old the domain is and when it was registered.
Sometimes taking a closer look at the content is all you need to spot a fake website. If the website has any of the following, it’s not a good sign:
Scam websites tend to reuse their text and images on many domains, so you can use search engines (Google and the like) to look up the content.
Phishing scams and fake websites are a huge problem, so many tools are available to combat them. You can always paste the URL of a website into one of these tools, for example, Google’s Safe Browsing Site Status tool.
NordVPN’s Threat Protection feature also keeps tabs on fake websites and helps you prevent landing on them. Its URL scanner checks the websites against its blocklist of sites to see if the website is secure. You can enable Threat Protection on your NordVPN app to have extra peace of mind when opening unknown links.
If you fall for a website scam, you risk losing sensitive information and money or infecting your device with malware. And these outcomes are not mutually exclusive.
Scammers can use your information for identity theft, contacting and fooling your loved ones, taking loans, opening new accounts in your name…the list goes on. If that information includes any financial details or can give indirect access to financial information, you also risk losing money.
The dangers of malware infection depend on the type of malware. If you’re lucky and hackers only install adware on your device, you’ll see many unwanted ads. Annoying but not too threatening. Other types of malware are more dangerous – hackers can hold your device or documents hostage and ask for a ransom payment or log everything you do and type on your device to get personal or financial information.
No matter what risks a fake website brings, it’s crucial to take immediate action if you identify a scam website or, worse, fall victim to it.
If you fell for a fake website, take the following steps immediately:
Reporting scam websites is the key to getting rid of them as soon as possible. It can help prevent people from falling victim to these online scams.
Love or hate Google, it can block access to fake websites on its search engine and other products, such as YouTube. It can also stop Chrome and other browsers from loading the website and send emails linking to the website straight to your spam folder on Gmail.
You can report the fake website to Google by submitting its URL on the Google Safe Browsing page.
Like Google, Microsoft also has a lot of power regarding fraudulent websites. The company can prevent the fake website from appearing on Bing-based and Yahoo search engines and loading on Internet Explorer and Edge browsers. It can also block Outlook emails containing the link to the reported scam website.
You can report the fake website to Microsoft by submitting its URL on the Microsoft Security Intelligence page.
Similarly to Google and Microsoft, cybersecurity companies also work on cyber threat intelligence and can help take down fake websites. For example, most antivirus companies will accept scam website reports to include the latest scam websites in the blocklists of their software scanners.
Government institutions can also help you take down fake websites. You can report the scam websites to the government by:
Also, report the website to your local police and authorities, especially if you have already fallen victim to it. Visit our Report cybercrime page to find the links for reporting cybercrime in different countries.
Since many fake websites will impersonate a legitimate company, you can also report the scam website to the company it’s impersonating.
For example, if it’s a fake website pretending to be PayPal or Amazon, you can send its link or forward a phishing email to phishing@paypal.com or stop-spoofing@amazon.com accordingly.
If it’s a fake NordVPN website, you can let us know by contacting our customer support.
Likewise, you can warn companies about their impersonators by contacting them directly or finding dedicated report pages with a quick online search.