Would You Know If You’re On a Fake Website?
Fake websites are an integral part of almost every phishing scam — and they’re only getting more prevalent. According to the Anti-Phishing Working Group (APWG) [*]:
Nearly 3 million new phishing and fake websites were discovered in the first half of 2023 alone.
Scammers create convincingly fake websites that mirror bank login pages, password reset pages for services like Amazon and Netflix, or package delivery requests. But any information you enter goes straight to the scammers — who then use it for identity theft or financial fraud.
In this guide, we’ll explain how scam websites work, how you can identify a fake website (with examples), and what to do if you accidentally visit or enter information on a scammer’s site.
What Are Fake Websites? How Do Scammers Use Them?
Scammers create fake websites to persuade you into sharing sensitive information, such as account passwords, payment details, or personal information they can use to steal your identity. Some fake websites can even infect your device with malware or trick you into buying non-existent or counterfeit products.
While some fake websites are designed to be found organically while you’re browsing the internet, most are made to be linked to in part of larger phishing scams. Fraudsters send scam emails, texts, or messages with links to websites that may look legitimate, but are designed to steal your passwords, personal data, and financial information.
Here are some of the most common ways that scammers use fake websites:
- Fake online stores with too-good-to-be-true deals. Scammers create fake online stores offering incredible deals, and then run ads for them on social media. These sites either steal your payment information or trick you into buying fraudulent products.
- Fake password login pages. Fraudsters create sites that look like login pages (for your bank, Netflix, etc.) and then include links to them in phishing messages. For example, you may receive a phishing email claiming that your bank account has been compromised and that you should click the link and enter your password and banking details to secure your account.
- Malicious pop-ups that download malware. Hackers create pop-ups on legitimate websites that download malware onto your device. Once installed, they can spy on you or scan your hard drive for sensitive information.
- Fake customer support websites. Scammers pretend to be from technical support companies and get you to give them remote access to your computer.
- Fraudulent Medicare or health insurance websites. Criminals may also target your healthcare information by creating fake websites that ask you to “verify” your Medicare number.
- Fake package delivery websites. With the increase of online shopping, scammers create fake websites that look like they’re from UPS, FedEx, USPS, and others. These fake sites ask you to verify your address and other personal information or try to trick you into giving up your credit card numbers.
- Bogus flight-booking websites. In a recent fake website scam, fraudsters create fake airfare-booking websites that steal your personal information (passport number, credit card, etc.) or sell you fake tickets.
11 Ways To Spot a Fake Website
- Check the domain name closely
- Look for a padlock symbol
- Use a website checker or safe browsing tools
- Look for poor spelling, design issues, and other red flags
- Check the domain age
- Be wary of deals that seem too good to be true
- Look for user reviews, and check for reports of scams
- Read the shipping and return policy
- Beware of non-traditional payment options
- Don’t be conned by “trust signals”
- Run a virus scan
Fake websites are everywhere and they’re getting harder to spot. Here’s how you can make sure that you’re not dealing with a fraudulent website.
1. Check the domain name closely
The easiest way to tell that you’re on a fake website is when the domain name doesn’t match the official website for the company. For example, scammers often use domain names that are similar to — or even contain — the official URL within the fake domain name.
Here are a few examples of how scammers spoof website domains:
- BankoffAmerica.com (adding an extra “f”)
- Paypal.com.secure-site.com (in this case, the domain name is actually “secure-site.com” not “paypal.com”)
- WaImart.com (using a capital “i” instead of a lower case “l”)
- Netflix-support.net (combining a spoofed domain with a different domain extension)
- Delivery.ips.com (adding “delivery” to the URL in hopes that you won’t notice they’ve spelled “UPS” as “IPS”)
The bottom line: Always check that you’re on the right domain before entering sensitive information. Unless you’re sure that you’re on a company’s official domain, you could be dealing with a fake website.
💡 Related: The 14 Latest PayPal Scams (and How To Avoid Them) →
2. Look for a padlock symbol (but don’t trust it as a sole means of verification)
All web browsers (such as Safari, Firefox, and Google Chrome) show whether a site has what’s called a “security certificate.” This certificate — also known as an SSL certificate — verifies that any information you send to the site can’t be intercepted by hackers.
You can check if a site has a valid security certificate by looking for a padlock symbol by the URL in the address bar. (Again, make sure you’re on the correct page first.)
Unfortunately, scammers have started to use SSL certificates to fool you into thinking their fake sites are genuine. If you’re unsure about a site, click on the padlock and then check any additional information about the security certificate.
Look for details like the registered company name, country of origin, province or state, and locality. These are all signs that the website uses a higher level of security — known as an “Organization Validation (OV) certificate” — which is harder for scammers to fake.
3. Use a website checker or safe browsing tools
A website checker helps you answer if a website is safe to visit. For example, it tells you if the site uses encryption to protect your data, along with the site’s level of verification certificate.
There are some good free resources that you can use to check if a website is safe to use.
- Google Transparency Report is a free resource that examines billions of URLs daily to find unsafe or compromised websites. Google reports dangerous or infected sites to their owners and also warns visitors in browsers like Google Chrome.
- URLVoid is another tool that scans URLs for dangerous content and checks them against databases of known scam websites.
- Aura’s safe browsing tools. Aura’s all-in-one digital security solution includes safe browsing tools that scan websites and warn you before you enter a fake site. You also get additional security from powerful antivirus software that blocks malware, as well as a military-grade virtual private network (VPN) that encrypts your data.
Website checkers are a good place to start. But scammers have found ways to work around them. Make sure you don’t only use a website checker. Also look for other warning signs of a fake website.
💡 Related: How To Block Websites on iPhones and iPads [4 Ways] →
4. Look for poor spelling, design issues, and other red flags
Scammers move quickly and often don’t want to take too long building fake websites (which could be identified as fraudulent and get taken down). Similar to scam emails and texts, phishing websites often include basic flaws and mistakes that legitimate companies wouldn’t miss.
Look for these design and content warning signs that typically indicate you’re on a phishing website:
- Poor spelling and grammar. Large companies employ teams of writers and editors who quickly fix spelling mistakes or poor grammar that could slip through the cracks. Don’t assume awkward language is just an honest mistake.
- Pixelated or low-quality images. Scammers don’t always have access to the right sized images or logos. Visual designs and logos on fake websites often look low-quality or blurry.
- Awkward designs and layout. If a site is hard to navigate or is missing sections, that’s a major warning sign that it’s fraudulent.
- No “About Us” page or contact information. Scammers typically include fake contact information (or none at all). If you can’t find information about the company on their website, it could be a scam. Also, beware if the only way to communicate with the company is through a generic contact form. Ideally, you should be able to find the company’s physical address and phone number on their site.
💡 Related: How To Tell If An Email Is From a Scammer →
5. Check the domain age (how long the site has been active)
Fake websites rarely stay online for long. One way to tell if a website is real or fake is to check how long it’s been active by using the Whois Lookup domain tracker.
Enter the website’s URL and you’ll be able to see details such as the owner’s organization name, country of registration, and age of the domain. It’s probably a fake website if the company claims to be registered in the United States, but their Whois Lookup query shows that they’re in another country.
Alternatively, use the Wayback Machine to see archived versions of the website and determine if it’s been used for multiple purposes.
💡 Related: Scammer Phone Number Lookup: How To Find Out Who's Calling You →
6. Be wary of deals that seem too good to be true
Scammers know that you’re willing to set your suspicions aside for a good deal.
When shopping online, don’t be fooled into trusting sketchy websites because you might save money. These fake shopping sites either steal your financial information or send you cheap knock-off versions of the items that you think you’re buying.
A good rule of thumb is that if a site advertises prices that are all 50+% off, you should take steps to confirm it’s not a fake website. For example, verify it with a website checker, look for spelling and grammar mistakes, and check the domain age and information against what’s listed.
7. Look for user reviews, and check for reports of scams
In an effort to look more legitimate, scammers often post fake reviews on their websites. But at the same time, real customers (who might have gotten scammed) can also write reviews warning you about their experiences.
Read on- and off-site reviews for mentions of fraud, non-delivery, or even identity theft. While you’re checking reviews, see if anything feels off. Scammers often create fake bot accounts on review sites in order to build trust.
Here’s how to spot fake reviews:
- There are lots of similar-sounding reviews.
- The reviews lack details that a real shopper would include (or contain overly specific details).
- The reviewers are all relatively new to the platform.
Be cautious if you run into multiple generic reviews that are unusually positive and lack accurate descriptions of the product experience.
If there aren’t any reviews on the site, you can run a Google search for “Is [website name/URL] real/a scam?” The Better Business Bureau’s Scam Tracker website is also a great place to check for negative reviews about a company.
💡 Related: How To Protect Yourself From Identity Theft →
8. Read the shipping and return policy
Official retailers have a dedicated webpage detailing their shipping and return policy. If the website you’re on doesn’t explain how to return an item, it’s a scam.
💡 Related: How To Shop Online Safely (Without Getting Scammed) →
9. Beware of non-traditional payment options
Fake websites sometimes try to force you to pay for goods using non-reversible or non-traceable payment methods — such as gift cards, bank transfers, cryptocurrencies, or payment apps like Zelle, Cash App, and Venmo.
Legitimate brands will always give you the option of paying with more traditional and safer methods — including credit and debit cards, PayPal, or “buy now, pay later” options, such as Klarna and Afterpay.
💡 Related: 14 Cash App Scams You Didn’t Know About (Until Now) →
10. Don’t be conned by “trust signals” (awards, security logos, etc.)
Scammers know that it’s a lot of work for customers to research a brand to make sure it’s legitimate. They also know that 66% of consumers are more likely to shop on a site that displays social proof of their credibility, such as industry awards, certifications, or security logos [*].
But anyone can falsify these elements on their website. When in doubt, contact the issuing organization for the trust mark to verify the company's legitimacy.
11. Run a virus scan if you experience numerous ads and pop-ups
Sometimes the goal of a fake app or website isn’t to steal your information, passwords, or money — but to infect your device with malware.
Hackers create pop-ups and ad-riddled websites that can infect your phone or computer with viruses that let cybercriminals spy on you, scan your device for sensitive data, or lock your device until you pay a ransom.
If you’ve been to a site like this recently, you need to make sure your device hasn’t been compromised.
Examples of Fake Websites: PayPal, the DMV, and USPS
Scammers are more likely to create fake websites for companies or organizations that you already trust, in the hopes that you’ll gloss over the red flags and enter your sensitive information without thinking.
Here are a few examples of fake and scam sites to help you understand what to look out for:
Fake PayPal website example
How to tell that this is a fake website:
- They use a spoofed domain that looks like the official PayPal website. Scammers create a domain that includes “paypal.com” to fool you into thinking it’s legitimate. The actual domain for the website above is “confirmation-manager-security.com” (if you look in the URL bar, this is what’s immediately before the final “.com” — as opposed to “paypal.com”). It is not a PayPal domain.
- They use PayPal’s official logo and branding. Fraudsters want you to enter your information quickly without hesitating. So they copy the company’s branding designs and create sites that are almost impossible to distinguish as fake.
💡 Related: Scammed on PayPal? Here’s What To Do →
Fake DMV website example
How to tell that this is a fake website:
- They’ve added SSL encryption to fool you into thinking you’re safe. Many cybersecurity experts will tell you to look for the “padlock” symbol by the URL to see if a site is secure (this is called an SSL certificate). Unfortunately, 84% of all phishing sites now have an SSL certificate [*]. So this is no longer an easy way to tell if you’re on a fake website.
- They’ve linked to the fake site from a text message scam. This particular fake website was part of a larger DMV text message scam. Fraudsters sent messages claiming to be from the Department of Motor Vehicles (DMV) and threatened victims by saying their licenses would be voided if they didn’t “verify” their personal information.
Pro tip: Don’t trust links in unsolicited text messages or emails. Always visit the official website directly to make sure you’re not being sent to a fake website.
Fake USPS website example
That’s what happened to Lisa Delaloye when she received a text message claiming to be from USPS asking her to reschedule her delivery. After clicking on the link, she was taken to a website that looked exactly like the official USPS site — but wanted her to input her credit card details to pay a “redelivery fee” [*].
How to tell that this is a fake website:
- They use social engineering to try to get you to act emotionally. Social engineering refers to “human hacking” — scammers use psychology to fool you into doing what they want you to do. In the case of this fake website, they assume you’re waiting on a package and then use the threat of not receiving it to get you to act.
- They use trust signals to lower your defenses. The design, USPS logo, addition of a tracking number, and spoofed domain containing “usps.com” are all legitimate-looking features that scammers include to try and get you to lower your guard.
💡 Related: How To Identify a Fake Text Message Scam [With Examples] →
Did You Give Information or Money to a Fake Website? Do This!
- Call your insurance provider. If you have identity theft insurance (or a digital security service like Aura that includes insurance coverage), call your provider and ask what to do. Aura’s team of U.S.-based fraud resolution specialists are available 24/7 to help walk you through the steps needed to recover from scams and fraud.
- Freeze your credit. A credit freeze stops anyone from accessing your credit file and makes it harder for scammers to open new accounts or loans in your name. Call each of the three major credit bureaus — Experian, Equifax, and TransUnion — and ask for a freeze. You can also lock your Experian credit file with a single tap by using Aura’s app.
- Update your passwords and enable two-factor authentication (2FA). If scammers have access to your accounts (social media, email, banking, etc.), you’ll need to regain control of them. Then, update all of your passwords to be more secure and enable 2FA for added security.
- Notify your bank and credit card companies’ fraud departments. Explain that a scammer has gotten hold of your banking information. They’ll help you close your accounts and issue you new cards and account numbers.
- Try to reverse the fraudulent payment. Reach out to the company that facilitated the payment and ask to reverse it. You can also contact the company from which you bought gift cards and explain the situation.
- File an identity theft report with the FTC. Go to IdentityTheft.gov and file an official report. This is an essential step for disputing fraudulent transactions and fixing your credit after identity theft.
- Scan your devices for malware. Use antivirus software to scan your devices for lingering malware or remote access software that scammers may have installed.
- Consider signing up for identity theft protection with credit monitoring. Aura constantly monitors your most sensitive information, financial accounts, and devices for signs of fraud or hacking. Plus, if the worst should happen, every adult member on an Aura plan is covered for up to $1,000,000 in eligible losses due to identity theft.
How To Report a Fake Website
Reporting fake websites helps make the internet safer for everyone. If you come across a fake website, here’s what you should do:
- Report a phishing site or any malicious websites to Google (this will block them in Google Chrome, Mozilla Firefox, Opera, and other browsers).
- Report the fake site to Microsoft (this will block it in Microsoft Edge and Internet Explorer).
- Report scam sites to the FTC at ReportFraud.ftc.gov or by calling 1-877-382-4357.
- Report the fake site to the FBI’s Internet Crime Complaint Center (IC3).
The Bottom Line: Don’t Get Fooled by a Fake Website
On the surface, it’s difficult to tell a scam website from an official one. But by following a few simple steps and looking for red flags, you can avoid giving up sensitive information or money to scammers.
Consider signing up for Aura to stay safe with everything you do online. Aura proactively protects you against phishing sites, monitors your credit and sensitive information for signs of fraud, and secures your devices against scammers.