Many people are aware of email phishing schemes fraudsters use to collect personal information from unsuspecting victims. But many haven’t heard of another phishing method used by scammers, often unnoticeable to the naked eye—spoofed websites. This growing problem isn’t reserved for only banking or e-commerce sites. ARC recently reported two business travel agencies have fallen victim to spoofed websites. With this news, we want to give you the low-down on what a spoofed website is, how to spot one and ways to protect yourself and your company from these scams. With cyberattacks on the rise, it is important to consider phishing as part of your global security plan.
So, what is a spoofed website? In this scheme, a fraudster creates a fake website and/or email domain that looks legitimate, often copying a real website using logos, images and even the layout/content of the site. This phishing tactic usually asks the visitor to enter log-in credentials or personal details in an attempt to collect information used for identity theft. This tactic can also be used for other fraudulent activity. In the case reported by ARC, the fraudster used the fake website to appear legitimate to hotels and book stays using compromised credit cards.
Unfortunately, it can be difficult to spot a spoofed website, but there are a few signs to be wary of. First, check the web address. A spoofed website's address usually contains a misspelled word or extra punctuation, or is excessively long. You should check for these signs not only in the web browser's address bar, but also in any hyperlinked text—hover over the link to see the full URL before clicking. Another sign of a spoofed website is pop-ups. Sometimes spoofers direct victims to legitimate sites and use a pop-up window to collect personal information. Always use the website you are familiar with, have used previously without issues and have bookmarked. Don’t rely on a Google search. Review any results returned by searches and compare the URLs.
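The address checks described above can be automated. The following Python sketch is an added example, not code from ARC or Travel and Transport; the bookmarked hostnames, the length and punctuation thresholds, and the sample URLs are constructed assumptions. It also flags two cases that are easy to miss by eye: a familiar name embedded inside a different domain, and text placed before an "@" in the link.

```python
from urllib.parse import urlsplit

# Assumed allowlist: hostnames you have bookmarked and used before (constructed).
KNOWN_HOSTS = {"www.travel.example", "portal.travel.example"}
MAX_HOST_LEN = 40  # assumed threshold for "excessively long"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def punctuation(host: str) -> int:
    return host.count(".") + host.count("-")


def check_url(url: str, known_hosts=KNOWN_HOSTS) -> list[str]:
    """Return warnings for a URL; an empty list means the host is bookmarked."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in known_hosts and parts.username is None:
        return []
    warnings = []
    if parts.username is not None:
        # Everything before "@" is user info, not the site being visited.
        warnings.append("text before '@' is not the real host")
    if host not in known_hosts:
        warnings.append("host is not one of the bookmarked sites")
        nearest = min(known_hosts, key=lambda k: edit_distance(host, k))
        if edit_distance(host, nearest) <= 2:
            warnings.append(f"looks like a misspelling of {nearest}")
        if any(k in host for k in known_hosts):
            warnings.append("bookmarked name embedded in a different domain")
        if punctuation(host) > punctuation(nearest) + 1:
            warnings.append("extra punctuation in host")
        if len(host) > MAX_HOST_LEN:
            warnings.append("excessively long host")
    return warnings


if __name__ == "__main__":
    for u in ("https://www.travel.example/login",
              "https://www.trave1.example/login",
              "https://www.travel.example.secure-login-account-verify.example.net/"):
        print(u, "->", check_url(u) or "OK")
```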
Now that you know how to spot a spoofed site, here are some tips to protect yourself if you feel like you may have landed on one:
- If you think you have found yourself on a spoofed site, scan the page for a Trust Seal. Many authentic sites use these badges issued by third-party security companies to show the site is verified, secure and safe. Please keep in mind that not every secure and authentic website, including Travel and Transport's, marks their site with any type of “Trust Seal.” This is just one indicator of authenticity.
- Check the address bar for more details on the site. Oftentimes the company name is shown alongside the URL in the address bar. Another item to look for is a lock showing the site is secure as well as “https” in the URL. This is a good first step, but not always a complete indicator of a “trusted site.” HTTPS certificates are relatively easy for an advanced hacker to obtain.
- Anti-phishing software is another way to arm yourself against scammers. Many browsers have add-ons or plug-ins to help detect phishing sites. You can also utilize the site whois.com to determine when the website was created. This site helps determine if your own site has been spoofed.
- If you are unsure if you are on a spoofed website asking for login information, give a fake password. If you use a fake password and appear to be logged in, you are most likely on a spoofed site. If your fake password is rejected, you should still be leery and take some of the other precautions mentioned in this list.
- When in doubt, contact the company directly to verify the website.
- Lastly, if you think you have fallen victim to a phishing site, immediately contact your IT team and report the site to the local police.
With processes becoming more and more automated through digital and web processes, it is important to take a comprehensive look at risk management to include crime and corruption that takes place on the web. As Travel and Transport’s Chief Technology Officer, Tim Krueger, puts it, “In today’s world of an ever changing and increasing threat landscape, user awareness and training are essential elements to any modern security program. Individual diligence in identifying and avoiding potential scams and threats is often the first and last line of defense.” We hope you never have to use these tips, but keep them in your back pocket in case you ever happen upon a fraudster.