How to Avoid Being Scammed by Fake Web Pages

Frederick Scholl, Ph.D., Cybersecurity Program Director, Quinnipiac University
Quinnipiac University’s Cybersecurity Program Director, Dr. Frederick Scholl.

We’ve all read about people losing money, personal information and more, by going to fake web sites. No wonder-- there are over 1.8B web sites now and it costs less than $11.99/per year to register a new site An easy way to start a life of online crime. These days, it is easy to stumble across a fake site. According to ZDNet, there around 1.4 million new phishing sites launched per month; of those, tens of thousands are devoted to new COVID scams. Because we are all online more these days, it becomes even more important to spot fake sites1. This blog post will outline some ways to surf safely. There are two categories of cyber threat: technical and human. There are also two categories of cyber defense here: technical and human. The human defense is you.

On the technical side you should look for suspicious domain names and missing padlocks. On the human side, you need to engage your reasoning and critical thinking skills to evaluate the website’s content. Technology will generally keep you away from questionable domains, but hackers are always able to game the system. It is readily possible for your computer to be infected just by surfing to an infected web site. This is the so-called “drive by download”. Reputable sites to everything they can to prevent themselves from being malware spreaders; less reputable sites may be less diligent.

Suspicious Domain Names

Suspicious domain names come in different guises, like the proverbial wolf in sheep’s clothing. They have in common the goal to fleece you.

    1. One type imbeds a real domain moniker, in order to entice you. Example yahoo.us3.list-manage.com, which has absolutely nothing to do with Yahoo.
    2. Mass produced domain names. A real domain will have a memorable URL (Uniform Resource Locator) like www.quinnipiac.edu or www.ibm.com. Mass produced URL’s set up by fly by night scammers look like this: s2144943590.t.en25.com. Of course, the en25.com domain name registrant is hidden.
    3. Link substitution. Kpmg-office, instead of kpmg.com cost a midwestern company $15 million in losses through a Business Email Compromise attack.
    4. Using similar letters and numbers to fool your eyes. Example h1.hilton.com (see image). Is this legit or not? One way is to go to www.whois.com/whois and check the domain registration. Scammer sites will always hide any real owner. In this case the owner is shown to be Hilton, Inc. so the email was real, thank goodness.

Popular brand's url is created by scammers to cause confusion.

    5. Pretty much every web site these days uses secure communication (i.e. HTTPS instead of HTTP). This keeps your information secure while using that web site. However, scammers may not use this method, since it requires them to register their site to get an SSL security Certificate. Although the certs can be obtained for free, it is still a hassle for a crook to constantly be registering new fly by night sites. So, if you see a site—like the one below-- that does NOT have a padlock, I would stay away.

Popular brand's url does not show it is locked. This is an example of a cyberscam.

Suspicious Content

On the human side, you need to constantly be on the lookout for fraudulent, suspicious or illegal content. Here are a few examples:

    1. Email that does not have unsubscribe link. Since the CANSPAM act of 2003, all email must have a way for you to unsubscribe from more email. Here’s an example of an email message footer without such a link. It may be from a legitimate firm. But I’m not doing business with a company breaking the law at the outset.

An email without an unsubscribed button may be legitimate, but not good business practice.

    2. One of the most dangerous web sites to visit is a “phishing site”. This type of site aims to collect confidential log in information. Such sites may be embedded in “come on” emails enticing the reader to “click here”. They try to look like real sites, with stolen logos. An example of a live phishing site (as of October 5, 2020) is shown here:

Scammers brand with just a logo to tempt people to click to a fraudulent site.

It’s minimalist, with only the AT&T logo to identify itself. You can check out whether a site is a phishing site, by going to https://www.phishtank.com/phish_archive.php.

    3. Is the offer too good to be true? The example below might raise some questions. Everyone wants a way to cut the cable bill. Free HDTV is a great idea as well in this pandemic time. These “to good to be true” observations trigger some others like strange sending email address; unusual URL (sevelop.eu2 ) used for the “Order Now” link; suspicious “unsubscribe” addresses on West 45th Street, NYC and in Eygelshoven, Netherlands. This may be a great offer, but I’m staying away.

Suspicious offer is too good to be true.

    4. Check the reviews. You might think this protects you, but reviews can and are faked. I recently purchased a book (on cybersecurity of all things!) on Amazon because of its glowing reviews.

Online Reviews

After receiving the book, I decided it had been computer generated and had no value. Looking more carefully at the reviewers I saw they were all fake. I then went to www.fakespot.com to doublecheck and my suspicions were confirmed. The book and its reviews were totally bogus.

Fakespot.com evaluates online reviews.

In summary, you need to be constantly vigilant. Why? Scammers are aware of technical countermeasures and are constantly seeking and finding ways around them. They will continue to mutate their tactics, always going to where the money is. There is no other silver bullet to protect you.

Quinnipiac University’s online MS in Cybersecurity program trains technically proficient security defenders. Learn more about how the MS in Cybersecurity degree can give you the necessary skills to pursue a career in the security vendor space.


References

1www.which.co.uk “How to spot a fake, fraudulent or scam website”.

2Checking sevelop.eu on whois.com shows a hidden registrant name.

Related Articles