Scam websites are any illegitimate internet websites used to deceive users into fraud or malicious attacks. Scammers abuse the anonymity of the internet to mask their true identity and intentions behind various disguises. These can include false security alerts, giveaways, and other deceptive formats to give the impression of legitimacy.
Although the internet has numerous useful purposes, not everything on the web is what it seems. Among the millions of legitimate websites vying for attention are websites set up for an array of nefarious purposes. These websites attempt anything from perpetrating identity theft to credit card fraud.
Scam websites work in a wide variety of ways, from publishing misleading information to promising wild rewards in a financial exchange. The end goal is almost always the same: to get you to relinquish your personal or financial information.
A website of this nature may be a standalone website, popups, or unauthorized overlays on legitimate websites via clickjacking. Regardless of presentation, these sites work methodically to attract and misguide users.
Attackers using scam websites will typically use these steps to deceive users:
While a given scheme may be more complex, most can be distilled to these three basic stages.
A scam website may lure internet users through many communication channels, such as social media, email, and text messaging. Search results are sometimes manipulated through search engine optimization (SEO) methods, leading to malicious sites appearing in top positions.
By appearing as an attractive offer or a frightening alert message, users are more receptive to these schemes. Most scam websites are driven by psychological exploits to make them work.
Understanding exactly how these scams trick you is an essential part of protecting yourself. Let's unpack exactly how they accomplish this exploitation.
At their core, scam websites make use of social engineering — exploits of human judgment rather than technical computer systems.
Scams using this manipulation rely on victims believing that a malicious website is legitimate and trustworthy. Some are deliberately designed to look like legitimate, trustworthy websites, such as those operated by official government organizations.
Websites designed for scamming are not always well-crafted, and a careful eye can reveal this. To avoid being scrutinized, a scam website will use an essential component of social engineering: emotion.
Emotional manipulation helps an attacker bypass your natural skeptical instincts. These scammers will often attempt to create these feelings in their victims:
Whether these emotions work in tandem or alone, they each serve to promote the attacker's goals. However, a scam can only exploit you if it feels relevant or relatable to you. Many variants of online scam sites exist specifically for this reason.
Scam websites, like many other scam types, operate under different premises despite sharing similar mechanics. As we detail exactly what types of premises a scam website might use, you'll be better equipped to spot future attempts. Here are some common formats of scam sites:
Phishing websites are a popular tool that attempts to present false situations and get users to disclose their private information. These scams often pose as legitimate companies or institutions such as banks and email providers.
Attackers typically bait users to the website with emails or other messages claiming an error or another issue that requires your action to proceed. The scam presents a situation that asks you to provide an account login, credit card information, or other sensitive data. This culminates in the misuse of anything obtained from victims of these attacks.
As one of the most prevalent schemes, online shopping scam websites use a fake or low-quality online store to collect victims' credit card information.
These scams are troublesome as they can sometimes deliver the products or services to create the illusion of trustworthiness. However, the quality is inevitably subpar. More importantly, it is an uncontrolled gateway to obtain your credit card details for excessive and unpermitted use.
Scareware website scams involve the use of fake security alert popups to bait you into downloading malware disguised as an authentic antivirus program. They do this by claiming your device has a virus or malware infection, so that fear and urgency drive you to download a solution.
Owning a real internet security suite would help prevent malware downloads, but users who don't have it may fall prey to this.
Sweepstakes scams involve giveaways of large prizes that entice users to engage, ultimately providing financial information to pay a false fee.
This fee may be presented as taxes on the prize or a shipping charge. Users who provide their information become vulnerable to fraud and never receive the prize.
Past internet scams have frequently involved the use of dedicated scam websites in their efforts. To help you spot future attempts, here are some notable examples:
In mid-to-late 2020, reports of false COVID-19 treatments appeared. These COVID-19 scams involve gathering payment information or valuable details like your social security number (SSN) in exchange for an entry into the trial testing of a COVID-19 vaccine.
While authentic vaccination trials may offer payouts and ask for personal information, no compromising information is required to participate. Payouts for clinical trials are often done via gift card, whereas the scam may ask for your card details or even your bank account number. Basic personal information is also commonly provided in real trials but never includes your SSN or other intimate details.
In October 2020, phishing scams took advantage of a move to online services by posing as the Department of Motor Vehicles (DMV). Creating websites that mimic legitimate DMV sites has allowed scammers to take fraudulent vehicle registration payments and more.
Fortunately, there are several simple ways to protect yourself from scam websites to ensure your family and your wallet stay safe as you navigate the World Wide Web.
By following the tips below, you can better protect against these threats:
Avoiding scam websites requires moving through the internet with caution and care. While you may not be able to completely avoid these sites, you may be able to behave more effectively to keep them from affecting you. Here are some ways you can stay away from these scams.
Sites set up to spoof a legitimate site often use domain names that look or sound similar to legitimate site addresses. For example, instead of FBI.gov, a spoof site might use FBI.com or FBI.org. Pay special attention to addresses that end in .net or .org, as these types of domain names are far less common for online shopping sites.
If you want to dig a little deeper, you can check to see who registered the domain name or URL on sites like WHOIS. There's no charge for searches.
One good practice is to never pay for anything by direct bank transfer. If you transfer funds into a bank account and the transaction is a scam, you will never get a cent of your money back. Paying with a credit card offers you some degree of protection should things go wrong.
The promise of luxuries beyond your wildest dreams in exchange for a moment of your time or minimal effort is a successful fraudster practice. Always ask yourself if something sounds too good to be true.
Is the site selling tablets, PCs, or designer trainers for what is clearly a hugely discounted, unbelievable price? Is a health product's website promising larger muscles or extreme weight loss in just two weeks? What about a fool-proof way to make your fortune? You can't go wrong if you assume something that sounds too good to be true is not true.
If you still can't make up your mind about a website, do some searching to see what other people on the internet are saying about it. A reputation — good or bad — spreads widely online. If others have had a bad experience with a website, they are probably talking about it online. Look for reviews on sites such as Trustpilot, Feefo, or Sitejabber to see if a site has scammed anyone in the past.
If you can't find a poor review, don't automatically assume the best, as a scam website could be new. Take all the other factors into consideration to make sure you aren't the first victim.
When you visit a legitimate site that asks for financial or secure data, the company name should be visible next to the URL in the browser bar, along with a padlock symbol that signifies you're logged into a secure connection. If you don't see this symbol or your browser warns you the site doesn't have an up-to-date security certificate, that is a red flag. To increase your level of personal protection, always use first-rate security software to ensure you have an added layer of protection.
Also, take nothing for granted and don't just click links to open a website. Instead, type in the web address manually or store it in your bookmarks. Malicious criminals will often buy domain names that sound and look similar at first glance. By typing them in yourself or storing the one you know is accurate, you give yourself added protection.
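The lookalike-address check described above (FBI.gov versus FBI.com or FBI.org, and domains that "look similar at first glance") can be automated against your own bookmarks. The following is an added example, not part of the original article; the allowlist, the sample links and the function names are constructed for illustration, and taking the last two labels of the host as the registered domain is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Constructed allowlist: addresses you have bookmarked as known-good.
TRUSTED = {"fbi.gov", "example-bank.com"}


def registrable(url: str) -> str:
    """Return the last two labels of the URL's host, lower-cased.

    Simplification (assumption): production code should use the Public
    Suffix List so that suffixes such as .co.uk are handled correctly.
    """
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, trusted=TRUSTED) -> str:
    """Compare a link's domain with the allowlist before trusting it."""
    domain = registrable(url)
    if domain in trusted:
        return "trusted"
    name = domain.split(".")[0]
    for good in sorted(trusted):
        good_name = good.split(".")[0]
        if name == good_name:
            return f"tld-swap of {good}"  # same name, different ending
        limit = 1 if len(good_name) < 8 else 2  # short names get less slack
        if edit_distance(name, good_name) <= limit:
            return f"lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links.
    for link in ("https://www.fbi.gov/contact", "http://fbi.com/login",
                 "https://examp1e-bank.com/"):
        print(link, "->", classify(link))
```

A result of "unknown" only means the address resembles nothing on the allowlist; it is not a sign that the site is safe.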
If you fall victim to one of these malicious sites, you'll want to take immediate action. The chance to limit the attacker's ability to exploit you is still within your hands. These are a few ways you can reduce the damage of a successful scam:
When attempting to stop future scams to yourself and others, notifying the appropriate authorities is crucial.
Knowing how to report a website is just as important as doing it, so be sure to inform yourself.
Above all else, be sure to report the scamming incident to any affected services like:
Google works to avoid promoting malicious results, but be sure to report the site to help their efforts as well.
Finally, be sure to reach out to your local police as they may be able to investigate locally sourced scams of this nature.