What is Website Spoofing and How Can You Protect Yourself from It?
Website spoofing is the act of creating fraudulent websites that look almost identical to legitimate ones. The purpose of these sites is sometimes political or satirical, but most often it is malicious: the people behind them want you to believe you have arrived at your bank or investment company, so that you enter your login credentials and hand them exactly what they need to get into your real bank or investment accounts and steal your money.
What is Website Spoofing?
Spoofed websites are increasingly common, and new ones pop up every day. They do everything they can to look and feel identical to the website you are used to seeing, so it’s not surprising that people are fooled by them.
Think of it like someone creating a parallel street to 5th Avenue in New York City or Rodeo Drive in Los Angeles. On that street, they’ve put up identical store fronts, and when you walk inside each of the stores look and feel the same as the original. The only difference is, they’re selling knock-offs of everything and stealing your credit card information when you make a purchase. And they’ve set the whole street up just one block down from the actual 5th Avenue or Rodeo Drive. So, a savvy local shopper can probably detect the issue, but someone from out of town may find themselves walking down the street of fraudulent shops, thinking they’ve arrived where they intended to be. After all they are very close to their destination, and they see everything they expect to see.
Why Are We Vulnerable to Website Spoofing?
It’s true that we can be lured to fraudulent websites through phishing emails. But another reason we are vulnerable to website spoofing is that we often initiate the visit to the fraudulent site ourselves, without being lured there, so our defenses are not up the way they would be when a link arrives in a suspicious email.
How is it even possible that we voluntarily take ourselves to these fraudulent sites? There are a few ways that this happens.
It’s rare that any of us type a full URL, like https://sustain-financial.com/, into our browsers these days. More commonly, we type the name of a company like “Charles Schwab” or “Sustain Financial” into a search engine, or into the browser’s address bar, which usually runs a search as well.
Then, we’re relying on the fact that the browser or search engine is going to bring up what we’re looking for. The problem is that the browser or search engine may bring up something that’s almost, but not quite what we’re looking for. And because no one lured or coaxed us into it, our general defenses about suspicious websites are not heightened as they might be after receiving an email inviting us to click a link.
Even if you do type in a full URL, you can still be vulnerable. Many of these sites rely on a technique called typosquatting: the attacker registers domain names that are one keystroke away from the real one (a dropped letter, two letters swapped, a missing hyphen, a digit 1 in place of a lowercase l, or a different ending like .co instead of .com) and simply waits for you to make a single mistake when keying in the address.
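The following is an added example, not code from the original article, showing how the one-keystroke variants described above are enumerated. A defender can run this against their own domain to decide which look-alikes to register or monitor. The domain sustain-financial.com is the article's own example host; the keyboard, homoglyph and alternate-TLD tables are assumptions chosen for illustration.

```javascript
// Added example (not from the original article): enumerate the one-keystroke
// and look-alike domains a typosquatter could register against a legitimate
// domain. The keyboard, homoglyph and TLD tables below are illustrative
// assumptions, not an exhaustive list.

// Keys physically next to each key on a QWERTY keyboard (fat-finger typos).
const ADJACENT_KEYS = {
  q: 'wa', w: 'qes', e: 'wrd', r: 'etf', t: 'ryg', y: 'tuh', u: 'yij', i: 'uok', o: 'ipl', p: 'o',
  a: 'qwsz', s: 'awedxz', d: 'serfcx', f: 'drtgvc', g: 'ftyhbv', h: 'gyujnb', j: 'huikmn', k: 'jiolm', l: 'kop',
  z: 'asx', x: 'zsdc', c: 'xdfv', v: 'cfgb', b: 'vghn', n: 'bhjm', m: 'njk',
};
// Characters that read the same at a glance (visual, not typing, mistakes).
const HOMOGLYPHS = { l: '1i', i: 'l1', o: '0', e: '3', a: '4', s: '5', b: '8', g: '9' };
// Letter pairs that look like a single letter and vice versa.
const BIGRAM_SWAPS = [['rn', 'm'], ['m', 'rn'], ['vv', 'w'], ['w', 'vv'], ['cl', 'd']];
// Endings a squatter commonly registers alongside a .com target.
const ALT_TLDS = ['.co', '.cm', '.net', '.org', '.info'];

function typosquatCandidates(domain) {
  const dot = domain.lastIndexOf('.');
  const label = domain.slice(0, dot).toLowerCase();
  const tld = domain.slice(dot).toLowerCase();
  const normalized = label + tld;
  const out = new Set();
  // DNS labels may not be empty or start/end with a hyphen.
  const add = (l, t = tld) => {
    if (l.length === 0 || l.startsWith('-') || l.endsWith('-')) return;
    const candidate = l + t;
    if (candidate !== normalized) out.add(candidate);
  };
  for (let i = 0; i < label.length; i++) {
    const ch = label[i];
    const before = label.slice(0, i);
    const after = label.slice(i + 1);
    add(before + after);                                    // omission:      sustain-finacial
    add(before + ch + ch + after);                          // doubled key:   sustain-finnancial
    if (i + 1 < label.length) {                             // transposition: sustian-financial
      add(before + label[i + 1] + ch + label.slice(i + 2));
    }
    for (const k of ADJACENT_KEYS[ch] || '') add(before + k + after); // fat finger: sustain-finsncial
    for (const h of HOMOGLYPHS[ch] || '') add(before + h + after);    // homoglyph:  sustain-financia1
  }
  if (label.includes('-')) add(label.split('-').join(''));           // sustainfinancial
  for (const [from, to] of BIGRAM_SWAPS) {
    if (label.includes(from)) add(label.split(from).join(to));
  }
  for (const t of ALT_TLDS) add(label, t);                           // sustain-financial.co
  return out;
}

// True if an observed domain is one of the generated look-alikes of the real one.
function isLookalikeOf(candidate, legitimateDomain) {
  return typosquatCandidates(legitimateDomain).has(candidate.toLowerCase());
}

// Demo on the article's example host; the typed domains are constructed inputs.
const LEGIT = 'sustain-financial.com';
console.log(`${typosquatCandidates(LEGIT).size} look-alike candidates for ${LEGIT}`);
for (const typed of ['sustain-finacial.com', 'sustian-financial.com', 'sustainfinancial.com',
                     'sustain-financia1.com', 'sustain-financial.co', 'sustain-financial.com']) {
  console.log(typed.padEnd(26), isLookalikeOf(typed, LEGIT) ? 'LOOK-ALIKE' : 'ok');
}
```

The generated set is the list a registrar-side defender would register defensively or feed into a certificate-transparency or DNS monitor; a browser plug-in could use the same `isLookalikeOf` check to warn before a page loads.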

How Can We Protect Ourselves from Fraudulent Websites?

Bookmark Important Sites
A great habit to get into is to bookmark your frequently visited sites, especially those related to your finances. Rather than using a search engine or typing the address from memory each time, push yourself to use the bookmarks in your web browser, ensuring you are always returning to the same place.

Use a Reputable Password Manager
In our previous post on password management, we recommended using a strong password manager to create and store passwords for you. Not only does this promote the use of strong, unique passwords, but there’s another huge benefit to this practice: a password manager ties each saved login to the exact website address it was saved on. A spoofed site lives at a different address, however similar it looks, so the password manager won’t recognize it and won’t autofill your login credentials.
If you find yourself at what feels like a familiar site, but your password manager isn’t automatically filling your credentials, it should be a cue to stop and think: is there a reason the password manager doesn’t recognize this? Am I really in the right place?
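The following is an added example, not code from the original article or from any particular password manager, showing the check a password manager performs before it offers to autofill: the current page's address is parsed and its host compared with the host the credential was saved on. The saved entry and the candidate URLs are constructed for illustration, and the two matching policies shown are simplifications of what real products offer.

```javascript
// Added example (not from the original article): the origin check behind a
// password manager's autofill decision. The vault entry and the page URLs
// below are constructed inputs.

// A saved vault entry: the origin the user was on when the password was stored.
const SAVED_ENTRY = { origin: 'https://sustain-financial.com', username: 'alice' };

// Decide whether a vault entry may be filled on the page at `currentUrl`.
// allowSubdomains=false is the strictest policy (exact scheme and host);
// allowSubdomains=true also fills on hosts under the saved one, such as
// https://online.sustain-financial.com. Real password managers differ in
// their default here, but none of them fill on a host that merely resembles
// the saved one.
function shouldAutofill(entry, currentUrl, { allowSubdomains = false } = {}) {
  let saved, current;
  try {
    saved = new URL(entry.origin);
    current = new URL(currentUrl);
  } catch (err) {
    return false;                           // unparsable address: never fill
  }
  // Scheme must match: credentials saved on https are not handed to http.
  if (current.protocol !== saved.protocol) return false;
  // URL parsing lower-cases the host and converts Unicode look-alikes to
  // their xn-- (punycode) form, so they never compare equal to the real name.
  const host = current.hostname;
  if (host === saved.hostname) return true;
  // The suffix check must include the leading dot:
  // "sustain-financial.com.secure-login.example" ends with
  // "sustain-financial.com" but not with ".sustain-financial.com".
  return allowSubdomains && host.endsWith('.' + saved.hostname);
}

// Constructed pages a user might land on while looking for the bank.
const PAGES = [
  'https://sustain-financial.com/login',                  // the real site
  'https://online.sustain-financial.com/login',           // a real subdomain
  'https://sustain-financia1.com/login',                  // homoglyph typosquat
  'https://sustain-financial.com.secure-login.example/',  // real name as a subdomain of the attacker's host
  'http://sustain-financial.com/login',                   // right host, wrong scheme
  'https://sustаin-financial.com/login',                  // Cyrillic 'а' in place of Latin 'a'
];

for (const url of PAGES) {
  const strict = shouldAutofill(SAVED_ENTRY, url);
  const lenient = shouldAutofill(SAVED_ENTRY, url, { allowSubdomains: true });
  console.log(url.padEnd(54), `strict=${strict}`, `subdomains=${lenient}`);
}
```

Every spoofed address in the list comes back `false` under both policies, which is exactly the silence the text above tells you to treat as a warning sign.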

Turn on Two Factor Authentication
Two-Factor Authentication is one additional step between the bad guys and your accounts. Even if you get duped by a spoofed website and accidentally hand over the username and password for your bank account, if you have 2FA set up on that account, the criminals can’t get past the 2FA requirement with the password alone. One caveat: a well-made spoofed site may also ask you for the 2FA code and use it right away, so never enter a code on a page you have any doubts about. If you haven’t already been forced to set up 2FA on your accounts, now is a good time to start!

Keep Your Awareness Up
This is really at the heart of internet safety… if something feels off, it probably is. The problem for most of us is that we’re often emailing, logging in, and doing all of our other internet tasks while we’re thinking about other things, so we can miss small but obvious cues that something is off.
If your password manager doesn’t auto fill your login information, but you simply override it and enter it in manually, without asking yourself whether there’s a good reason it may not be working, then you’ve missed a critical cue.
We know how hard it is to do, but put aside your other tasks before sitting down to log in to your accounts, and make sure you’re paying enough attention to spot the red flags you may encounter. There are usually several small cues that something is off; the bad actors behind these sites are counting on people not paying enough attention to catch them.
What Can You Do If You’ve Been Spoofed?
Don’t panic. If all you’ve done is navigate to a site that’s not legitimate, and you didn’t enter any of your login credentials or download anything from the site, there’s likely nothing to worry about.
If you did enter your credentials, perhaps only to have them rejected a couple of times, which made you suddenly suspicious of the site and is now causing you to panic, then stop, take a deep breath, and head directly to the real site you were trying to reach in the first place.
Log in and change your password immediately. Remember, as long as you have 2FA set up, the bad actors can’t get into your account with just your username and password (but also remember not to give a 2FA code to anyone who asks for it). Even so, change your password as soon as you can.
If you can’t get into your account, though, act fast and call the company immediately to let them know there is a problem. Time is of the essence when it comes to fraud and compromised accounts. If you suspect someone has gained access to your accounts, you need to drop everything and get on the phone with your account provider.
Protecting Yourself and Your Money
We know that cybersecurity isn’t really top of mind for most people, but taking the time to implement even just one or two of these tips could save you from losing thousands of dollars. Website spoofing is just one of many scams out there, and even reading this article means you’re at least more aware (and hopefully a little more cautious) about the ways even familiar internet routines can pose a threat to your online identity and login credentials.