What is website spoofing?
Website spoofing is when scammers create fake copies of legitimate websites that tend to look very similar to the real version, and often have a very similar website address.
Website spoofing has existed for some time, with ecommerce sites like Amazon, financial services from PayPal to your high street bank, and even social sites like Facebook being primary targets for cyber criminals. Criminals target companies like this due to the sheer amount of traffic going to their sites every day and the nature of information that’s entered by visitors on these sites, chiefly financial and other personal identifying information.
Whilst cyber criminals often opt to make less sophisticated spoofs of large sites in the hope of tricking less aware individuals, more sophisticated scammers have been turning their attention to smaller businesses in recent years. The benefit for criminals of spoofing smaller sites is that both owners and visitors are generally less aware.
Business owners don’t think they are at risk of spoofing because of their size and their relative unimportance compared with huge businesses, but ironically this is exactly what puts them most at risk. It’s harder to make a believable spoof of a large business because of how popular they are – people know their website URLs, know what they look like, and know how they work – so suspicions are generally raised a lot earlier and there are red flags at every turn. Generally, those caught out by spoofs of large websites are less aware or less technologically proficient. Sophisticated spoofers know that if they spoof a smaller site, so long as they are thorough, they can fool a far greater number of individuals and fly under the radar for longer.
In this article we’ll go into how and why you should be more aware, what the dangers are, what the cyber security and intellectual property (IP) implications of website spoofing are, and most importantly, how you can prevent website spoofing.
What are some examples of spoofing?
Website spoofing or impersonation
Website spoofing in its purest form is what we laid out in the introduction. This is when scammers study your website, steal all of your IP by downloading and copying everything they can, and put a copy of your website on the internet under a new address.
The aim is to dupe your real users into handing over their personal and financial information. This can then be used by criminals to reap significant rewards, or it can be used to extort you, as the legitimate business, into paying an even greater sum for the criminals to delete or hand over this information (which there is no guarantee they will do).
Crucially, your brand reputation is on the line, and whether you keep that reputation mostly intact depends on how you respond and on the efforts you make to prevent website spoofing or impersonation going forward. Whilst it’s not your fault that your site has been spoofed, it’s unlikely to reflect well on you, and some may even blame you.
Whilst it may feel like there’s nothing you can do about this, there are measures you can take to prevent website spoofing and ways to cover your back, which we will discuss later.
Domain spoofing
Domain spoofing is inextricably linked to website spoofing. When somebody spoofs your website and puts it online, it’s unlikely they’re going to put it under a random website address. Criminals have two main ways of spoofing your domain.
The first method scammers can use to spoof your domain is by intentionally misspelling it, for example “amazonn.co.uk”. This works well for much larger sites that have millions of unique visits a day, where a few thousand are likely to mistype the website address and land on the illegitimate copycat instead. As this requires a lot of traffic to be successful, it doesn’t work well for smaller sites. For these, scammers use a different method.
To spoof smaller businesses, criminals buy up domain names that mimic your legitimate site more accurately. Scammers will register domain names that have a different suffix to your website, such as .org or .net where your legitimate site is .com or .co.uk. Alternatively, they will change your domain slightly but in a way that makes sense, so instead of “thefinalstep.co.uk”, they may buy domains under “finalstep.co.uk” or “the-final-step.co.uk” for example.
Nowadays, a lot of people find websites they want to access through Google, even if they know the exact address of the website they want to visit. If you’re an established business or your marketing is top-notch, you may not worry about website spoofs because you know your website will appear at the top of Google’s search results. Unfortunately, some criminals use “Blackhat” tactics to appear above you at the top of Google, utilising paid ads to misdirect your traffic and lure your clients into clicking on a sponsored link for a spoofed website.
This is quite a sophisticated tactic and you may never come across it, but awareness is key in finding and stopping these techniques. Criminals may also use a mixture of fake texts, emails and socials to entice you and make you think the spoofed site is legitimate. Whilst people are generally aware of these forms of scam, when it links to what you think is a legitimate site, you’re more likely to be caught off guard.
So, what’s the most common type of spoofing?
You’re most likely to see spoofed websites, however sophisticated or unsophisticated they are, linked to spoofed domain names. The most likely way of ending up on these sites is by mistyping a common domain name, like amazon.co.uk, so scammers are keen to acquire as many similar domain names as possible to increase traffic to their illegitimate sites. Blackhat tactics are generally uncommon and less successful, but they are arguably more likely to hit smaller businesses than larger ones, as even with a “professional hacker” in control, you’re unlikely to outrank the likes of Amazon, Facebook, and PayPal in Google results.
Isn’t spoofing just phishing?
Phishing is where criminals try to get their hands on your data, often via fake texts or emails that appear real or, in the case of spoofing, by getting you to enter your information into copycat websites. Almost all spoofing has the sole aim of phishing for your data.
With phishing being the ultimate aim, spoof websites can make the entire operation look more sophisticated – those who are unlikely to fall for a fake text from their bank or Amazon spoof emails are more likely to fall for a spoofed website scam. This is only the case for well-crafted spoof websites, as bad copies with fake logos, an obviously incorrect URL, and spelling mistakes all over the page will raise even more red flags.
Creating a good spoof website usually means that more than one law is being broken, notably IP theft or copyright/trademark infringement. The best spoof websites are, as far as possible, identical matches of the original site with a believable URL. Whilst this makes the spoof more believable, it also gives the owner of the legitimate site more power in shutting spoofs down. Don’t be fooled into thinking that big businesses are the only ones at risk of this, as copying a website, downloading all of their IP, and buying up very similar domains is far easier when the target is a smaller website.
How do you prevent website spoofing?
Register your trademarks and intellectual property
As mentioned, there are significant IP implications of spoofing. More than anything else, it can ruin your brand reputation and cause long-lasting harm to your clients.
If you’re serious about your business and your brand, you should trademark your assets. That way, if a spoof of your website does appear and you try to take it down, you have all of the necessary documentation fighting your corner and should find it far easier to take these sites down.
Register similar domain names
One of the key factors that makes website spoofing scams so successful is domain name spoofing, as we’ve covered. Registering domain names that are similar to yours is a logical step to deter scammers from spoofing your website, as it not only hinders them in making a sophisticated copycat website, but also shows that you take your cyber security and web presence seriously.
You should start by buying up the most common domain name extensions, chiefly .com, .co.uk, and perhaps .net and .org. If you’re a multinational company, consider buying the relevant extensions for where you operate; for example, if you’re based in the UK but also operate in Germany, you want to make sure you have both the .co.uk and .de extensions. If you’ve been spoofed before or are particularly at risk, you may want to buy up similar domain names with common misspellings or abbreviations and have them redirect to your real site.
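To turn the domain spoofing techniques described earlier (misspellings like “amazonn”, a different suffix, a dropped “the”, added hyphens) into a concrete list you can register or put on a watch list, here is an added example in Python. It is not code from the original article or from The Final Step; the domain “thefinalstep.co.uk”, its brand words and the suffix list are assumed purely for illustration.

```python
# Added example: enumerate lookalike domains for your own domain so they can be
# registered defensively or monitored. Domain, words and suffixes are assumed.

KNOWN_SUFFIXES = ("co.uk", "com", "net", "org", "de")


def split_domain(domain):
    """Split 'thefinalstep.co.uk' into ('thefinalstep', 'co.uk').
    Longest suffix is tried first so 'co.uk' is not mistaken for 'uk'."""
    for suffix in sorted(KNOWN_SUFFIXES, key=len, reverse=True):
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1], suffix
    raise ValueError(f"unrecognised suffix in {domain!r}")


def typo_variants(name):
    """Single-keystroke misspellings of the registrable label: doubled,
    dropped and swapped letters (the article's 'amazonn' is a doubled n)."""
    out = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + ch + ch + name[i + 1:])               # doubled letter
        if len(name) > 3:
            out.add(name[:i] + name[i + 1:])                     # dropped letter
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # swapped pair
    out.discard(name)
    return out


def lookalike_domains(domain, words):
    """Return the set of lookalike domains for `domain`, whose label is the
    concatenation of `words`, e.g. ('the', 'final', 'step')."""
    name, suffix = split_domain(domain)
    if "".join(words) != name:
        raise ValueError("words must concatenate to the domain label")
    names = {name, "-".join(words)} | typo_variants(name)     # the-final-step
    if len(words) > 1 and words[0] == "the":
        names.add("".join(words[1:]))                         # finalstep
    suffixes = set(KNOWN_SUFFIXES) | {suffix}                 # .com, .org, ...
    found = {f"{n}.{s}" for n in names for s in suffixes}
    found.discard(domain)                                     # never list yourself
    return found


def is_lookalike(candidate, domain, words):
    """Quick check for a URL a colleague or client is unsure about."""
    return candidate.strip().lower() in lookalike_domains(domain, words)


if __name__ == "__main__":
    for d in sorted(lookalike_domains("thefinalstep.co.uk", ("the", "final", "step"))):
        print(d)
```

The output is a candidate list, not proof that anyone has registered those names; the useful next step is to check each one against WHOIS or DNS on a schedule and register the few that matter most.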
If you want somebody to register and manage your domains for you, reach out to us for a chat.
Training, training, training
We mention training in almost all of our blogs, and for good reason. Training your users and your clients on how to recognise, report, and deal with cyber security threats is your best line of defence against them. Even with all the technical defences in the world, an attack or a scam is bound to occasionally slip through the net. These attacks often come straight to your users or clients – knowing what to do in these situations is crucial.
Your staff need to know that website spoofing exists and how to identify it, so that they can always be on the lookout. If your colleagues don’t know about spoof sites or what they look like, the signs can often be overlooked. The simple things are double-checking the URL and looking at who owns the SSL certificate, if there even is one. A further meaningful step could be to check paid ads at the top of Google search results every now and again to make sure nobody is trying to divert your clients.
It’s important as well to know who would contact your clients in the event of a website spoof and how best to contact them. Whilst you should contact your clients once you know there’s a spoofed website of yours out there, it’s also important to prime them during onboarding as to what communications they should expect. This can come in many forms, but the two you see most often are: “We will never ask for your password”; and “Emails from us will always end in @company.com”.
If your colleagues or clients are ever uncertain about an email they receive, a site they’re visiting, or information they’re entering, they should always default to calling you to confirm the legitimacy of the request.