We’ve already covered the most obvious signs that someone is trying to scam you online. But it’s not always easy to spot a scam at first glance. So, before you transfer money or enter card details, it’s worth spending a bit more time and effort on checking e-mails and websites. To help, we’ve compiled eight tips to help you do just that.
1. Check the e-mail address
Before clicking on a link in an e-mail or replying, take a closer look at the letter’s From field. It consists of two parts: one for the sender’s name, one (more importantly) for the actual e-mail address. The sender’s name can be anything, which scammers often exploit by using the name of the company they’re pretending to represent.
But replacing the real e-mail address (the bit with the @ sign) is much harder, so this is where attackers can slip up. In most scam e-mails, the sender’s real address will either have nothing to do with the company being impersonated, or look similar to the real one, but not identical — with one or more characters replaced (for example, the letter “O” with the number “0”), an extra word, etc.
Spotted a typo or inconsistency? Or the sender’s address is utter gibberish? Do not reply or click any links in it, but send it to the Spam folder straight away.
2. Examine the links in the e-mail
If the message contains hyperlinks or buttons like “Get a discount”, “Claim your free gift”, “Read more”, or any other obvious call to action, always check what’s behind it.
If you hover the mouse cursor over the link or button (taking care not to click by mistake), you will see the actual address of the web resource the senders want you to visit. Find the official website of the company in a search engine and compare the URL with the link in the e-mail. If the addresses do not coincide, for example, the link has a different domain (say .org or some .xyz instead of .com), do not open the page.
While you’re at it, go to the official website from the search results and see if it mentions the discount/gift/promotion the suspicious e-mail is telling you about. If it doesn’t, it’s likely a scam.
3. Take a look at the site’s security certificate
Some characters are so similar that the naked eye is easily deceived. Therefore, we suggest another quick way to check who owns the site — after you’ve gone there. Let’s consider the example of Google Chrome (in other browsers the names of menu items may differ slightly).
- Click the padlock to the left of the URL.
- In the window that appears, select Connection is secure.
- Click Certificate is valid.
- Make sure the Issued to field contains the name of the company that owns the site.
The padlock indicates the site is certified by an independent organization and data to and from it is encrypted. We just saw the certificate confirming this. It’s fairly easy to obtain such a certificate, but not, fortunately, in another company’s name. So if the name of the company or organization appears in the certificate, it can usually be trusted (just make sure the name is correct).
What if there’s no padlock? This means that data sent to and from the site is not protected and can be intercepted not only by the site owners, but by third parties also, so entering confidential information there is definitely a bad idea.
4. Check who registered the domain and when
You can view additional information about the site domain using the Whois service. It provides data on all current IP addresses and domain names. Type the URL you want to check into the relevant field and see when the domain was registered and by whom.
The domain registration date is shown in the “Registered On” line. If a site claims to be the official resource of a reputable company with a long history, yet Whois says it’s only a couple of months old, you’re dealing with scammers.
It’s also worth looking at who the domain is registered to. The owner’s contact information can be found in the “Registrant Contact” section. If the company is a serious player, at the very least its name will be shown there, and often also its address, phone number and other details.
If the site purports to belong to a large company, but Whois displays “Private Person” in the owner field, the resource is untrustworthy. Sure, it’s generally fine for a domain to be registered by an individual, but if the site claims to be part of a huge corporation, it’s nothing if not suspicious.
5. Check the site content
Study the site in more detail: if it consists of just one or two pages, it’s very likely to be fake. Cybercriminals use such cheap and easy sites to tout fake Burning man tickets, dupe cryptoinvestors or give away PlayStation 5 consoles. Official corporate sites always have lots of sections with useful information: news, company history, products and services, partners, etc.
6. Bookmark important sites
Add all sites you frequently visit to your bookmarks and open them only from there — that way you eliminate the risk of accidentally opening a fake page. It’s especially important to do this for sites that you enter personal data on, be it social networks, online banks, crypto exchanges or e-mail clients. You can bookmark a site by clicking on the star icon to the right of the address bar.
7. Be extra careful with payments and money transfers
Sure, there’s no need to study a site in such detail if you’re going there just to read an article or watch a video. But if you’re planning to enter payment details, you should do so every time. Does the website address look strange? Does the page contain typos or odd design elements? Does the page have a proper SSL certificate (see above)? Enter your details only if everything is in order.
8. Rely on professionals
Even the most vigilant users sometimes make mistakes. But there’s good news: website verification can be automated by using a reliable solution with spam, phishing and online fraud protection. This will detect and block any threats in real time.