Website spoofing, also known as domain spoofing, is a type of cybercrime whereby a website is created to mimic that of a trusted brand. The aim is usually to trick someone into giving away their financial or personal details.
It’s a tactic that is steadily on the rise. In 2020, Google reported an average of 46,000 new phishing websites being created every week. While phishing is not exactly the same as spoofing (more on the difference and overlap between the two below), it’s clear that the practice is difficult, if not impossible, to control.
The popularity of website spoofing is no surprise when you consider how easy it is for even the technologically unsophisticated to execute. Some of these fake websites can be easy to spot, while others can go undetected, with disastrous results for both customers and businesses.
A website is a vital tool for any business, so businesses should be aware of how spoofing works, as well as how to prevent it from happening to their brand.
Perhaps you’ve landed on a brand’s website before, and felt something was off about it. The grammar was bad, and the quality of the website didn’t match the prestige associated with the brand. The chances are you had landed on a spoofed website.
Website spoofing occurs when a scammer copies a brand’s intellectual property (IP), such as its logos, content, product lists, and domain name. They weave these into a website so that it looks like the official website of the brand. The aim is to trick the user into believing they are on a legitimate website, so that the user spends money or shares their details, such as usernames and passwords. Scammers may also be out to infect your computer with malware.
It is vitally important that brands don’t allow their website to be spoofed, and take down fake websites as soon as they appear. While spoofed websites are essentially stealing sales that should otherwise have gone to your brand, the biggest impact will be felt by your brand reputation. Once customers begin having bad experiences associated with your brand – even if it was a scammer purporting to be your brand – it’s difficult to undo the damage.
There are very few barriers to entry when creating a lookalike website. All the scammer has to do is copy identifying elements of your brand, such as your logo, tagline, product list, and content. This way, a user will be tricked into thinking they have landed on a legitimate website.
For their scam website to pass as your original, legitimate one, scammers will spoof your domain name. Of course, a scammer cannot simply register the same domain name, but they come up with ways to get around this.
Typosquatting is a method used by website spoofers, where they create typo’d versions of your website address. Perhaps they write amzon.com instead of amazon.com, or they will modify the ending of your domain name, such as by using .net rather than .com. Similarly, cybersquatting is when cybercriminals use slightly altered versions of the domain name, like g00gle.com.
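The lookalike patterns described above (a dropped or swapped letter, a changed ending, digits standing in for letters) can be checked mechanically when monitoring for domains that imitate your own. The following is an added example, not code from the original article or from any vendor's product; the function names and the sample list of observed domains are constructed for illustration.

```python
# Added example: flag observed domains that imitate a protected brand domain.
# Function names and the OBSERVED list are constructed for illustration.

# Digits commonly used to imitate letters, folded back to the letter.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
OBSERVED = ["amzon.com", "amazon.net", "amaz0n.com", "amaozn.com",
            "amazon.com", "example.org"]  # constructed sample input


def split_domain(domain):
    """Split 'amazon.com' into ('amazon', 'com'). Naive: single-label endings only."""
    name, _, tld = domain.lower().strip(".").rpartition(".")
    return name, tld


def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate, brand):
    """Return the reason a candidate resembles the brand domain, or None."""
    c_name, c_tld = split_domain(candidate)
    b_name, b_tld = split_domain(brand)
    if (c_name, c_tld) == (b_name, b_tld):
        return None  # the legitimate domain itself
    if c_name == b_name:
        return "tld-swap"  # e.g. .net instead of .com
    if c_name.translate(LOOKALIKES) == b_name.translate(LOOKALIKES):
        return "character-substitution"  # e.g. 0 for o
    if edit_distance(c_name, b_name) <= 1:  # noisy for very short brand names
        return "typo"
    return None


def scan(observed, brand):
    """Map each suspicious observed domain to the reason it was flagged."""
    return {d: r for d in observed if (r := classify(d, brand))}
```

A flagged domain is a lead for review, not proof of abuse: a one-character difference can also belong to an unrelated legitimate business.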
In order for scammers to steal your details or money, they have to first get you to their scam site, and they often do this through phishing techniques. To do that, they may send you a text message or an email with a link to their website, or they may create fake social media accounts leading you to their site. The more sophisticated criminals are capable of manipulating search engine results through black hat SEO techniques so that their website ranks highly.
Phishing and spoofing are terms that are often used interchangeably. Part of the confusion comes from the fact that fraudsters often use both practices in tandem.
According to The Cyberwire glossary, phishing is:
“…the delivery of a ‘lure’ to a potential victim by pretending to be some trustworthy person or organization in order to trick the victim into revealing sensitive information”
Phishing is, in other words, a social engineering tactic used to lure you into sharing sensitive information, such as social security numbers, financial information, login details, and bank account numbers. Bad actors may use emails (as with executive impersonation emails), telephone, or other methods to trick you into clicking on a malicious file or revealing private information.
Spoofing is similar to phishing, but it is centered around communications that masquerade as though they are from a legitimate source. The Cyberwire glossary defines spoofing as:
“…an attack technique that relies on falsifying data on a network in a way that enables a malicious site or communication to masquerade as a trusted one”
The aim is to get users to believe they are interacting with the original, trusted source and to share their personal information. Spoofing often happens in conjunction with phishing. For example, a phishing email may link to a spoofed website. Spoofing is usually woven into the phishing process in some way, as a means of gaining the user’s trust.
Creating a spoofed website is not illegal if the aim is to parody another brand, as long as the comical intention is clear. The kind of website spoofing we have been discussing in this article, however, is in violation of many laws.
As with a lot of digital fraud, there is usually more than one law being transgressed. For example, spoofing a website will always be infringing copyright and/or trademark law, since to spoof a website the fraudster has to copy identifying elements of the brand. If the scammer is to use the information given by the unsuspecting user, then this would be in violation of 18 U.S. Code 1029 – “Fraud and related activity in connection with access devices” if the scam was taking place in the US.
There are plenty more laws that can be broken by scammers who spoof websites; these are just a small selection so that you know your rights as a business owner.
One particularly nefarious example of website spoofing is when a scammer creates a website that impersonates a bank. They will usually draw you to the fake website via phone calls, emails, or screen-sharing software. Once you’re there, they may collect the information you put into the false security checks, install malware onto your computer, or request a bank transfer.
Fake ecommerce websites are popular among spoofers. There are two types of fake online stores: those that aim to harvest details or money from unsuspecting shoppers, and those that pretend to be a legitimate brand but sell counterfeit items. Both are highly damaging to customers and the legitimate business.
How do you even know your website is being spoofed, until it’s too late and a customer leaves you a terrible review? The best way to detect and take down lookalike websites before they start ruining your brand reputation is through automated, 24/7 software. Red Points’ Domain Management Software is constantly scanning the web for any suspiciously similar websites and sending out automatic takedown requests.
While everything you create is covered under copyright or trademark law, you may not be protected in a court of law unless you officially register your business trademarks and copyright your content. Even if you are not registered, you can still legally put the trademark and copyright signs on your website, which might just help to scare off unscrupulous copycats.
It’s important to let your customers know how and when you would ever ask them for sensitive information. For example, many banks have notices on their websites reminding their customers that they will never ask for their card details over phone or via email. Likewise with your employees, you should ensure that certain checks are met before money or information is transferred and that there is a well-established process in place.
Fake websites are being created in their thousands every day. Many of them are spoofing websites whereby lookalike scam sites replicate those of a trusted brand. Being taken in by a fake website is a distressing experience for any customer, and ultimately, this will affect the brand reputation of the original business. This may seem unfair, but as any business owner knows, your brand reputation is one of your most vital assets. Once scammers begin creating lookalike versions of your brand, your reputation is no longer in your control.
Luckily there are preventative measures you can take. The most effective one is to install automated software. You can get a domain takedown service and remove spoofing sites that take advantage of your brand with Red Points’ Domain Takedown service. That way, you can concentrate on improving your brand while Red Points focuses on keeping your brand safe from copycats.