How scammers use fake web addresses
Which companies do you think own these web addresses?
If you said HSBC, PayPal, and British Airways - you'd be wrong!
The above are all examples of how attackers can use little tricks to try and fool us into visiting the wrong website. For these examples, the first address has nothing to do with HSBC (it goes to security.com instead), the second uses the number 1 instead of the letter l, and the third uses a Cyrillic "A" instead of a Roman letter "A". Not easy to spot, ay?!
To find out how to spot these scams, read on.
How to read a web address
Identifying the 'domain name'
Domain names are a critical aspect of any web address, as they are the bit that determines which website your computer will connect to. Examples of these include amazon.com and becybersafe.com.
This is important - being able to identify the domain name from within a full web address is part of the key to knowing if you're visiting a genuine company's website - or one run by criminals instead.
The tricky bit however can sometimes be knowing how to identify the true domain name from a web address - criminals try all sorts of tricks to make you think you're going to one website when actually they're taking you to another.
But once you know how to recognise domain names, then it's actually quite straightforward.
Extracting domain names from web addresses...
Web addresses are made up of lots of elements to help your computer find the website and page you're looking for. In addition to the domain name, they may also include the communication method used (eg https or http), any subdomains (where you normally see the www), the pages requested, and other parameters as well.
The steps to identifying the domain name from a web address are:
- Start from the far left of the address and read right. Ignore the http:// or https:// (if there is one) and simply read everything up to the next "/" character.
- What you have now is the part of the address that locates the website, being made up of several text labels separated by dots (each of these is more specific the further left it is). You can think of these as being a bit like a postal address in the structure of:
- So, for www.becybersafe.com, you have:
  - www - This is an example of what is known as a 'subdomain'. www is extremely common but it can actually be anything (or left out altogether), and there's no limit to the number of elements that can be used. You can ignore this label - it has no bearing on who really owns the domain name.
  - becybersafe - This is the main domain name. Together with the next element (the 'Top Level Domain') this is the bit you should be interested in.
  - com - This is the 'Top Level Domain (TLD)'. There are many of these TLDs, such as .org or .net, as well as many that are country specific like .co.uk.
For example from the web address:
You'll be left with:
In the above example then, "becybersafe.com" is the domain name and tells you which website you're visiting.
Criminals will often try to add lots of other text into a web address to try to confuse you, for example putting legitimate brand names into the subdomain in the hope that users think this is the domain name.
Extracting domain names from email addresses...
In an email address the process is much easier - take everything to the right of the @ symbol and read from right-to-left as above. Along with the top level domain, the next label to the left is the domain name.
So how about these?
In all the examples below, only the part in bold represents the domain name. The other parts are often padding that is intended to try and fool you - only the core domain name should be used when assessing if a website is genuine or not:
- Web addresses:
- Email addresses:
As you can see, there are a few ways in which criminals try to fool us with domain names. These could include:
- Using the company name elsewhere in the full URL (such as "www.amazon.order-updates.co.uk"),
- Missing dots between labels (eg in the above examples, "wwwamazon"),
- Splitting company names up with dots ("bank.ofamerica.com"),
- And putting the genuine company's domain name to the right of the real domain name ("mywebsite.com/home.php?www.hsbc.com").
They may also just simply use something that sounds similar to a genuine company ("facebook-security-alerts.com").
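The steps for web addresses and email addresses described above can be written as a short program. This is an added example, not part of the original article; it assumes a tiny hand-picked set of two-label endings such as .co.uk (real tools use the full Public Suffix List), and the function names and the sample email address are made up for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: a tiny hand-picked set of two-label endings for this demo.
# Production code should consult the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "uk.com"}

def registrable_domain(host: str) -> str:
    """Return the main domain name together with its top level domain."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])

def domain_from_url(address: str) -> str:
    """Ignore http(s)://, read up to the first '/', then drop the subdomains."""
    if not re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", address):
        address = "//" + address  # lets urlsplit treat the start as the host
    return registrable_domain(urlsplit(address).hostname or "")

def domain_from_email(address: str) -> str:
    """Take everything to the right of the '@' and reduce it the same way."""
    return registrable_domain(address.rpartition("@")[2])

def brand_is_padding(address: str, genuine_domain: str) -> bool:
    """True when the brand name appears somewhere in the address but the
    domain name that decides the destination is not the genuine one."""
    brand = genuine_domain.split(".")[0]
    return brand in address.lower() and domain_from_url(address) != genuine_domain

if __name__ == "__main__":
    # Addresses quoted in the article, plus one constructed email address.
    for sample in ["https://www.becybersafe.com/some/page",
                   "www.amazon.order-updates.co.uk",
                   "bank.ofamerica.com",
                   "mywebsite.com/home.php?www.hsbc.com",
                   "www.facebook.uk.com"]:
        print(f"{sample:45} -> {domain_from_url(sample)}")
    email = "alerts@mail.facebook-security-alerts.com"  # constructed sample
    print(f"{email:45} -> {domain_from_email(email)}")
    print(brand_is_padding("www.amazon.order-updates.co.uk", "amazon.co.uk"))
```
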
Other tricks used
In addition to tricking people into focusing on the wrong part of the address, fraudsters and other criminals have a few extra tricks up their sleeve.
Would you be fooled by the link:
This actually uses a capital i in place of the letter l in 'paypal'. In the browser it's extremely difficult to spot (try it, type it in!) and was a trick successfully used by a fraudster as early as 2000. The font that you view a domain name in can be critical - if you're ever unsure about a link simply copy it to a simple text editor (such as Notepad on Windows) as this will almost always show up any suspicious characters.
Some criminals are less subtle, relying on us quickly reading web addresses to miss obvious mistakes. wwww.bank0famerica.com anyone? Or maybe www.h5bc.com?
Websites can now also be created using letters other than Roman (the alphabet used for English) - this can lead to problems with some characters looking visually very similar to English letters. Some browser makers are now trying to develop features that will alert users to these websites automatically, but until then the best defence is to simply stay alert.
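The text-editor check described above can also be done in code, which names every character that is not a plain Roman letter and catches the digit and capital-i swaps. This is an added example, not part of the original article; the watch list and the look-alike map are assumptions built from names this page mentions, and neither is exhaustive.

```python
import unicodedata

# Assumption: a small watch list built from brands named on this page.
WATCHED = {"paypal", "hsbc", "bankofamerica", "amazon", "facebook"}

# Assumption: a minimal look-alike map (digits and capital I), not exhaustive.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "5": "s", "I": "l"})

def non_ascii_chars(label: str) -> list:
    """List (character, Unicode name) for every non-ASCII character."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in label if ord(c) > 127]

def ascii_form(label: str) -> str:
    """Return the ASCII encoding used for the label in DNS. A label that
    contains non-Roman letters comes back starting with 'xn--'."""
    return label.encode("idna").decode("ascii")

def lookalike_of(label: str):
    """Return the watched brand this label imitates, or None.
    The label must be passed exactly as displayed, capitals included."""
    skeleton = label.translate(LOOKALIKES).lower()
    if skeleton in WATCHED and label.lower() != skeleton:
        return skeleton
    return None

if __name__ == "__main__":
    # Constructed sample: 'paypal' with a Cyrillic small a (U+0430).
    cyrillic = "p\u0430ypal"
    print(non_ascii_chars(cyrillic), ascii_form(cyrillic))
    # Labels quoted in the article, typed exactly as shown there.
    for label in ["paypaI", "bank0famerica", "h5bc", "paypal"]:
        print(f"{label:15} imitates: {lookalike_of(label)}")
```
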
Change of top level domain
Another trick sometimes used is to swap out the top level domain, for example showing www.amazon.uk instead of amazon.co.uk, or www.facebook.uk.com instead of www.facebook.com.
Most tricks like this are very short-lived, as the targeted company quickly hears about the attack and asks the internet authorities to take the spoofing domain name down, but criminals only need a few people to fall for it in that short time for it to be profitable for them.