Avoid criminal websites
Criminals can use the internet too
Criminal websites include sites that try to steal your identity ('phishing'), fraudulent online shops, hate sites, sites that distribute pirated software, videos or music, and others.
What are criminal websites?
Dodgy websites come in many shapes and sizes, including:
- Phishing sites that try to steal your identity.
- Fraudulent online shops.
- Tempting sites that contain viruses or spyware.
- Sites that (unexpectedly) contain illegal or pirated content.
- Sites that promote worthless investments or get-rich-quick schemes.
It is very easy to clone a real website, and criminals can use virus-infected computers to host a dodgy website, so it costs them nothing to put it up. It doesn’t take a skilled developer long to produce a very professional-looking site.
What is phishing?
Phishing is a scam where criminals send emails to thousands of people. These emails pretend to come from banks, credit card companies, online shops and auction sites as well as other trusted organisations. They usually contain a compelling but bogus reason to go to the site, for example to update your password before your account is suspended. Victims click on an embedded link in the email itself which takes them to a website that looks exactly like the real thing but is, in fact, a fake designed to trick victims into entering personal information such as a password or credit card number.
Risks
- Identity theft.
- Fraud.
- Theft from your bank account or credit card.
- Virus infections.
How to spot a 'phishing' email
Criminals can make an email look as if it comes from someone else. Fake emails often (but not always) display some of the following characteristics:
- The sender’s email address doesn’t tally with the trusted organisation’s website address.
- The email is sent from a completely different address or a free web mail address.
- The email does not use your proper name, but uses a non-specific greeting like “dear customer.”
- A sense of urgency; for example the threat that unless you act immediately your account may be closed.
- A prominent website link. These can be forged or seem very similar to the proper address, but even a single character’s difference means a different website.
- A request for personal information such as user name, password or bank details.
- You weren't expecting to get an email from the company that appears to have sent it.
- The entire text of the email is contained within an image rather than the usual text format. The image contains an embedded hyperlink to a bogus site.
How to spot a fake website
We recommend that you install the latest version of your web browser. Internet Explorer 7 and Firefox 2 both have sophisticated filters that can detect most fake websites.
Here are some other clues that might give away a fake:
- Use your instincts and common sense. If it smells bad, it’s probably rotten.
- Look for evidence of a real-world presence: an address, a phone number, an email contact. If in doubt, send an email, make a phone call or write a letter to establish whether they really exist.
- The website’s address is different from what you are used to: perhaps there are extra characters or words in it, or it uses a completely different name or no name at all, just numbers.
- Right-clicking on a hyperlink and selecting “Properties” should reveal a link’s true destination – beware if this is different from what is displayed in the email.
- You are asked to enter private information, but there is NO padlock in the browser window or ‘https://’ at the beginning of the web address to signify that it is using a secure link and that the site is what it says it is (see Learn about secure web pages).
- A request for personal information such as user name, password or other security details IN FULL, when you are normally only asked for SOME of them.
- Although rare, it is possible for your computer to be corrupted by viruses in such a way that you can type a legitimate website address into your browser and still end up at a fake site. This problem is known as 'pharming'. Check the address in your browser's address bar after you arrive at a website to make sure it matches the address you typed. Subtle changes ('eebay' instead of 'ebay' for example) may indicate that your computer is a victim of a pharming attack.
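The address clues above (a link whose displayed text differs from its true destination, an address that is just numbers, and a near-miss spelling such as 'eebay') can also be checked automatically. The following is an added example, not part of the original page: the trusted-site list, the function names, the 0.85 similarity threshold and the sample email body are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("ebay.com", "example-bank.co.uk")  # assumption: sites you really use
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, shown):
    """Return the warning signs for one link (href) and its visible text."""
    warnings = []
    host = (urlsplit(href).hostname or "").lower()
    m = DOMAIN_RE.search(shown)  # does the visible text itself name a site?
    if m and m.group(1).lower().removeprefix("www.") != host.removeprefix("www."):
        warnings.append("shown address differs from real destination")
    if re.fullmatch(r"[0-9.]+", host):  # no name at all, just numbers
        warnings.append("address is just numbers")
    if not any(host == t or host.endswith("." + t) for t in TRUSTED):
        for t in TRUSTED:  # compare the end of the host with each trusted site
            tail = ".".join(host.split(".")[-t.count(".") - 1:])
            if SequenceMatcher(None, tail, t).ratio() >= 0.85:  # assumed threshold
                warnings.append(f"imitates {t}")
    return warnings

def scan_email(html):
    """Map each link in an HTML email body to its list of warning signs."""
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, shown) for href, shown in parser.links}

SAMPLE = (  # constructed email body, not a real message
    '<a href="http://signin.eebay.com/update">https://www.ebay.com/signin</a>'
    '<a href="http://192.0.2.10/login">Update your password</a>'
    '<a href="https://www.ebay.com/help">www.ebay.com</a>')
```

Calling scan_email(SAMPLE) flags the first two links and returns an empty list for the genuine one. A clean result only means none of these three clues fired, not that the message is safe.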
Avoid dodgy sites
- Avoid sites that hype investments, whether in shares or alleged rarities like old wine, whisky or property. Do your homework and always get professional advice before making investment decisions.
- Be wary of sites that promise easy profits. If it looks too good to be true, it probably is. Be particularly sceptical of schemes that involve the recruitment of others, receiving money for other people or advance payments.
- Do a web search to see if anyone has had any problems with a suspicious-looking website.
- Don’t judge a website by its appearance. It is easy to create flashy, professional-looking sites and it is easy to steal other people’s web pages and designs.
- Be wary of websites that are advertised in unsolicited emails from strangers.
Other ways to protect yourself
- Never click on a link embedded in an email. Always enter the real address yourself by typing it into the web browser.
- Consider using a spam email filter that will detect and block many fraudulent emails (see Stop unwanted email).
- Be wary of hoax emails and advance fee fraud emails (see Don't fall for online fraud).
- This kind of fraud also takes place over the telephone and in person. Be wary of social engineering in any form (see Don’t let conmen trick you).
- Don’t give out personal information unless you initiated the contact and you are sure you know who you’re dealing with.
- If in doubt contact the bank or website owner direct by telephone or email before proceeding.
More information
- The UK banking industry’s website contains advice and guidance on preventing and spotting online scams.
- eBay's tutorial will help you learn to spot spoof emails.
- The global Anti-phishing Working Group.
- Read CERT's advice about how to contact website owners.