Hackers don’t steal your information; they trick you into giving it up.
I’ve spent my entire career helping people better understand the domain name space, especially through my work with the Coalition Against Domain Name Abuse. So I know how to spot tricks that aren’t noticeable to the untrained eye. For instance, hackers can create fake websites that mimic trusted sites, even down to the domain name and security certificate, by using non-Latin characters (like Cyrillic) in the address that look identical to Latin letters once the browser displays them.
See what I mean?
One thing I’ve learned, though, is that no matter how much this space and its scams change, hackers continue to use old tactics to steal information from victims. With a little knowledge and a few best practices, you can avoid these scams and keep your data safe.
Even Digital Trap Doors Look Like Real Doors
When you visit your bank’s website or go to your email account, you rarely think twice before entering sensitive information. Some of the most dangerous websites, however, use legitimate-looking login pages to phish users. Thieves are also fond of duping consumers by creating fake brand sites, like discountgucci.com, which sold counterfeit Gucci merchandise.
To the average consumer, this practice may not seem that harmful, but in reality, sites like this can have profound global implications: The goods can be stolen or manufactured by child labor.
Other scams, while perhaps not as malicious, are equally problematic. A common scam involves using a familiar-looking domain name that’s actually owned by a third party to make the domain owner money. We saw this grow rapidly about 10 years ago with a practice known as domain tasting, in which people could return domains after five days to get their money back. People would mass-register domain names that were confusingly similar to well-known brands.
Although domain tasting no longer exists due to new internet rules, the practice of cybersquatting — registering a domain name in bad faith that is confusingly similar to a trademark — is still common in scammer circles. For example, typing prudentiial.com into your address bar will take you somewhere other than Prudential Financial. That scam site may look very similar to the real one, just as it’s intended to, but the links on it could deposit malware onto your computer or, at a minimum, create a bad customer experience for someone seeking prudential.com.
Put Up Your Guard
Protecting yourself from all of these scams is daunting. Over the course of 17 years, I’ve seen improvements in the domain space, but you can avoid becoming an easy mark for information thieves by checking these items to ensure legitimacy:
1. Domain Names
Look for extra letters (like prudentiial.com) or words (like discountgucci.com) that indicate this might not be the company’s website. Although wwwpaypal.com looks like the correct domain for PayPal, leaving out the period between “www” and “PayPal” means that after typing that into the address bar, you’ll be taken to wwwpaypal.com rather than www.paypal.com, which is obviously not where you want to be.
2. Email Addresses
Check the sender address of all emails, especially those that are unfamiliar to you. No well-known brand will send you an email from a non-proprietary domain — like email@example.com — so don’t click any links included in such emails. Also, don’t click any links that include misspellings or dubious words.
3. Hyperlinks
Anyone can add a hyperlink to text. Scammers trick people by typing out the correct website name, such as Google, but linking it to a different website. If you hover your pointer over the link, you can see whether the hyperlink address matches the website. If you don’t see what you were expecting, don’t click.
4. Security Certificates
You can find the security certificate by looking for the green padlock on the left side of the address bar. If the site shows that padlock, you’re probably in the right place. Some sites can fool this security feature, though this scamming technique isn’t common. In general, if you aren’t sure you’re in the right place, Google the site and then click the link from there. As a fan of the domain name space, I choose to type the address directly into the address bar myself.
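The domain-name checks above can also be automated, for example in a mail filter or a link checker. The Python sketch below is an added example, not part of the original article: it flags the four patterns the article mentions (non-Latin look-alike letters, the missing dot after "www", near-miss spellings and extra words around a brand). The TRUSTED list and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
import unicodedata

# Constructed allow-list of domains the user really means to visit (assumption).
TRUSTED = ["paypal.com", "prudential.com", "gucci.com", "google.com"]

def edit_distance(a, b):
    """Levenshtein distance, keeping only the previous row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def scripts(label):
    """Scripts of the letters, approximated by the first word of the Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def check_domain(domain):
    """Return a list of warnings for a hostname; an empty list means no match."""
    host = domain.lower().rstrip(".")
    if host.startswith("xn--") or ".xn--" in host:
        try:  # show punycode the way the address bar would
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: keep the raw form
    if host.startswith("www."):
        host = host[4:]
    if host in TRUSTED:
        return []
    warnings = []
    name = host.rsplit(".", 1)[0]
    if scripts(name) - {"LATIN"}:
        warnings.append("non-Latin letters: " + ",".join(sorted(scripts(name))))
    for good in TRUSTED:
        brand = good.rsplit(".", 1)[0]
        if host == "www" + good:
            warnings.append("missing dot after www: " + good)
        elif edit_distance(host, good) <= 2:  # threshold is an assumption
            warnings.append("near-miss spelling of " + good)
        elif brand in name:
            warnings.append("extra words around brand " + brand)
    return warnings

if __name__ == "__main__":
    # Constructed samples; \u0430 is the Cyrillic letter that looks like "a".
    for d in ["www.paypal.com", "prudentiial.com", "wwwpaypal.com",
              "discountgucci.com", "p\u0430ypal.com"]:
        print(d.encode("idna").decode(), check_domain(d))
```

A short brand name will produce false positives at distance 2, so tune the threshold to the domains on your own list.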
The internet is powerful, and power can be wielded in good and bad ways, but it doesn’t have to be scary. Don’t let scammers trick you into giving away your data. Use this information to scrutinize your emails and practice safer web navigation.