
Wait, wait, wait…
Did you reach this page from a Facebook post with information about the COVID-19 Stimulus package? You probably thought you were heading to a website “covid-stimulus.icu”.
Obviously, this isn’t an actual government website, but imagine if I had gone to the effort to make this page look exactly like an official government website.
Would you have submitted information on a form if it did?
Be careful what you click on and the information you provide. With the situation surrounding COVID-19 (CoronaVirus), scammers will be out in full force attempting to extort money and steal identities from unknowing citizens.
Below, I’ll share some information on how this page spoofed where you’d be redirected and how sites fake authenticity.
Domain Masking
Does the URL in the address bar say “covid-stimulus.icu”? (Edit: I no longer own that domain so this is no longer applicable.)
If so, you have probably been linked here from a social network post claiming you needed to submit information to request your government stimulus checks. If it doesn’t show that domain name, go ahead and click on it and see what happens.
In reality, that’s not the root domain of this web page. I’ve masked the actual URL of this page by buying the “covid-stimulus.icu” domain name for $2.48 and having it forward to this page using domain masking.

Now, anytime someone links to “covid-stimulus.icu” on social media or on the web, they’ll actually be redirected to this page. Unfortunately, due to URL masking, they won’t actually realize what the real URL is.
To make it more tricky to tell whether you’re on the legit page or not, scammers will often use subdomains in a way that makes it look like the actual website.
For instance, “www” is a subdomain of “covid-stimulus.icu”. I could also make the subdomain “gov” or even “fema.gov”, resulting in “gov.covid-stimulus.icu” or “fema.gov.covid-stimulus.icu”, which makes it increasingly difficult to pick out the root domain. You can usually tell by looking at what comes immediately before the first “/” after the site name: the root domain is the last part of the name, right before that slash.
And always remember, official government websites will always use “.gov”.
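As an added example (not code from the original page), this Python sketch applies the two rules above: read the hostname up to the first “/”, then check whether it really ends in “.gov”. The TRUSTED_NAMES list and the function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Names a scam link might imitate (constructed list for this example).
TRUSTED_NAMES = ("irs.gov", "fema.gov")


def host_of(url):
    """Return the hostname: the part between "//" and the first "/"."""
    if not url.lower().startswith(("http://", "https://", "//")):
        url = "//" + url                      # accept bare "host/path" input
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def check_link(url):
    """Return (verdict, tail), where tail is the last two hostname labels.

    The tail only approximates the root domain; an exact answer needs the
    Public Suffix List, which this offline example does not load.
    """
    host = host_of(url)
    if not host:
        return ("invalid", "")
    labels = host.split(".")
    tail = ".".join(labels[-2:])
    if labels[-1] == "gov":
        return ("ends-in-gov", tail)          # the page's rule for official sites
    for name in TRUSTED_NAMES:
        # A trusted name left of the real domain is the subdomain trick.
        if host.startswith(name + ".") or "." + name + "." in host:
            return ("trusted-name-as-subdomain", tail)
    if "gov" in labels[:-1]:
        return ("gov-label-as-subdomain", tail)
    return ("not-gov", tail)
```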
Additionally, not only can domains in browsers be masked, but emails can also be spoofed. This means I could send an email that makes it look like I’m sending it from “[email protected]” when in fact, it is coming from “[email protected]”. This is problematic because if you were looking at your email, you would believe you were seeing an email from a legit “IRS.gov” address, click reply and then click send. Unfortunately, I could tell it to send from one spoofed address but reply to a second address.
Legitimate use cases are situations in large companies where newsletters might be sent out from a generic “[email protected]” but reply back to “[email protected]” or “[email protected]” based upon the content of the email. Unfortunately, scammers often use this to send out an email with a legit PayPal domain, but that responds back to a Gmail address they use.
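The From/Reply-To mismatch described above can be checked mechanically. This is an added example, not part of the original page; the two sample messages are constructed and use reserved “.example” domains, and the function names are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a newsletter whose replies stay inside the same company.
NEWSLETTER = """\
From: Company News <news@company.example>
Reply-To: support@company.example
Subject: March newsletter

Hello!
"""

# Constructed sample: the visible sender and the reply address do not match.
SPOOFED = """\
From: Tax Office <refunds@agency.example>
Reply-To: claims-desk@freemail.example
Subject: Action required: stimulus payment

Reply with your bank details.
"""


def domain_of(header_value):
    """Return the lowercase domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()


def reply_goes_elsewhere(raw_message):
    """True when replies go to a different domain than the visible sender's."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    if not reply_dom:          # no Reply-To header: replies go back to From
        return False
    return reply_dom != from_dom
```

The check only compares the two headers with each other; it does not establish that the From address itself is genuine.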
Spoofing the Page on Social Media
In addition to masking the actual URL, I also changed the type of information that social media sites would receive about the page in a way that doesn’t accurately reflect the actual contents. If you came here from social media, you’ll probably notice the image attached to the post isn’t actually anywhere to be found within this post.

When creating this page, I can give different information about the content to search engines versus social networks. In this case, I went into my settings for this page and gave it a title, description, and image that would lead you to assume you’re heading to a page titled “Request COVID-19 Stimulus Package” with a description on requesting stimulus checks.
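An added example, not from the original page: a Python check that compares what a page tells social networks with what it actually shows. It assumes the preview comes from Open Graph meta tags (og:title, og:image); the sample HTML is constructed, and a mismatch is a reason to look closer, not proof of a scam.

```python
from html.parser import HTMLParser

# Constructed sample: the preview tags promise a stimulus form, while the
# visible page has a different title and never displays the preview image.
SAMPLE_HTML = """<html><head>
<title>How scammers fake links</title>
<meta property="og:title" content="Request COVID-19 Stimulus Package">
<meta property="og:image" content="https://blog.example/img/stimulus-check.png">
</head><body>
<h1>Wait, wait, wait...</h1>
<img src="https://blog.example/img/address-bar.png">
</body></html>"""


class PreviewAudit(HTMLParser):
    """Collect Open Graph tags, the <title>, and every <img src>."""
    def __init__(self):
        super().__init__()
        self.og, self.title, self.images = {}, "", set()
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.og[a["property"]] = a.get("content") or ""
        elif tag == "img" and a.get("src"):
            self.images.add(a["src"])
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()


def preview_mismatches(html):
    """List what the social preview promises that the page does not show."""
    audit = PreviewAudit()
    audit.feed(html)
    found = []
    if audit.og.get("og:title") and audit.og["og:title"] != audit.title:
        found.append("title")
    if audit.og.get("og:image") and audit.og["og:image"] not in audit.images:
        found.append("image")
    return found
```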
Since I’m not a scammer, I’m showing you how to keep yourself safe, but a scammer would likely go to the extent of building a page that looks like a government website, potentially right down to using federal government logos.
Some people might ask “could people really be that dumb?”, but it really isn’t difficult to create a website that looks similar to a Federal government website if you aren’t afraid of the law.
Be Aware of Urgency
Many scammers use a sense of urgency to pressure individuals to react. At its simplest, it might be an unbelievable price that you believe others will jump on if you don’t buy first or, in the case of a stimulus package, the fear that if you don’t give the information needed now, you’ll miss out.
This sense of urgency causes you to not process your thoughts completely, so whenever you click a link (no matter how urgent it might seem) take a second to verify authenticity.
Importance of HTTPS
Whenever you access a website, you’ll either end up on a secure site or an unsecured site. Secure sites are those that have SSL certificates to encrypt data that is passed to the site. Sites with SSL certificates will either show up in the browser with “https” instead of “http” or will be marked as secure or not secure, similar to below.


It’s important to note that just because a site is not using HTTPS doesn’t mean it is illegitimate. Instead, all it means is that information submitted to the site is sent in plain text. This is especially important to understand if you use public wifi, such as at the local coffee shop, because anyone on that network, and in fact anyone able to intercept that data, can see what is being submitted.
In the case of a password field, for instance, if your password was “515hosting”, your browser would send exactly that to the server, and anyone who could intercept that data could read it in plain text as a middle man before sending it along. With SSL certificates, the browser would generate encryption keys, so instead of reading your password in plaintext, someone intercepting it would just see a random string of numbers, and the only one capable of decrypting it would be the server that has the keys.
It’s important to note that scammers can also use SSL certificates, but a good rule of thumb in avoiding scams is to immediately distrust any site that requests your personal information through forms without using one.
Be Aware of Images Giving the Illusion of Content
One of the tools scammers use is attempting to give the illusion of authenticity by taking actual screenshots of the real websites and using those in place of the actual content.
For instance, rather than rebuilding the actual footer of the FEMA website, a scammer might simply take a screenshot of their website’s footer and insert it at the bottom of their fake website. In this way, at first glance, you’d see a website that looks exactly like the real deal, but rather than having multiple footer links, text, and separate images the footer is just one big image that looks like individual text links.
Government Entities Use Snail Mail
I know this is sort of a grey area as the US Census Bureau recently had everyone submit their information online; however, the initial contact with the code to submit online came in the US postal mail.
The IRS, the Federal Government, etc. are not going to contact you for your stimulus package information online. In fact, more than likely, they will use their records of you from recent tax returns (including bank accounts for direct deposit of refunds) to send the money. They’ll also use those most recently submitted tax returns to figure out who qualifies based on income, dependents, or whatever factors they use to determine the amount.
Verify Charities
In times of turmoil and disaster, scammers begin using people’s compassion to steal money by setting up disaster relief funds that are not legitimate charities and that have no intention of using the funds for anything other than themselves.
Donating to well-known charities is always a good idea; however, if you question an organization’s 501(c)(3) status, you can use the IRS Tax-Exempt Organization Search.
Limit Your Exposure to Scams
One of the best ways of avoiding getting scammed is just limiting your exposure to them. Taking proactive efforts to not overshare email addresses or give out personal information when it isn’t necessary is one step.
The other is increasing the knowledge of phishing among those around you so that they aren’t sharing it in the first place in ways that might lead you to click: a sort of herd immunity.
Did you get fooled into clicking on this page and it wasn’t what you expected?
Do you have some friends that might be helped with this information?