Blog Post

How to Spot a Phishing Website

Date Published: Mar 11, 2021

Person working on a computer

A phishing attack is a fraudulent attempt to get sensitive information and steal user data such as usernames, passwords, and/or credit card details. Basically how it works, is an attacker will create a fake email, website, log-in screen, text/instant message with the intent of duping you into opening the message clicking a link and/or entering your personal information.

For example, an attacker might send out a fake email that looks to be from a legit source such as a business, college, or social media site like Instagram, mentioning something about confirming your password, credit card number, or other personal information. The link might then lead to a fake, but realistic, looking web-page that may even mimic a legit web-page asking you to enter your information. The link could also just open a malicious attachment that shoots a virus or malware into your computer.

Malware is a type of software that is designed to cause damage to a computer, server, client, or computer network. Types of malware include viruses, ransomware, spyware, worms, and Trojan horses (allow attackers access to a user's system).

In short, Phishing emails and website are bad mojo that could allow an attacker to steal your personal information. There are ways you can identify a phishing attack and actions to take for when you encounter one. Keep scrolling through to learn how to protect yourself from them.

Phishing Websites

Hackers are getting better and better at developing their phony websites in an attempt to get your personal information. While there sometimes may not be a 100% way to tell if you are on a phishing site, there are some signs and aspects that can help you tell the difference between a real and a fake website.

Here are some tips to help you identify a phishing website:

Visit Website Directly

If you ever get an email, text message, or instant message with a link to a website or web-page, be weary. Instead of clicking the link first, visit the website directly by typing out the URL in an address or search bar or by searching the company name if it is given to you.

The most common way that people fall victim to malicious malware is by clicking a link that looks official, but it really isn't. It is best to get into the practice of using emails and messages as a form of notification and then visiting the site manually if you feel comfortable.

Be Wary of Pop-Ups

If you go to a website or web-page and a pop-up window shows up right away asking you to enter personal information, like a username and password, this is a red flag.

A phishing scam may direct you to a real website and then use these pop-up windows in an attempt to gain some of your personal information. Unless you know with 100% certainty that the site is secure, legitimate, and verified, do not enter your information.

Non-Secured Sites

In the past you may have visited a website where you get a security alert from your browser that your “connection is not secure” or something similar. You get this alert because the website is either a phishing website or the owners of the site have not migrated their site securely.

Before proceeding onto a site that enables this type of warning, click on the padlock icon which appears just to the left of the URL. This should give you information on the sites security certificates and cookies. A cookie is a small piece of data that is sent from a website and stored on your computer by your web browser while you are using the internet.

You also want to make sure that your own connection is secure and encrypted, so the information you search remains private and you are not labeled as a vulnerable target for a scam (Site Uptime).

Pay Close Attention to the URL or Web Address

Just because an address has the appearance that it is legit, doesn't necessarily mean that it is. Links and website addresses that contain malicious content may look almost identical to legitimate sites, normally using slight spelling changes, additional special characters, and/or a different domain (ex: .com instead of .gov).

One thing to do to check for a website's credibility is to hover your mouse over the URL before clicking on them to gain a sneak peek into where it will actually take you. You also want to see a padlock symbol in the address bar and make sure that the URL begins with an “https://” or “shttp://”. The “S” in the web address shows that the website has been encrypted and secured with a Secure Sockets Layer (SSL) cryptographic protocol.

If a website lacks the HTTPS, any data on this site is insecure and could be picked up by criminal third parties. However, this system is not 100% foolproof and there have been a significant rise in the number of phishing sites using SSL certificate, so you will need to look for additional evidence.

Mentioned briefly already, a big sign a website is fake could come in the spelling of a web address. To get users to think they are on an authentic site, attackers will stay as close as they can to a real address, making small and subtle changes to the spelling.

Let's use “” for an example, the letter “I” could be swapped with and “!” or “1” such as “” instead of “”. Fake addresses can also contain extra characters (ex: and symbols that real addresses won't have (Strawbridge, Meta Compliance).

A good and easy practice to take to check a website, if you think you are on a phony one that is mocking a real site, is go to the site you know is legit and see if you notice any differences in the URL or site structure. Just because you see a key or lock in the address bar and the security certificate looks good, doesn't mean the site is safe.

Enter a Fake Password

If you enter a website that asks you for your username or password and you are not sure is it is legit, one thing you can try is entering a fake username and password.

If you enter fake credentials and end up being signed in or receive some sort of indicator that you provided the site what it was looking for you most likely wandered onto a phishing site.

However, some phishing sites may automatically display an error message regardless of the credentials you entered. If your fake password ends up being rejected, don't conclude that the site is real (Yahoo).

Evaluate the Content and Design of the Website

When it comes to creating an official website there is a lot of hard work, time, and thought put into it. The graphics will be clean and sharp, spelling and grammar will be well written and on point, and the entire set in general will flow nicely and have a unique, polished look to it.

If you visit a phishing website, it may look legit and/or have similar branding, in terms of color, layout, and font, to a company, but it will feel a little sub-standard. This is a good red flag that you might have ended up on a phony site.

Now, one or two minor spelling errors are something that can be dismissed on a website. However, if the website has overall or common poor sentence structure, grammar, spelling, and poor design that looks incomplete, this website should be labeled as suspicious.

You want to look for basic spelling mistakes, poor use of language, grammatical errors, or low-resolution images. If you notice any of these, it is a good indicator that you are on a phishing site and you should leave it right away.

If it is mimicking a real site, go to the site that you know is the company's official site and see if you notice differences in the grammar, design, professionalism, or even the site address.

Not all phishing websites will look poorly done and some scammers will put in a good amount of effort to make their site look official, going as far as using fake SSL protection shields. So, you may need to look further than just the overall design and grammar.

Try looking for a “contact us” or similarly titled page. Legit websites typically have a page that supplies users with all of the contact details for their company such as postal address, phone numbers, email addresses, and links to social media channel. If a website lacks these details or the details seem off, such as broken links, be very cautious and go to the site that you know is real to see if there are differences.

Refer to Online Reviews

It can't hurt to do some external, internet-based research on the website you visited that seems fishy or the company doesn't seem official, to make sure they are who they say they are or the website is indeed authentic.

The chances that the site has defrauded people in the past or people have already discovered that the site is fake, is pretty good. Victims of scans regularly go online to report and/or share their experience, warning users to avoid the site. If a site has a bunch of negative reviews or reviews that serve as warnings, it is probably best you stay away from that site.

A Website's Payment Methods

Real websites always take credit cards as a payment method or might use a service such as PayPal for online transaction. If you visit a website and the only payment method is through a bank transfer, view it as an alarm.

Official or reputable websites will never ask for you to pay using this method and the fact that a website asks you to pay via a bank transfer shows that no bank has provided any sort of credit card facilities for the website. This means that the site is most likely operated by a scammer (Strawbridge, Meta Compliance).

Phishing Websites

Unfortunately, hackers and scammers like to use their time and skills to take advantage of people and steal information and money by creating fake websites. Luckily though, there are ways to discover if a fake website or authentic looking one is indeed designed for phishing. As long as you follow the tips in this article, the easier it will be for you to tell the difference between a real site and a fake site.

You can also install anti-phishing detection software on your internet browser. Browsers such as Internet Explorer, Mozilla, and Firefox have free add-ons to assist you in detecting phishing sites.

Research has shown that an increasing number of businesses and individuals fall victim to phishing attacks and malicious threats online every year, with majority of the causes being human error and lack of security structure (Site Uptime).

Using caution when browsing the internet and when coming across suspicious links, and knowing how to identify a phishing website is one of the best ways to protect yourself. Staying up to date on cybersecurity, actively educating yourself, and making yourself aware of recent threats and up to date on attacker tactics is key.

You can find news on phishing attacks by visiting the Anti-Phishing Working Group website and you can also sign up to receive news and tips through CISA product notifications.