Internet Safety: Your Guide to the Most Important Concepts and Practices of Avoiding Identity Theft and Fraud

Previous Lesson
Next Lesson

Website Adressess and Spoofing

Internet Safety: Your Guide to the Most Important Concepts and Practices of Avoiding Identity Theft and Fraud Website Adressess and Spoofing

Your home has a unique address consisting of a street, city, state, and zip code that distinguishes it from any other home. Every website also has an individual address we usually call a URL or a web address. (It is technically known as a Universal Resource Locator.) The critical thing to remember is that each URL is unique and can only take you to one website. This information is vital because spammers sometimes spoof URLs to trick you into going where you don’t want to go! Let’s look at the parts of a web address.

Anatomy of a URL

Protocol—Tells the computer what kind of information is coming so that it knows what to do with it. Some browsers don’t show this part of the address. You won’t be concerned with this except in the case of HTTPS as we will discuss shortly.

Host name—This is the human-readable part that you will usually know by name for your favorite site(s). There may be a “www” in front of the hostname.

Domain extension—Usually an indication of what type of site it is.

  • .com—Business and commercial
  • .edu—Educational institutions
  • .org—Nonprofit and community organizations
  • .gov—Government sites
  • .net—Informational
  • .biz—Business
  • .us—Company based in the USA

There are many other domains than those listed above and with recent changes, you can expect to see many more, but these are still the most common.

Anyone can buy a website address (except those ending with “gov”) if it isn’t already owned by someone. Most addresses only cost a few dollars a year.

Spoofing URLs with misspellings

Spoofing a URL is a deceptive tactic directing users to a fake website. Spammers often use a web address that is a common misspelling or a close construction of a real website. Spoofed websites are used extensively in spam emails (phishing emails) and to trap users who accidentally misspell a website in a browser.

Recently someone paid several hundred thousand dollars for a series of URLs that were close to, but with slight misspellings of, cryptocurrency sites. Why? Because we, as internet users, sometimes misspell the sites we are trying to reach. A scammer can create websites with common misspellings and make money. Or worse, they can use the sites to initiate fraud or download viruses.

Internet addresses are exact. One letter off, additional characters, and a different domain name all send you to a completely different website!

In November 2020, the FBI issued a PSA warning the public of dozens of sites that spoofed the FBI. Yes, even the FBI isn’t immune. The PSA included a long list of spoofed URLs scammers were using to pose as the actual FBI. It is informative to look at a few of the entries on this list remembering that the FBI’s URL is “fbi.gov” exactly. The following list shows how scammers used the official “fbi” in a series of constructions that were designed to look official.

  • cyber-crime-fbi.org
  • fbi-intel.com
  • fbi-ny.com
  • fbi-official.com
  • fbiusgov.com

Note that none of the addresses in the list end with “.gov”. That is because the “gov” ending is reserved for legitimate government websites. Anyone can purchase website names with other domain endings like .com, .org, etc.

I receive similar spoofed addresses from banking sites. Chase Bank is “chase.com” and emails from bankingchase.com or chaseonline.com are examples of the kinds of spoofed URLs that scammers will try to use to fool prospective victims. These are effective because they do have “chase” in the URL and are in the realm of possible websites you would not be surprised to encounter.

Previous Lesson
Back to Course
Next Lesson
Scroll to Top