Person typing on a computer with a search bar floating above keyboard

Is that website real or fake?

Cybercriminals often use fake websites to steal your login or personal information or to download a virus or ransomware on your device without your knowledge. A common trick is for a cybercriminal to create a fake website that looks like a legitimate one, such as a bank’s website. Then the cybercriminal sends you an urgent email or text message that says you must log in to your bank account and includes a link to the fake website.

How to Assess a Website
Before clicking on a link or entering any information on a website, take a moment to really look at the website address — that’s the main way to assess whether a website is most likely real or fake. Hover your mouse over the link before clicking on it to see the actual website address, which may be different than what the text says.

A website address, or Uniform Resource Locator (URL), can be long, but they all follow the same, basic format. The “punctuation” (e.g., colon, dots, slashes, question mark, hash mark) are important and separate the parts of the URL.

No matter how long or short the URL, there are only two parts to examine to help identify a fake website.

A graphic containing a URL with the domain and extension highlighted in yellow

  1. Examine the website’s domain. It is the most important piece of text for spotting a fake website (highlighted in yellow in the graphic). Start at the first single slash (green arrow), then work “backward” (left) to the second dot (blue arrow). If there is no single slash, then start at the last character. The domain should exactly match the website you want to visit. Does it contain a misspelling or other inconsistency? For example, is the domain “mys1te.com” or “myssite.com” instead of “mysite.com”?
  2. Review the website’s extension. The extension is part of the domain and indicates the type of organization that is sponsoring the website or contains a code to indicate a website’s country. Again, start at the first single slash (green arrow in the graphic), then work “backward” (left) to the first dot (orange arrow). Cybercriminals often use a different extension to make a URL look legitimate, but the website, “mysite.com” is a totally different website than “mysite.org” or “mysite.ca” (.ca is Canada’s country code).