Questions: Detecting Fake Websites and Online Scams

Reading a domain correctly is critical: read from right to left, stopping at the first slash. The real domain is the part immediately before the first slash — here, 'secure-verify.net.' Everything before it is a subdomain that anyone can create freely. So 'paypal.com.secure-verify.net' is a subdomain of 'secure-verify.net,' not of 'paypal.com.' The padlock only confirms the connection to 'secure-verify.net' is encrypted — it says nothing about whether that site is trustworthy. This subdomain pattern (trusted brand as prefix of attacker's domain) is described as 'especially deceptive and extremely common.'

Unrealistically low prices are a classic scam signal. The padlock and HTTPS tell you only that the connection is encrypted, not that the site is legitimate — fake sites routinely use HTTPS. Professional-looking design is not a reliable signal either; scammers invest in appearing credible. The combination of polished appearance with prices far below market value is a strong fraud pattern: the product either never arrives or is counterfeit. HTTPS is necessary but not sufficient for trust.

Answer: False

HTTPS confirms that data between your browser and the server is encrypted and cannot be intercepted in transit. It says nothing about who controls the server. A phishing site can and routinely does use HTTPS, meaning your credentials are securely transmitted to the attacker — the encryption is working perfectly, just not in your favor. The padlock means 'this connection is private'; it does not mean 'this site is legitimate.' Its absence is a strong red flag; its presence is not a green light.

Answer: False

The claim that legitimate institutions never communicate urgently is an overclaim. Real institutions do sometimes send time-sensitive alerts — password breach notifications, genuine fraud alerts. The key insight is not that urgency is always fake, but that artificial urgency is a scammer's primary tool for preventing you from pausing to verify. The correct response is to slow down: navigate directly to the official site by typing its URL, call the institution's known phone number, or check through an app you already have installed — rather than clicking the link in the urgent message.

The fundamental vulnerability of clicking links is that displayed text and actual destination are independent — the browser goes to the href, not the text. Hovering reveals the true URL in a browser, but email clients may not show this, and even visible URLs can use deceptive Unicode characters. Direct navigation bypasses typosquatting, subdomain attacks, and display-text deception simultaneously, which is why it is the single most effective defensive habit for high-stakes web interactions.