Don’t Log In to Websites With ‘Sites’ in the URL


The great thing about Google services is that they are easily accessible and free. The downside is that this also makes them accessible to scammers, who are getting good at exploiting them to rip you off.

The latest scam involves the service known as Google Sites. Not as well known as Gmail or Google Docs, Sites is a Google service that allows you to create a website with a custom URL. Conventional wisdom for online security over the years has been to not click on domains you don’t trust. Something along the lines of “www.yourbank.fakedomain.com” may look like an obvious attempt to trick you — but what about “sites.google.com”?

How the scam works

Scammers will make a “spoof” website that looks eerily similar to the real one, aiming to get you to log into theirs instead of the real one. Their hope is that their spoof website will surface on the Google results page when someone googles, say, PayPal, and they will trick people into giving up their login information.

Consider this scenario: Your phone dies when you are out to dinner, so you borrow a friend’s to log into PayPal to pay for your part of the bill. You type “PayPal login” in the Google search bar and receive the following results:

Screenshot: Google search for “PayPal login”

The first result is the legit PayPal website. But note the third result, which starts with “sites.” That website is not the official PayPal website, but was created using the Google Sites service. Nevertheless, if you tap on that result, this is what you’ll see:

Screenshot: unverified PayPal website

You’ll be able to tell right away that the URL for the spoof website doesn’t look right. But the website itself looks very similar to the official one — and especially on mobile, you can’t always easily view the entire URL unless you make a point of tapping to reveal it. If you were to input your credentials into the spoof site, including your password, you’d not only give your personal information away to scammers, but potentially, complete control of your PayPal account.

Always check the URL — or type it out yourself

Google Sites is just one of many ways to create spoof websites, so the problem is not inherently a Google one. You need to stay vigilant, but there are some things you can do to avoid falling prey to these scams.

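Check the URL. Always look at the URL before logging in to any website. Make sure it is “secure”: sites with secure sockets layer (SSL) certification have a small lock symbol in the URL bar. The lock only tells you the connection is encrypted, not who runs the page; a spoof page hosted on sites.google.com shows the lock too. Make sure the URL doesn’t include any extra characters.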

If you’re not sure if you’ve got the right one, Google search the domain like so: “Is [domain in question] legit?”. Some domains are harder to parse than others. Take “paypal.com.webservices.com,” which seems OK if you fail to notice there’s an additional “.com” at the end. The part that counts is the rightmost one, so that address belongs to webservices.com, not to PayPal.
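The same check can be written down as code. This is an added example, not part of the original article: the function name `checkLoginUrl`, the `SHARED_HOSTS` list and the sample URLs are assumptions constructed for illustration, modelled on the addresses mentioned above.

```javascript
// Added example. Hosts where anyone can publish a page under a shared domain;
// only sites.google.com comes from the article.
const SHARED_HOSTS = new Set(["sites.google.com"]);

// Compare the URL you are about to log in to with the domain you expect.
// Returns { verdict: "ok" | "suspicious", reasons: [...] }.
function checkLoginUrl(rawUrl, expectedDomain) {
  const reasons = [];
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return { verdict: "suspicious", reasons: ["not a parseable URL"] };
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const expected = expectedDomain.toLowerCase();

  // A lock icon requires HTTPS, but HTTPS alone does not make a site genuine.
  if (url.protocol !== "https:") reasons.push("connection is not HTTPS");

  // The real site is the expected domain or a subdomain of it, so the
  // expected domain has to be the rightmost part of the hostname.
  const isExpected = host === expected || host.endsWith("." + expected);
  if (!isExpected) {
    if (SHARED_HOSTS.has(host)) {
      reasons.push(`hosted on ${host}, where anyone can publish a page`);
    } else if (("." + host).includes("." + expected + ".")) {
      reasons.push(`"${expected}" is only a prefix; the real domain is further right`);
    } else {
      reasons.push(`host ${host} is not ${expected}`);
    }
  }
  return { verdict: reasons.length ? "suspicious" : "ok", reasons };
}

// Constructed sample URLs modelled on the article's examples.
const SAMPLES = [
  ["https://www.paypal.com/signin", "paypal.com"],
  ["https://sites.google.com/view/paypal-login-example", "paypal.com"],
  ["https://paypal.com.webservices.com/login", "paypal.com"],
  ["http://www.paypal.com/signin", "paypal.com"],
];
for (const [u, d] of SAMPLES) {
  const r = checkLoginUrl(u, d);
  console.log(`${r.verdict.padEnd(10)} ${u} ${r.reasons.join("; ")}`);
}
```

The Google Sites sample is served over HTTPS and still comes back as suspicious, which is why the lock symbol on its own is not enough.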

Don’t click on Google Ads

Google Ads usually come up high on the search results and try to match up with whatever you searched. However, these websites are often not affiliated with the official site you’re looking for, and worse than wasting your time, they can also lead you to spoof websites. Choose from Google’s standard search results instead, and make sure to vet the URL before logging in.

Avoid Googling websites altogether

Instead of googling for the site you want to visit, get into the habit of typing the URL directly into the browser’s address bar. If you know it’s a website that you’ll often be visiting, like your bank’s website, bookmark it so you don’t have to type it every time.
