If you’ve used the internet for any amount of time, there’s a good chance you’ve received plenty of phishing emails. Nigerian prince emails, foreign lottery winner emails and even “if you don’t pay the ransom, you’ll never see your son again” emails, all of which are designed to get you to hand over your identifying information, your money or both.

But now that phishing emails so widely recognized for the scams they are, savvy thieves have a new trick up their sleeves: phishing websites. How do these work? They masquerade as the real deal, tricking you into entering your credit card info, downloading a harmful software, filling out the registration form with your sensitive data or some other similar tactic.

Try this example: You head over to Amaz0n.com or PayPaI (notice the zero instead of an O and a capital letter I instead of a lowercase l) and enter all of your information, update your payment information or bank account, verify your account identity or some other mechanism for stealing from you. You never knew you weren’t on the correct site and the scammers stole everything.

“But I’m never going to type A M A Z (zero) N,” you might be thinking, and you’re probably correct. The hackers know that too, so that’s not how they target you. Instead, they get you to click a link in an email, a social media post or ad, a text message, or some other form of communication. You see what you think is an email from Amazon, either offering you some incredible deal or telling you there’s a problem with your recent order, and you click the link provided in the very professional-looking message. The link redirects to a fake website, though, even though the email domain name and the web address look close enough to the real thing to fool anyone who isn’t paying attention.

Fortunately, avoiding fake websites is almost as easy as ignoring those pleas for help from deposed Nigerian royalty.

  1. Develop the habit of NEVER verifying your identity or account information to someone who contacts you. Whether it’s by phone, email or a website, do not click or enter any personal data or payment details if you didn’t type in the web address yourself. If you think there could actually be a problem due to a message you received, get out of that message altogether and go to the website yourself, typing in the web address (you know, to avoid typing a zero instead of a letter O!).
  2. Check the website designation before doing anything. Even if you’re shopping on your favorite retail site or uploading photos to your favorite social media platform, give a quick glance at the top of the screen. Secure sites will have an HTTPS designation before the “Amazon.com” instead of HTTP. If the S is missing, your data should be missing, too!
  3. Check with the entity directly. Most major websites have had copycats steal their logos and try to convince unsuspecting users to click over to the fake site. Amazon and PayPal are just two common ones, but iTunes, Facebook, Citibank and other major financial providers, and other highly visible names also have similar fake sites.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.