FRAUD HELP DESK

THE DUTCH NATIONAL ANTI-FRAUD HOTLINE

Something fishy?
Report fraud to us between 09.00 and 17.00 Monday to Friday
12 Apr 2018
Reading a URL is not as easy as it looks

An increasing number of counterfeit websites have a very credible-looking web address. How to spot a fake URL?

In the past, it used to be very easy to recognise unreliable web addresses. Most didn’t have a green padlock in the address bar or didn’t start with https://. Not even when they pretended to be a trusted institution like a bank. An attentive visitor would immediately smell a rat.

Bank clients were told they needed to pay attention to the first part of the hyperlink. That had to be something like bankieren.bankvanu.nl or mijn.bankvanu.nl? Anything else was unsafe, they were warned.

Increasingly difficult to spot
Unfortunately, scammers have become more cunning. This makes it imperative for internet users to pay more attention to the site where they fill out their personal data. That is because:

– Nowadays, even the URLs of counterfeit websites are fitted with a green padlock and https;
– The URL also looks very credible

In addition, fake sites often look well-designed, which makes visitors drop their guard.

Reading a URL carefully
This doesn’t mean it’s become impossible to tell a fake URL from an authentic one. To explain how, let’s start with an example:

Example 1: https://www.example.nl

This web address is made up of three parts:

1. http:// or https://

2. www.

3. example.nl

Part of the host name is the so-called top-level domain. In this case, it’s .nl. Examples of other top-level domains are .com, .org or .be.

Unfortunately, some URLs are more complex; they are made up of more parts. And that’s what scammers happily pick up on, by spreading a link like this in email or WhatsApp messages:

Example 2: https://www.belastingdienst.nl.example.nl/www.bankvanu.nl/inloggen.html

This URL consists of five parts:

1. http:// or https://

2. www.belastingdienst.nl

3. example.nl

4. www.bankvanu.nl/

5. inloggen.html

Scammers often make URLs more complex by adding a subdomain with known domain names. It then takes more than a quick glance at the web address in example 2 to realise that you won’t be going to www.belastingdienst.nl. What you may fail to see is that the real domain is not belastingdienst.nl but example.nl.

To be able to spot this, it is useful to look first at everything between https:// and the first slash / in the URL. In this case it’s www.belastingdienst.nl.example.nl. It’s also good to know that the real domain is always right at the end. What always helps is to read a long URL from back to front. In this case, the domain is example.nl and the subdomain www.belastingdienst.nl. If there’s no forward slash / in the URL, you should start reading the URL from the end.

Legitimate businesses like banks also use the advantages of a subdomain. As previously mentioned, banks use URLs along the lines of bankieren.bankvanu.nl or mijn.bankvanu.nl [banking.bank.nl or mybank.nl].

Example 2 shows that a folder on the website can also be used to mislead people. This folder can be given the name of an existing company, for example, your bank. This also applies to the name of a document on the website. In this case, it’s inloggen.html [login.nl]. This may lead a fast or careless reader to believe that they can log on to their online banking account via this link. And that’s exactly what the con artist is banking on.

Tips in brief:

– Don’t just look at the beginning of a URL. Focus instead on the part between https:// and the first forward slash / which you see.

– Read that section from back to front. You will soon find out what the main domain is. Is there no / in the URL? Then start reading from the very end. This will give you sufficient clues to determine whether you’re on the site you were looking for.

– Don’t fall for the subdomains that look like an authentic web address. The subdomain may appear familiar, but doesn’t have to be related in any way with the real domain you’re visiting (think of example 2). Recently we warned of a counterfeit website supposedly from the Netherlands Tax and Customs Administration. Its URL was:

http://www.belastingdienst.nl.35162844.idealbetaling.pw

The web address looks like a genuine website of the Dutch internal revenue, but now you know that the real domain is idealbetaling.pw, and not belastingdienst.nl.