Attackers build pixel-perfect clones of real websites to steal your login credentials. Learn to detect them before you type a single character.
What Are Spoofed / Fake Websites?
Spoofed websites are near-identical copies of legitimate sites — your bank, Google, Microsoft, or company portal — designed to capture your credentials the moment you type them in.
Modern phishing kits can clone a real website in minutes. The page can look indistinguishable from the real thing. Your only protection is knowing what to look for in the browser, not on the page itself.
⚠ A page that LOOKS real can still be completely fake. Design is not proof of legitimacy. Focus on the URL and SSL indicators.
Example 1 — No HTTPS / Missing Padlock
Look at the browser address bar below. Notice the warning indicator and the suspicious URL.
⚠ http://google-account-signin.com/login
Google
Sign in to your Google Account
🚩 What's Wrong Here
1. HTTP, not HTTPS: No padlock. Real Google always uses HTTPS. HTTP means your data is transmitted unencrypted — and the site identity isn't verified.
2. Wrong domain: "google-account-signin.com" is NOT google.com. The real Google sign-in is only at accounts.google.com.
3. Lookalike name: The domain uses "google" as a keyword to appear legitimate — this is called a homograph attack or domain squatting.
Example 2 — HTTPS Doesn't Mean Safe
Many people believe that the padlock (🔒) means a website is safe. That's a dangerous myth.
🔒 https://faceb00k-login.net/signin
facebook
Log in to Facebook
🚩 The SSL Trap
1. HTTPS only means the connection is encrypted — not that the site itself is legitimate. Attackers can and do get free SSL certificates for fake domains.
2. The domain is still wrong: "faceb00k-login.net" — two zeros replacing the letter O. Never ignore the actual domain name.
3. Wrong TLD: Facebook uses .com — not .net. The real site is always facebook.com.
🔒 A padlock = encrypted tunnel. It does NOT = trustworthy website. Always read the full domain name.
URL Tricks Attackers Use
Typosquatting: paypal.com → paypai.com (lowercase L looks like i)
Subdomain tricks: paypal.com.evil-site.net — the real domain is evil-site.net, not paypal.com
Homograph attacks: Using Unicode characters that look identical — аpple.com (Cyrillic 'а') vs apple.com
Hyphen tricks: amazon-account-secure.com looks trustworthy but is completely fake
URL shorteners: bit.ly/3xJk... hides where the link actually goes
Extra TLDs: microsoft.com.login-verify.ru — .ru is the real TLD here, not .com
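💡 Rule of thumb: Read the address from the first slash backwards. The REAL domain is always the word immediately before the LAST dot that comes before the first slash, together with the ending after that dot. In "paypal.com.verify.net/login", the real domain is verify.net.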
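The rule of thumb and the URL tricks above, turned into a small checker. This is an added example, not part of the original lesson; the function names, flag labels and the digit-substitution table are assumptions made for illustration, and the rule is applied as stated, so it assumes a one-word ending such as .com, .net or .ru.

```python
from urllib.parse import urlsplit

# Digits often swapped in for letters (constructed list, not exhaustive).
LOOKALIKES = str.maketrans("0135", "oles")

def host_of(url):
    """Hostname of a URL; tolerates input typed without a scheme."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def real_domain(url):
    """Rule of thumb from the text: the last two dot-separated labels.
    Assumes a one-label TLD (.com, .net, .ru); suffixes such as .co.uk
    would need the Public Suffix List, which is not consulted here."""
    return ".".join(host_of(url).split(".")[-2:])

def check_url(url, expected):
    """Warnings for `url`, given the domain the user means to visit."""
    host, domain = host_of(url), real_domain(url)
    brand = expected.split(".")[0]
    flags = []
    if not url.lower().startswith("https://"):
        flags.append("no-https")
    if not host.isascii() or "xn--" in host:
        flags.append("non-ascii-host")
    if domain == expected:
        return flags
    flags.append("domain-mismatch")
    if host.startswith(expected + "."):
        flags.append("brand-in-subdomain")   # paypal.com.evil-site.net
    elif brand in domain:
        flags.append("brand-keyword")        # amazon-account-secure.com
    elif brand in domain.translate(LOOKALIKES):
        flags.append("lookalike-digits")     # faceb00k-login.net
    return flags

if __name__ == "__main__":
    # URLs built from the examples in the text.
    for url, expected in [
        ("http://google-account-signin.com/login", "google.com"),
        ("https://faceb00k-login.net/signin", "facebook.com"),
        ("https://paypal.com.evil-site.net/", "paypal.com"),
        ("https://\u0430pple.com/", "apple.com"),  # Cyrillic 'а'
        ("https://accounts.google.com/", "google.com"),
    ]:
        print(url, "->", real_domain(url), check_url(url, expected))
```

An empty list means none of these checks fired; it does not prove the site is legitimate.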