Don’t log into websites with “sites” in the URL

Photo: Jeramey Loin (Shutterstock)

The great thing about Google services is that they are easily accessible and free. The downside is that they are just as accessible to scammers, who are getting better and better at exploiting them to rip you off.

The latest scam involves the service known as Google Sites. Not as well known as Gmail or Google Docs, Sites is a Google service that allows you to create a website with a custom URL. Over the years, common wisdom for online security has been not to click on domains you don’t trust. Something along the lines of “www.yourbank.fakedomain.com” might seem like an obvious attempt to trick you – but what about “sites.google.com”?

How the scam works

Scammers create a “spoof” website that looks eerily similar to the real one in order to trick you into logging into it instead. Their hope is that when someone googles PayPal, for example, their spoof website will show up on the Google results page, and they’ll trick people into giving up their credentials.

Imagine this scenario: your phone dies when you go out to dinner, so you borrow a friend’s phone to sign in to PayPal and pay your share of the bill. You type “PayPal Login” into the Google search bar and you get the following results:

The first result is the legitimate PayPal website. However, notice the third result, which begins with “sites”. This is not the official PayPal site; it was built using the Google Sites service. If you tap on this result, you will see the following:

Screenshot: Screenshot of the unverified PayPal website

You can immediately see that the URL for the spoof website doesn’t look right. But the website itself looks very similar to the official one – and, especially on mobile, you can’t always easily view the entire URL unless you tap on it. If you were to enter your credentials, including your password, on the spoof site, you would not only be providing your personal information to scammers, you would potentially give them complete control over your PayPal account.

Always check the URL – or enter it yourself

Google Sites is just one of many ways to create fake websites, so the problem is not with Google itself. You need to be vigilant about many things, but there are some things you can do to avoid becoming a victim of these scams.

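Check the URL. Always look at the URL before logging into any website. Make sure it’s “secure”: websites with a Secure Sockets Layer (SSL) certificate show a small lock icon in the URL bar. The lock only means the connection is encrypted, not that the site is the real one, so a spoof page on sites.google.com shows it too. Make sure the URL doesn’t contain any extra characters.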

If you’re not sure if you have the right domain, search the domain on Google like this: “Is [domain in question] legitimate?”. Some domains are harder to parse than others. Take paypal.com.webservices.com, which seems fine if you don’t notice there’s an extra “.com” at the end.
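The check described above can be written down precisely. The following JavaScript is an added example, not part of the original article: it tests whether a login URL really belongs to the domain you expect, using the two hostnames the article mentions. The function name checkLoginUrl and the USER_CONTENT_HOSTS list are assumptions made for illustration.

```javascript
// Hosts where anyone can publish pages under a trusted-looking domain.
// Constructed list for this example; extend it for your environment.
const USER_CONTENT_HOSTS = new Set(["sites.google.com"]);

// Returns { ok, host, reason } for a URL the user is about to log in on.
// expectedDomain is the domain you typed or bookmarked, e.g. "paypal.com".
function checkLoginUrl(rawUrl, expectedDomain) {
  let url;
  try {
    url = new URL(rawUrl); // same WHATWG parsing rules browsers use
  } catch {
    return { ok: false, host: null, reason: "not a valid URL" };
  }
  // hostname is already lowercased; drop a trailing dot ("paypal.com.")
  const host = url.hostname.replace(/\.$/, "");
  const expected = expectedDomain.toLowerCase();

  if (url.protocol !== "https:") {
    return { ok: false, host, reason: "not HTTPS" };
  }
  if (USER_CONTENT_HOSTS.has(host)) {
    return { ok: false, host, reason: "user-built page on a hosting service" };
  }
  // The site is decided by the END of the hostname, not the start.
  if (host === expected || host.endsWith("." + expected)) {
    return { ok: true, host, reason: "host belongs to " + expected };
  }
  if (host.includes(expected)) {
    return { ok: false, host, reason: "brand name appears but host ends elsewhere" };
  }
  return { ok: false, host, reason: "different site" };
}

// Constructed sample URLs (the two hostnames come from the article).
const samples = [
  "https://www.paypal.com/signin",
  "https://sites.google.com/view/example-login",
  "https://paypal.com.webservices.com/login",
  "http://www.paypal.com/signin",
];
for (const s of samples) {
  const r = checkLoginUrl(s, "paypal.com");
  console.log((r.ok ? "OK   " : "STOP ") + s + " -> " + r.reason);
}
```
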

Don’t click Google Ads

Google Ads usually appear high up in search results and try to match what you were looking for. However, these websites are often not affiliated with the official website you are looking for and, worse than wasting your time, they can also lead you to fake websites. Instead, select from Google’s standard search results and verify the URL before signing in.

Avoid googling websites

Instead of Googling for the page you want to visit, make a habit of typing the URL directly into the browser’s address bar. If you know that this is a website that you will visit frequently, for example your bank’s website, you can bookmark it so you don’t have to enter it every time.