Beware the Clones: How Cybercriminals Use Website Trickery to Gain Access to Your Business Data and Personal Information

Website cloning has made phishing attempts much less easier to spot. Whether you realize it or not, some of the smartest professionals in your industry have fallen victim.

Did you catch the 2019 film “Us?” Or any of the riffs and remakes of “Invasion of the Bodysnatchers?” If so, you probably remember why the idea of cloning is such good fodder for horror classics. It’s a viscerally unsettling concept: something dark and sinister taking the shape of someone you know in order to use your sense of trust and familiarity to do you harm.

In real life, this is exactly what the practice of website cloning does. It’s become one of the most popular methods for scammers to infiltrate your business and separate you from your money.

Here’s how website cloning works. 

As the name suggests, cybercriminals start by creating a “clone” of an original, trusted website. Any website can be cloned, but the most likely candidates for cloning are banks, retail sites, travel booking sites.  The clone site can look almost exactly like the original one, aside from a very miniscule change in the URL. This small deviation can be something as inconspicuous as an extra letter, not easily detected by a passive observer. 

Next, the site-cloners set a trap. The goal is to get unsuspecting victims to visit the clone site via links. These can come in as part of emails, social media, or text messages. The messaging varies from the enticing to the alarming, but always seeks to compel the recipient to take an action.

For example, a text message may present itself as being from the IRS. These typically urge the recipient to pay supposedly-delinquent taxes by visiting the cloned IRS website. The sender warns that you could face fines or a business shutdown.

Another may come in the form of a social media message about a time-bound discount on Apple iPhones or airline tickets. Often, cybercriminals cut straight to the chase, maybe with an email pretending to be from your bank, asking you to authenticate your credentials by logging into your banking portal. The catch, of course, is that the banking portal will be a clone, and everything you type in will go straight to the scammers. 

Identifying Website Clones

How do you identify a clone website? Though it’s true that some are easier to spot than others, most people tend to take false comfort in the belief that modern cyber scams are so obvious that they’d certainly know how to spot one. But as a provider of IT security solutions for businesses, the Level5 team works every day with brilliant business owners — top professionals across many industries including lawyers, doctors, engineers, financial experts — who have unsuspectingly fallen victim to these kinds of scams. 

For some of the more dubious traps, it can be a matter of simply asking yourself honestly if what’s being said sounds too good to be true. In most cases, it probably is. A social media “influencer” is giving away free Louboutin shopping sprees? Emirates Airlines is offering you an extended vacation in Dubai? These things do happen, but they’re unlikely. It’s that tiny sliver of plausibility that can hook people into clicking through to the site, “just to see.” And a well-cloned site can be convincing. 

Example of an email image used by cybercriminals to trick recipients into thinking it was sent by Google.  The image utilizes Google's typical color scheme but the word Google is spelled with an uppercase I in place of the lowercase L.
An example of how cybercriminals can manipulate text and imaging to trick recipients into trusting the sender and clicking on links. This was not created or sent by Google.

Examine URLs and domains for authenticity

 If a message looks authentic, check the email header to see if the sender’s email domain matches who they say they are. For instance, if you get an email claiming to be from your bank, the sender’s email ID should have that in the domain. Something like [email protected] could be genuine, whereas [email protected] or even wells-fargo.com is suspicious.

Check the final URL before you enter any information to make sure it is the actual one. Most websites (and particularly websites that handle personal details and payments, as shopping and banking sites do) are secure sites that begin with HTTPS. These sites will have a lock symbol at the beginning of the URL. Also, check the domain. For example, something like www.customerauthentication.com/bankofamerica is not part of the bankofamerica.com domain. 

IT Security for Your Business

Identifying the evolving tactics of cybercriminals can be much trickier than you think. Your business can’t afford to become complacent. Even if you outsmart the many clones and phishing attempts business owners can come across daily, are your employees trained to do the same?

Want to chat about IT security for your business? Ready to learn more about cybersecurity awareness training for your employees? Whether you’re just down the street in Boca Raton, Florida or across the country, Level5 Management’s tech experts are available whenever you need us. LiveChat with us on the site or call (561) 509-2077