
Fake Websites, Lookalike Stores & Domain Tricks

A padlock in the browser bar used to mean safe. It no longer does. The lock means your connection is encrypted. It says nothing about who runs the server.


The Sale That Was Never Real

Arjun was looking for headphones during a festival sale. He searched, found what appeared to be the brand's Indian store at sony-india-store.in. The prices matched the sale he had seen advertised. The site looked professional. He paid Rs 6,499.

The headphones never arrived. The "order tracking" link led to a generic parcel tracker. Customer support stopped responding after two days.

The real Sony India site is sony.co.in. The site Arjun bought from was registered 11 days earlier. Its entire purpose was to process payments during the sale window before being taken down.


What Is Actually Happening

Fake websites work because they resolve a basic question - "does this look right?" - without actually proving anything. Looking right is easy to fake. Being right requires checking the one thing attackers cannot replicate: the exact domain name registered to the real organisation.

1.5 million new phishing sites created every month in 2025.

That is roughly one new fake site every two seconds. Most are active for hours or days, then abandoned.

Source: Interisle Consulting Phishing Landscape Report, 2025

The Padlock Problem

87% of Phishing Sites Now Use HTTPS

TLS certificates (still widely called SSL certificates) are free and take minutes to obtain. 87% of phishing sites display a padlock. The padlock confirms that the connection is encrypted. It does not confirm who is on the other end of it. Treating it as a safety signal is one of the most widely exploited misconceptions in digital security.

Source: APWG Phishing Trends Report, Q3 2025

Lookalike Domains

95% of Major Brands Have Lookalike Domains Registered

Attackers register slight variations of real domains before and after major sale events. 95% of Fortune 500 brands have at least one active lookalike domain targeting their customers.

Source: Interisle Consulting, 2025

App Stores

Lookalike Apps Removed by the Millions Annually

Google removed over 2.28 million policy-violating apps from the Play Store in 2023 alone. Many impersonate banks, government services, and payment apps. Official-looking names and icons pass initial review before being flagged.

Source: Google Play Transparency Report, 2024

Search Results

Fake Sites Appear in Top Search Results

Attackers purchase Google Ads for fake bank sites that appear above the real bank in search results. Clicking "bank login" in a search is no longer safe. Typing the known address directly is the only reliable entry point.

Source: Which? Consumer Research, 2024

The Domain Tricks Attackers Use

Typosquatting registers common misspellings. amaz0n.com (zero instead of O), paypa1.com (one instead of L), fllpkart.com (doubled L). These trigger on fast typing or mobile autocorrect.

Subdomain confusion puts a real-looking name before the actual domain. sbi.co.in.verify-account.xyz looks official at a glance. The real domain is verify-account.xyz, not sbi.co.in.

TLD switching uses alternative extensions. google.co.com or amazon.shop instead of amazon.com. Looks similar, points to a different server.

Homoglyph attacks replace characters with visually identical ones from other alphabets. A Cyrillic "a" is indistinguishable from a Latin "a" at normal reading speed, but it is a different character that resolves to a different domain.

New domain registration is the simplest tell. Most fake stores are registered days or weeks before a sale event. A domain registered last week selling electronics at a discount is almost always fraudulent.


Practice: URL Danger Scanner

Paste any URL below. The tool breaks it into components and flags suspicious patterns.
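The scanner described above, as an added example written for this page rather than the site's own tool: it splits a URL into host, registrable domain and subdomains, then flags the tricks listed in the previous section (subdomain confusion, extension switching, digit-for-letter typosquats, one-character near misses, a brand name buried inside an unrelated domain, and non-ASCII or punycode labels that point to a homoglyph). The brand list, the short public-suffix list and the sample URLs are constructed for the example; a real tool would load the full Public Suffix List and a much larger brand set.

```python
from urllib.parse import urlsplit

# Constructed for this example: the brands a shopper on this page might be
# looking for, mapped to the real domain each one uses.
KNOWN_BRANDS = {
    "sony": "sony.co.in",
    "amazon": "amazon.com",
    "paypal": "paypal.com",
    "flipkart": "flipkart.com",
    "sbi": "sbi.co.in",
    "google": "google.com",
}

# Constructed subset of two-label public suffixes. A production tool would
# load the full Public Suffix List instead of hard-coding these.
MULTI_LABEL_SUFFIXES = {"co.in", "co.uk", "com.au", "co.com"}

# Digit-for-letter swaps that typosquatters rely on (0 for o, 1 for l, ...).
DIGIT_TO_LETTER = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host):
    """Return the owner-identifying part of a host name: the label right
    before the public suffix, plus the suffix itself."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; enough to spot a one-character typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scan_url(url):
    """Split a URL into host, registrable domain and subdomains, and return
    the warnings the domain tricks on this page would trigger."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host or "." not in host:
        return {"host": host, "root": "", "subdomains": "", "warnings": ["no usable hostname"]}

    root = registrable_domain(host)
    subdomains = host[: len(host) - len(root)].rstrip(".")
    owner_label, _, suffix = root.partition(".")
    warnings = []

    # Homoglyphs: a non-ASCII label, or one the browser already shows in
    # punycode (xn--), means the name is not the plain-Latin one it resembles.
    if any(ord(c) > 127 for c in host) or any(
            lbl.startswith("xn--") for lbl in host.split(".")):
        warnings.append("non-ASCII or punycode label: possible homoglyph domain")

    normalised = owner_label.translate(DIGIT_TO_LETTER)
    for brand, real in KNOWN_BRANDS.items():
        if root == real:
            continue  # the genuine domain, whatever the subdomains say
        if brand in subdomains.split("."):
            warnings.append(f"'{brand}' is only a subdomain; the real domain is {root}")
        elif owner_label == brand:
            warnings.append(f"'{brand}' on an unexpected extension .{suffix} (real site: {real})")
        elif normalised == brand:
            warnings.append(f"digit-for-letter substitution: {owner_label} mimics {brand}")
        elif edit_distance(normalised, brand) == 1:
            warnings.append(f"one character away from {brand}: {owner_label}")
        elif brand in owner_label:
            warnings.append(f"'{brand}' embedded in an unrelated domain: {root}")
    return {"host": host, "root": root, "subdomains": subdomains, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample URLs, including the ones this page uses as examples.
    for u in ["https://www.sony.co.in/headphones", "sony-india-store.in",
              "sbi.co.in.verify-account.xyz/login", "amaz0n.com", "paypa1.com",
              "fllpkart.com", "google.co.com", "amazon.shop",
              "http://p\u0430ypal.com"]:  # second character is a Cyrillic a
        r = scan_url(u)
        print(f"{u:40} root={r['root']:22} {r['warnings'] or ['no warnings']}")
```

The order of the checks matters: a URL is compared against the genuine domain first, so www.sony.co.in produces no warning even though "sony" appears in it, while sony-india-store.in is flagged because its registrable domain is something else entirely.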


What That Just Showed You

1. The domain is the only reliable identity signal. Logo, layout, padlock, reviews - all of these can be copied or faked. The exact domain name registered to the real organisation cannot be duplicated. It is the only check worth making before entering data.

2. Subdomains can be misleading by design. sbi.co.in.login.xyz is not an SBI website. The actual domain is login.xyz. Everything to the left of that registrable domain is a subdomain, chosen freely by whoever owns login.xyz; it is not the organisation name.

3. Search results are not safe navigation. Sponsored results appear above legitimate sites. Never use a search result to navigate to your bank or a financial service. Type the address or use a saved bookmark.

4. New domains are the clearest red flag. A legitimate e-commerce business has an established domain with years of history. A site registered this month selling discounted premium goods almost certainly is not what it claims to be.


Three Things Worth Doing

1. Check the root domain, not the full URL. Ignore subdomains. Find the part immediately before .com, .in, or any other extension (for a two-part extension such as .co.in, the part immediately before that). That is the actual owner. Compare it exactly against the real company's known domain.

2. Never navigate to financial sites via search. Type the address directly or use a bookmark you created yourself. This eliminates both typosquatting and paid-search phishing in a single step.

3. Check domain age before buying from an unfamiliar store. Paste the URL into a WHOIS checker. If the domain was registered in the last 30 days and is selling branded goods, do not buy. New domains selling discounted items are a consistent pattern in e-commerce fraud.
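Step 3 above as an added example that is not part of the original page: given WHOIS output that has already been fetched (for instance with the `whois` command), pull out the registration date and apply the 30-day rule, treating a record with no readable date as untrusted rather than as safe. The two WHOIS excerpts and the fixed "now" are constructed for the example; field names follow the layout registries commonly print.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS excerpts. sony-india-store.in is the page's example of a
# throwaway store; the dates and registrar name are made up.
RECENT_WHOIS = """\
Domain Name: sony-india-store.in
Creation Date: 2025-10-04T09:12:33Z
Registrar: Example Registrar
"""
ESTABLISHED_WHOIS = """\
Domain Name: example.in
Created On: 2009-03-18T00:00:00Z
Registrar: Example Registrar
"""
# Constructed "current time" so the age calculation is reproducible.
FIXED_NOW = datetime(2025, 10, 15, tzinfo=timezone.utc)

# Registries label the creation field differently; accept the common variants.
DATE_FIELD = re.compile(
    r"^(?:Creation Date|Created On|Registered On|Registration Time):\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def creation_date(whois_text):
    """Return the registration timestamp as an aware datetime, or None."""
    m = DATE_FIELD.search(whois_text)
    if not m:
        return None
    raw = m.group(1).replace("Z", "+00:00")  # older fromisoformat() rejects a bare Z
    dt = datetime.fromisoformat(raw)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def domain_age_days(whois_text, now=None):
    """Whole days since registration, or None when no date could be read."""
    created = creation_date(whois_text)
    if created is None:
        return None
    now = now or datetime.now(timezone.utc)
    return (now - created).days


def too_new_to_trust(whois_text, now=None, threshold_days=30):
    """The page's rule: under 30 days old and selling branded goods means do not buy.
    An unreadable date counts as untrusted, not as a pass."""
    age = domain_age_days(whois_text, now)
    return age is None or age < threshold_days


if __name__ == "__main__":
    for name, text in [("recent", RECENT_WHOIS), ("established", ESTABLISHED_WHOIS)]:
        print(name, domain_age_days(text, FIXED_NOW), "days ->",
              "do not buy" if too_new_to_trust(text, FIXED_NOW) else "age check passed")
```

Passing the age check only rules out the newest throwaway stores; an old domain can still be compromised or simply run by a fraudster, so this check complements the root-domain comparison rather than replacing it.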


One Question Before You Continue

Knowledge Check

Arjun's fake store had a padlock in the browser bar, professional design, and competitive prices. What was the single thing that would have revealed it as fraudulent before he paid?