Skip to main content
STCU Log in >
Illustration of a suspicious character.
Illustration of a suspicious character.
Illustration of a suspicious character.

‘Spoofs’ that aren’t so funny.

Published May 18, 2017.

To avoid fake websites, look for these clues.

A "spoof site" is a website that looks real but is really fake, a clone often created to trick you into providing your personal and financial information.

Why? So fraudsters can rip you off: pulling money from your accounts, buying stuff in your name, and stealing your identity to commit more crimes.

If you have doubts - even inklings of doubts - about the legitimacy of an email or website claiming to be from your credit union or bank, call your financial institution. There are also a few clues to look for when you're online to distinguish a real site from a spoof.

Looks like a duck, not a duck.

Victims often arrive at spoof banking sites by clicking on links in "phishing" emails that look like they came from your financial institution. The spoof emails and sites are designed to mimic your credit union or bank's legitimate emails and site, including their color scheme, font choices, and logo (copied from the internet). They often have web addresses similar to the real sites' addresses.

The thieves' goal is to get you to follow their instructions and to provide your personal or financial information. The email messages might be alarming or threatening: "Your account has been compromised" or "We will be forced to close your account." Or they might sound fairly benign: "Your account information is out of date."

No matter what, don't click on the links. A legitimate institution will not ask you to follow a link to provide or verify personal or financial information. (Nor will it ask you to reply to an unexpected, unsecured email to provide that information. And if it asks you to return a phone call, make sure it's a number you know or can verify with an outside source.)

Study the situation.

If you have arrived at a financial website that strikes you as possibly sketchy, study the address bar in your browser for few clues.

  • First, look at the URL, or the web address. Is it the URL you know and have used before? Does it make sense? Some experts suggest retyping all URLs in the address bar, if you've arrived at a site by following a link, to avoid tricks such as internationalized domain name (IDN) homograph attacks. (In that example, fraudsters use characters from other languages to mimic familiar English URLs, steering you to spoof sites.)
  • Look for the "s" in the https, which indicates a secure connection.
  • Check for a green padlock icon in your address bar, which indicates that data sent to and from the website is encrypted.
  • Check next to the padlock for the site's certificate. Financial institutions can get special certificates that prove they're who they're claiming to be online. For example, the words "Spokane Teachers Credit Union" or "Spokane Teachers Credit Union [US]" on the certificate of any secured STCU site.

Too late?

What to do if you’ve been tricked by a phishing email or a spoof site.