Attack of the Clones: How to Avoid the Website Cloning Trap

Have you ever watched one of those horror movies where something impersonates the protagonist only to wreak havoc later? Whether it’s an evil twin, an incredible lookalike, or an actual clone, the copy ends up impersonating the good guy, causing mischief, mayhem, or even worse. Website cloning can do the same thing to you and to your business in real life.

Website cloning is one of the most popular methods among scammers to fleece you of your money. And when it’s your business website that gets cloned, you can lose customers, credibility, and more.

What is Website Cloning?

As the name suggests, the cybercriminal first creates a ‘clone’ site of the original one. Nearly any website can be copied, but retail shopping sites, travel booking sites, and banks are the favorites of cybercriminals. The clone site can look exactly like the original one, barring a very small change in the URL, or web address.

For example, in the scam that targeted older Australians and their online payments through the MyGov site, the URL for the clone site was mygovau.net. The real site is my.gov.au. The differences are barely noticeable (the real address has periods separating each word and no “.net”) and are easily missed by anyone not specifically looking.

How Does it Work?

Next, the criminal creates a trap intended to get unsuspecting victims to visit the clone site. This is usually done via links shared through emails, SMS messages, or social media posts directing targets to click on a link to the clone site. The message urges the recipient to take an action.

For example, an email appearing to be from the IRS demands the recipient pay pending taxes by clicking on a specific link to avoid a fine or business shutdown. Another one might be an SMS message about a limited time discount or exclusive flash sale on iPhones. Sometimes, they masquerade as your bank and scare you into believing you are being hacked, so the message asks you to authenticate your credentials by logging into your banking portal. The irony of this one is that the banking portal they link to will be a clone.

Goals can range from data harvesting—stealing your credit card, banking, and/or login credentials—to outright theft by redirecting your payment for goods or services to the criminal’s account or by profiting from bogus “administrative” or “booking” fees while still fulfilling your order. Please note, however, this does not mean all booking fees indicate a scam (even if it seems like it sometimes).

So How Do You Identify a Website Cloning Trap?

Does the email sound too good to be true? Well, then it probably is. Nike giving away free $300 shoes? Emirates Airlines giving you free tickets to Europe? Apple iPhone X for just $20 or $50? All of these scream ‘scam!’ Want to make sure? Try looking up the deal or offer at a fact-checking site like snopes.com. Numerous myths and reported scams can be confirmed there.

If the message sounds genuine, such as an email from your bank asking you to verify your login credentials, check the email headers to see if the sender’s email address matches your bank’s. For example, if you use Bank of America, the sender’s email ID should have that in the domain. Something like customercare@bankofamerica.com could be genuine, whereas customercare@bankofamerica.net is suspicious. Learn how to identify other phishing flags here.

Before you click on anything in the message, hover over the link to see where it is pointing. If it’s supposedly from Bank of America but will take you to www.customerauthentication.com/bankofamerica, it’s not the right domain. Another detail to keep in mind when you’re on legitimate shopping/banking websites—sites where payments are made and other personal details are shared—is that they should be secure, meaning HTTPS websites, not just HTTP. And there should be a padlock symbol showing at the beginning of the URL in the address bar.
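The sender and link checks described above can be automated, for instance in a mail filter or help-desk tool. The Python below is an added example, not code from the original article: the trusted-domain list, function names, and result labels are assumptions, and the inputs are the addresses quoted in this article. The substring match is a heuristic and will not catch every lookalike.

```python
from urllib.parse import urlsplit

# Assumption: the organisations' real domains, taken from the article's examples.
TRUSTED = ("my.gov.au", "bankofamerica.com")


def split_target(value):
    """Return (host, rest) for a URL or an e-mail address, lowercased."""
    value = value.strip().lower()
    if "://" not in value and "@" in value:        # e-mail address: keep the domain
        return value.rsplit("@", 1)[1].rstrip("."), ""
    if "://" not in value:                         # bare "www.site.com/path"
        value = "//" + value
    parts = urlsplit(value)
    return (parts.hostname or "").rstrip("."), parts.path + "?" + parts.query


def brand_keys(domain):
    """Dot-free forms of a trusted domain: 'mygovau' and 'mygov' for my.gov.au."""
    labels = domain.split(".")
    return {"".join(labels), "".join(labels[:-1])} - {""}


def squash(text):
    """Drop the separators a lookalike typically adds or removes."""
    return text.replace(".", "").replace("-", "")


def classify(value, trusted=TRUSTED):
    """Label a link or sender address relative to the trusted domains."""
    host, rest = split_target(value)
    # Only an exact match or a true subdomain of a trusted domain passes.
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"
    keys = set().union(*(brand_keys(d) for d in trusted))
    # The brand is spelled into a different domain (mygovau.net).
    if any(k in squash(host) for k in keys):
        return "lookalike-host"
    # The brand appears only after the host, e.g. in the path.
    if any(k in squash(rest) for k in keys):
        return "brand-outside-host"
    return "unrelated"


if __name__ == "__main__":
    for item in ("https://my.gov.au/", "mygovau.net",
                 "customercare@bankofamerica.net",
                 "www.customerauthentication.com/bankofamerica"):
        print(f"{item:48} {classify(item)}")
```

Anything other than "trusted" should be treated as a reason not to follow the link or reply to the sender.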

Unfortunately, all of these features are getting easier to copy, so the best advice is to use your own favorite or bookmarked link that you know is safe or to open a browser on your own and navigate to the company’s website. Avoid clicking on links altogether.

What if You Think Your Website has been Cloned?

The less-considered side of website cloning concerns the business that gets cloned. Say it’s not big Bank of America but a small credit union that gets cloned. Until upset or angry customers call in to complain, you may not know your website has been copied. It’s also interesting to note that cloning is not always used for technically criminal purposes. Sometimes competitors will set up a scraper site to steal material or search result rankings, essentially stealing business from you.

So what can you do? Start by talking with your website developer and SEO partner. They can check your website code for tags that tell search engines your content belongs to you. They can also look up who owns a site and contact the clone owner, asking them to cease and desist using your material. And if that doesn’t work, they can also help you report a cloned or scraper site to Google’s DMCA division. The Digital Millennium Copyright Act (DMCA) “criminalizes production and dissemination of technology, devices, or services intended to circumvent measures that control access to copyrighted works.”

Identifying a cloned website is tricky, but it is not something you can afford to ignore personally or as a business owner. So use and share the information above, and stay vigilant. And if you have any questions about this or other ways to improve your cybersecurity, reach out anytime. You can also subscribe to receive information like this via email.