So I’ve bought a few items from the company website and need to pay for them. I receive multiple emails from what look like colleagues providing a link where I can pay.

https//tekeur0pe.co.uk/paynow

https://paynow55.tekeurope.co.uk

https://tekeurope.co.uk/paynow

https://tekeurope.paynow55.co.uk/

2 of these 4 links may be valid, two definitely are not. Making an address appear to be part of another site is a common tactic often used in scam emails to trick users into thinking they are visiting the legitimate website rather than one the scammer has set up.

Double check the Website’s name

https//tekeur0pe.co.uk/paynow

In this first example we have replaced the ‘o’ with a ‘0’ in Tekeurope. The effect of this would be to send me to a completely different website unrelated to the company I work for. Whilst it stood out quite clearly in this example it can sometimes be enough to fool someone who is for example in a rush.

The way this is normally done is by creating addresses that look right at first glance by using slight misspellings or replacing characters with ones that look visually similar (e.g nn for an m).

Another trick used is to create longer site names which include the company name like tekeuropepaymentgateway.co.uk. Legitimate businesses rarely operate sites like this and will normally use a subdomain of their existing site, if in doubt contact the company by some other means such as by phone to check.

Make sure the domain is what it appears to be

The domain is the name of the website. Sometimes scammers will attempt to make it appear the name of the website is that of legitimate company but instead send you to their site.

To check the domain we look between the http:// or HTTPS:// at the start of the address and the next ‘/’ or the end of the address if there isn’t one.

So starting at the right we have the top level domain, a few examples of these are .com .org and .co.uk.

To the left of this before the next ‘.’ is the domain name, combine this with the top level domain to get the name of the site you are on, e.g. Tekeurope.co.uk

Anything to the left of this next dot is a subdomain, a subsection of the website.

So how does this work with these addresses?

https://paynow.tekeurope.co.uk

So starting after https:// we go to the next / or the end of the address if there isn’t one (as in this case). Starting there and moving left we have the top level domain ‘.co.uk’, next moving left until we hit the next ‘.’ we get the domain tekeurope. We are on tekeurope.co.uk.

paynow is a subdomain of tekeurope.co.uk

https://tekeurope.co.uk/paynow

So following the same process again we start after https:// and move right until we reach the first ‘/’. Then moving left we have the top level domain then the domain itself. Again we are on tekeurope.co.uk

“paynow” to the right is likely a page on the site and can be disregarded for this purpose.

https://tekeurope.paynow55.co.uk/

Starting after https:// and moving right we reach the first ‘/’. Working back we have the top level domain .co.uk. Moving left until the next ‘.’ we have the domain name. However in this case we have a problem. The word ‘tekeurope’ is to the left of this point and is only a subdomain of the website. The website we are on is called paynow55.co.uk (not an active site at the time of writing).

This is a commonly used trick, sometimes seeing the name of the company in the address is enough to convince people that this is the site they are on.

Conclusion

Always make sure to double check the address of the site you are on in order to minimise your chances of falling victim to online fraud. Remember to double check the page you are accessing is in the right domain and that the spelling and characters of that domain name is exactly what you were expecting.

Posted by Jamie Moore (Tekeurope)