Need to know
- Scammers are creating fake websites imitating popular retailers in order to steal money and information from shoppers
- These sites often look very similar to those of legitimate stores, but there are ways of spotting them
- Red flags include unusual URLs, unrealistic discounts, missing information and poor spelling and formatting
Australians spent more than $63 billion shopping online last year and while total reported scam losses were down in the same period, criminals are still trying to grab some of this sizable spend.
Our latest sweep of fake shopping websites reveals these scams continue to pose a threat, with suspicious pages impersonating prominent retailers including Rip Curl and Witchery.
And it seems the pages we discovered are just the tip of the iceberg.
A recent investigation by a European cybersecurity consultancy found one criminal network operating tens of thousands of these fake stores, stealing tens of millions of dollars over three years from consumers in multiple countries.
With the EOFY sales approaching here in Australia, we’ve got the most useful tips for spotting fake sites and keeping safe during your online shop.
How do fake shopping websites work?
Online shopping scams are a type of product and service fraud. They usually involve criminals building websites that pass themselves off as well-known retailers.
Scammers will brand these pages with the logos of popular stores and fill them with advertisements for heavily-discounted goods, before promoting them on social media and search engines.
There’s very little financial outlay that criminals have to go to, to establish a store presence
Paul Haskell-Dowland, Edith Cowan University
Anyone who buys something through these sites is left waiting for products that never arrive or with poor-quality goods they didn’t order.
Paul Haskell-Dowland is a professor of cybersecurity practice in the School of Science at Edith Cowan University and says fake stores are an easy money-maker for scammers.
“There’s very little financial outlay that criminals have to go to, to establish a store presence,” he explains.
“Somebody could establish a website and promote it [via paid advertising on social media or Google] within a matter of minutes and then start receiving purchases within hours.”
How common are they?
Global criminal organisations have built networks of thousands of fake sites to target shoppers.
The ACCC’s Scamwatch received 2760 reports of fake online stores between January and November last year, with these operations stealing over half a million dollars from shoppers.
That’s after a 2022 study for the Australian Retailers Association found 40% of 1000 Australians surveyed had encountered a scam shopping website.
So far this year, Australians have already lost almost $900,000 to all forms of online shopping scam, including these clone sites.
Scammers are also increasingly turning to trusted online spaces to promote these schemes.
Last year, CHOICE uncovered several examples of scam ads being promoted on social media platforms such as Facebook and Instagram, and search engines like Google.
The latest scam pages we uncovered for this article were also being promoted on Facebook.
Both Google and Facebook parent company Meta have previously told us they’re working to remove malicious ads, but CHOICE has called for these digital platforms to be legally required to do more to protect users from scams.
How to spot a fake website
1. It has an unusual URL
A fake copy of the Rip Curl website CHOICE uncovered while researching this article.
The web address or URL is one of the most identifiable aspects of any retailer’s site and can hold important clues as to whether the page you’re looking at is legitimate.
Professor Cassandra Cross is a criminologist and associate professor at the Queensland University of Technology’s School of Justice.
She says scammers building a fake site will try to make the URL look as close to the real deal as possible.
“Offenders will sometimes use numbers instead of letters, like a one instead of a lower-case L, to make it look like it’s the same,” she says.
A scam URL might also include words and formatting that seem unnecessary and illogical for a major retailer trying to establish a simple and identifiable web presence.
For example, our latest sweep for scam sites surfaced one page impersonating popular surf retailer Rip Curl with the URL ripcurlseller.com and another passing itself off as clothing brand Witchery under witchery-au.com.
Both companies confirmed to us these sites are illegitimate and say they have processes in place to have scam copies of their services taken down.
Both brands’ official pages have more simple and official-looking URLs – ripcurl.com and witchery.com.au, respectively.
2. The prices are too good to be true
Another common factor across scam sites we’ve seen is unusually large discounts – with some operations offering as much as 80% off all their ‘products’.
“[Scammers] are working on the assumption you’re going to see that 80% off and jump in straight away and start ordering things,” says Professor Haskell-Dowland.
Another common factor across scam sites we’ve seen is unusually large discounts
This was the case for CHOICE member Yvonne Parker, who last year told us she almost spent $120 on what she believes was an impersonation site advertising significant discounts.
“I thought: ‘I’ve really lucked here’,” she recalled, saying she became suspicious after the payment on the website failed to go through.
She contacted her bank and cancelled her card before any transaction was recorded and later realised the prices were too good to be true.
“I went to the [legitimate retailer’s] website and their biggest discount was 40%,” she says. “And [the fake site] was saying 70%.”
3. It has poor-quality content or an unusual layout
Professor Haskell-Dowland says the speed with which scammers establish fake stores means supporting content on these sites can often stand out for its poor quality.
“[They] don’t go to a lot of effort to make them look genuine,” he explains. “There’s a lack of care taken with the layout of the adverts for the products and the textual descriptions.”
This lack of care has been obvious in several scam sites we’ve uncovered.
One site we saw last year impersonating outdoor retailer Kathmandu didn’t even bother to put the name of the company in its ‘About Us’ section, leaving us only with information about a mysterious “Online shop”.
An imitation Kathmandu site CHOICE found stood out for its suspicious ‘About Us’ page.
Other scam pages come undone in the ‘Contact Us’ section, directing visitors to email addresses that don’t include the name of the store or that appear to be a person’s private address – something Professor Haskell-Dowland says is inconceivable for a legitimate major company.
“Would a big brand have such poorly presented information or list someone’s Gmail address as the contact for a big multinational chain?”
If you’re unsure about a site, check for links to its terms and conditions, privacy policy or contact details, commonly found at the bottom of each page. The information in these sections should be coherent and professional.
4. It has unusual payment methods
Be suspicious of online retailers asking you to pay via bank transfer.
Professor Cross says a website requiring you to pay in a way you wouldn’t normally when shopping online should be treated with suspicion.
“If you’re being asked to pay with a non-traditional payment form, via Bitcoin or a money transfer, then that’s potentially a red flag,” she explains.
Other forms of payment, including Visa and Mastercard credit and debit cards and PayPal offer greater protections to consumers, but beware that scam websites will sometimes also accept these methods.
5. The reviews are damning
If you’re suspicious about a site, you can enlist the help of fellow consumers who might have had previous experience with the outlet.
You can find reviews of websites on services like Google or Trustpilot, as well as on social media. If the website you’re using is a scam, there’s a chance victims might be using these forums to warn others.
If you’ve found a suspicious site, enter recognisable parts of the URL into a search engine along with the words “site” and “scam”. Posts on social media are included in results when you do this.
The results will often turn up warnings about scam pages impersonating common brands.
However, because scam sites can be set up very quickly and are often removed just as swiftly, the site you’re looking at may be brand new and community feedback might be lacking.
Brands also occasionally post warnings on their legitimate website or social media pages, alerting customers to the fact that their web presence is being impersonated.
If you’re using Facebook or Instagram, look for a blue tick next to the retailer’s profile name to confirm that it’s their official account.
6. It was only created recently
As mentioned above, scam sites can come and go in the blink of an eye. Therefore, if you’re questioning a website’s legitimacy, enter the domain or URL into a lookup service such as whois.com or Icann Lookup to see when it was registered.
If it was only created very recently, you may be looking at a fake.
Cross-checking the domain names of the scam Rip Curl and Witchery sites we found for this article, we discovered they’d both been created by the same registrar mere weeks beforehand.
A legitimate store’s domain, meanwhile, may have been registered for decades.
What about the padlock and https?
A padlock in your device’s address bar is not a guarantee that the site you’re visiting is safe.
Many of us are used to seeing a padlock symbol and “https” in the URL of a website we’re visiting.
Unfortunately, this only indicates that the site has a security certificate and that communication between the site and your device is secure. It’s not a guarantee the site itself is safe.
“Any website can have a certificate, no matter how dodgy it is,” says Professor Haskell-Dowland. “Getting one is often no more difficult than securing a domain name and can actually be zero cost.”
How to report a scam website
If you’ve encountered a website you believe to be fraudulent, report it to the ACCC’s Scamwatch.
You can also warn fellow consumers by leaving a review or posting on social media.
Professor Cross says it can also be useful to report it to the retailer that the scam site is impersonating.
“They might have a bit more status [and] they might be able to get that taken down in a way that an individual can’t,” she explains.
If you’ve made a payment to a suspicious site, contact your financial institution or card provider immediately
If you’ve made a payment to a suspicious site, contact your financial institution or card provider immediately. They may be able to stop the transaction.
If you believe scammers may have accessed your personal identity details, contact IDCare for support.
If you’ve lost money or information, contact ReportCyber (reports lodged here are passed onto police).
If you’ve created an account on a suspicious shopping site with the same password you’ve used on other platforms, change it to secure your profiles with those services.
For more on what to do if you’ve fallen foul of a scam, read our guide to the five things to do if you’ve been scammed.
Stock images: Getty, unless otherwise stated.