Government bodies are having a tough time lately dealing with an advent of fake sites. Earlier this week, Work Development Agency had to issue an official statement on its Facebook page, warning users of two doppelgänger sites that have used its SkillsFuture initiative to set up URLs that might confuse the public.
The rise of bogus sites spinning off from government agencies is not a new phenomenon: last year, Central Provident Fund (CPF) and Immigration and Checkpoints Authority (ICA) were some examples of government ministries plagued by technological disruptions. What followed was a series of fake websites posing as the aforementioned parties, aggravating the ordeal. The common nature of these bogus sites is that they tend to prompt the user to log in or register in order to gather personal data while confusing the public.
Naturally, the affected parties must act fast to nip the situation in the bud.
In the case of WDA’s hijacked SkillsFuture brand, Kelly Ho, lawyer and managing director, Kel LLC, said that some possible options for the government agency to consider are:
1.Commence an action in Court for trademark infringement and/or passing off.
2. For “.sg” domain names, submit a complaint to the Singapore Network Information Centre, a wholly-owned subsidiary of IDA. If WDA succeeds, then the domain name will have to be cancelled or transferred to WDA.
3. For non-“.sg” domain names, submit a complaint to the Internet Corporation for Assigned Names and Numbers.
WDA can commence the Court action and/or submit the complaints arguing the following grounds:
(i) The registrant’s domain name is identical or confusingly similar to a trademark or service mark in which WDA has rights.
(ii) The registrant has no rights or legitimate interests in respect of the domain name.
(iii) The domain name has been registered and is being used in bad faith.
Prevention is always better than cure
John Bai, director, security response, Symantec, said that education is a key component when it comes to protecting a brand’s website. While doppelganger websites may not always be fraudulent in nature, it is important for consumers to be aware of the official website that they should be referring to.
“Prior to a launch, companies need to put in place a robust plan to ensure that consumers know how to recognise the correct website. If it is a big launch, they also need to anticipate phishing attacks and also look at buying the URLs of similar sounding websites to ensure that customers who mistakenly go to these web addresses are redirected accordingly.”
Bai pointed out that many of the current phishing techniques rely on driving customers to spoofed Web sites to capture personal information.
“As such, technology such as Secure Sockets Layer (SSL) and Extended Validation (EV) SSL are critical in fighting phishing and other forms of cybercrime by encrypting sensitive information and helping customers authenticate your site.”
He also shared the following tips on how to spot doppelgänger websites:
- Incorrect address
Always check the address bar and verify that all is as it should be. If you are suspicious, do a domain WHOIS lookup to see who owns the domain. The result will tell you the registrar (company that the domain was purchased through), when it was created, when it expires as well as contact details.
- Check domain name
Another easy way is to check the Domain Name in Google – If you type the domain name into Google, if it is a real site, there should be links to that website from other websites. If only the domain comes up and no other search result appears for that domain name, then it is very suspicious.
- Check if the Login, Create Account, and Payment Pages are secure
Many fake or doppelganger sites will not bother to buy an SSL (Secure Sockets Layer) certificate. SSL certificates secure the transfer of your data when you submit sensitive information (creating an account, or submitting payment info) and cost money. A scam site, quite often, will not bother with an SSL certificate, as the site will likely be shut down within a couple months after the fraud has been reported.
- Beware of links shared via email
Users should not use links in an email to connect to a website unless they are absolutely sure they are authentic. Instead, open a new browser window and type the URL directly into the address bar. Often a phishing or doppelganger website will look identical to the original – look at the address bar to make sure that this is the case.