On average, the normal person will misspell 83 percent of their native vocabulary. Bad actors have caught on to the trend and have found a new way to trick people into handing over their information.

Typo squatting, also known as URL hijacking, is a cyberattack technique in which hackers register domain names that resemble legitimate websites, with minor misspellings or slight variations, to trick users. These sites are used to steal personal information or distribute malware.

“They are sneaky,” said Jerry Smith, associate director of information security operations. “They build this knowing that you might click their link because it is a carbon copy of the actual site. They make it pretty, and you do not realize what you’ve clicked until it is too late.”

As part of National Cyber Security Awareness Month, UAB IT is spreading the word about typosquatting and other online scams. Look to UAB IT social media for more tips and tricks on phishing threats, data safety and more, as well as our security awareness site and our PhishBowl, which features the latest phish we've caught.

There are several versions of typo squatting. These are some of the most common scams that experts see:

  1. Imitators: These sites try to pass themselves off as legitimate. They try to adopt the company’s color scheme, logos, and even the page layout. These sites aim to take login credentials and personal information.
  2. Surveys and giveaways: These scams are sent to collect data. The more data you give, the easier it is for scammers to pull off identity theft.
  3. Malware installs: When users visit these sites, malware can be downloaded onto the device they are using.

Luckily, there are ways you can spot typo squatting before you give away your information. Always check the URL: the best practice is to double-check it before you click. In Outlook, UAB IT has implemented SafeLinks to allow an extra layer of protection. You can also bookmark your frequently visited websites.

“We want UAB students, faculty and staff to know that if you think you have been scammed or have encountered a phish, you can always reach out to us,” Smith said. “The team is here to help protect you and your information.”