What is domain spoofing? How to protect yourself from fraudsters
There’s been a rise in fraudsters creating websites with domains that mimic Wave’s in an attempt to launch phishing attacks to steal login credentials from our customers.
This is a type of fraud known as domain spoofing.
It works like this: cyber criminals create fake websites that look similar to legitimate ones to trick customers into submitting their login or personal information. Think of them as Wave’s evil, digital doppelgängers.
But don’t worry, this doesn’t mean your life is going to turn into a Gothic horror novel.
We’re here to tell you everything you need to know about domain spoofing, and how to keep yourself safe.
What is domain spoofing?
Domain spoofing, also known as URL spoofing, is when cyber criminals create a deceptive website that mimics a legitimate one. These fake sites use URLs that are similar to the real ones, with misspellings or added characters that you’re meant not to notice.
These fraudulent sites are supposed to deceive you into thinking you’re on the official website so you’ll enter sensitive information like login credentials, financial details, or personal data or even send money or download dangerous malware. The fake sites might even copy the entire content of the real site, making it extra tricky for you to spot the fakes.
How to protect yourself against domain spoofing
Here are some clues to look out for to determine if you’re dealing with a spoofed website:
Check the URL
Scammers often create URLs that are close to the original, but not quite right. Keep your eyes peeled for small misspellings, extra characters, or different domain extensions.
Look for HTTPS
Secure websites start with "https." If you see "http" instead, proceed with caution. However, keep in mind that some spoofed sites can also have "https," so this shouldn't be your only line of defense.
Look for an SSL
Most legitimate websites will have an SSL (secure sockets layer) certificate, which confirms the identity of a website and protects information sent to the server.
To check for an SSL, go to your address bar and click on the padlock icon 🔒, which should confirm that your connection is secure and that the website’s certificate is valid.
Check the source
Fraudsters can also use a fake email with the domain of a real, trusted company (this is—you guessed it—called ”email spoofing”). They’ll send you an email pretending to be the legitimate company in an effort to get you to click onto the spoofed website, where you’ll be prompted to enter your personal information.
Always double check the sender and content of an email and only open links from our official communications.
Wave will typically contact you from a @waveapps.com email address. If you're concerned, you can verify the request by contacting support via chat while logged into your account.
If the sender is making a weird request or urgent warning, it’s probably a scam—we’ll dig into this more below.
Watch for odd requests
If a site asks for more information than seems appropriate or something feels off, trust your gut. For example, if you're prompted to provide your Social Security number or credit card information for something trivial, it's a red flag.
Wave's risk team exists to monitor all activity on our platform to protect it from fraud and losses and maintain regulatory compliance. In order to do this, the risk team might ask you for:
- An ID scan, and/or phone or utility bills to verify your identity
- Business documents like licenses and tax forms to verify your business
- Bank statements to verify you have sufficient cash flow to cover any chargebacks or refunds
- Documentation and contracts between your customers to make sure you are set up for success if your customers dispute any payments
Again, if you’d like to verify the request, you can contact support via chat while logged into your account to double check.
Bookmark your websites
Instead of typing in the url every time you want to access a site, bookmark it! This reduces the chances of you accidentally typing in the wrong URL and entering a spoofed site.
Use strong, unique passwords
Using strong, unique passwords for different sites reduces the risk of thieves getting access to your different accounts if they happen to get into one.
Enable multi-factor authentication (MFA)
By adopting MFA, you can add an extra layer of security that makes it harder for scammers to access your account, even if they get their hands on your login information. Here’s how to set up MFA in Wave.
How Wave is protecting you
You can help protect yourself by staying alert and keeping an eye out for signs of a fake website—but here’s what we’re doing to reduce the chances of you coming across one in the first place.
Reporting spoofed websites
Wave regularly monitors for any signs of domain spoofing and acts quickly when we detect a fake site. We’ve reported these spoofed websites to our stakeholders, cybersecurity agencies, and Internet domain registries.
We’re also proactively purchasing similar versions of our domain to prevent fraudsters from using them in the future.
Educating our team and customers
By educating our employees and customers about domain spoofing and how to spot it, we’re building up a community effort to combat fraudsters.
We can all do our part to share our knowledge with others, report suspicious activity, and make it harder for fraudsters to succeed by upping our security and due diligence.
Implementing multi-factor authentication (MFA)
Wave recently launched MFA, which greatly enhanced the security of Wave accounts, making it much harder for unauthorized users to gain access.
Adding an extra layer of security, such as MFA, can make it much harder for scammers to gain access to sensitive information, even if they manage to trick you into entering your login credentials.
Moving forward with domain spoofing
Awareness about domain spoofing and how to spot it is a powerful tool in combating it.
By educating yourself about the risks of domain spoofing and arming yourself with the knowledge to recognize and avoid spoofed websites, you’re helping to protect your personal and financial information—and helping Wave keep customers like you safe.
Remember, staying informed and proactive is your best defense against domain spoofing. Keep your eyes open and trust your gut.
(and create unique links with checkouts)
*While subscribed to Wave’s Pro Plan, get 2.9% + $0 (Visa, Mastercard, Discover) and 3.4% + $0 (Amex) per transaction for the first 10 transactions of each month of your subscription, then 2.9% + $0.60 (Visa, Mastercard, Discover) and 3.4% + $0.60 (Amex) per transaction. Discover processing is only available to US customers. See full terms and conditions for the US and Canada. See Wave’s Terms of Service for more information.
The information and tips shared on this blog are meant to be used as learning and personal development tools as you launch, run and grow your business. While a good place to start, these articles should not take the place of personalized advice from professionals. As our lawyers would say: “All content on Wave’s blog is intended for informational purposes only. It should not be considered legal or financial advice.” Additionally, Wave is the legal copyright holder of all materials on the blog, and others cannot re-use or publish it without our written consent.
Read next
