Don’t Let Members Get Spooked By Spoofed Sites


We are wrapping up another Cybersecurity Month here at CUSO Magazine. We have learned about the rise of AI scams, RFID skimming, got a refresher on password hygiene, and were reminded how important board literacy training is for credit union cyber health.

As we close out the month, it’s time to talk about another attack vector bad actors use to confuse and exploit members and staff alike: website spoofing.

What is website spoofing?

Spoofing is the act of cleverly disguising fraudulent websites as trusted ones. Regardless of how the faked website is sent to members and staff—and we’ll get to the specifics shortly—the important idea here is that the URL of a fraudulent website is made to look like something you know and recognize. Sometimes this is as simple as replacing an ‘m’ with ‘rn’ (e.g. cusornag.com instead of cusomag.com). Sometimes an extra letter is inserted where the reader is unlikely to notice it. Depending on the font used, the difference might be glaringly obvious (if you’re looking for it), but sometimes the font disguises it so well that it’s nearly impossible to tell.
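As an added illustration (not code from the article or from CUSO Magazine), here is a small Python check a credit union's IT staff could run over the hostname of a link before it is trusted. It collapses the confusable glyph pairs described above (‘rn’ for ‘m’ and similar) and flags domains that are one character away from a known-good domain; the trusted-domain list and the confusable table are constructed assumptions for this example.

```python
import unicodedata

# Known-good domains members are expected to visit (constructed sample list).
TRUSTED_DOMAINS = {"cusomag.com", "cuanswers.com"}

# Character sequences that render almost identically in many fonts; each is
# collapsed to its look-alike so that "cusornag" compares equal to "cusomag".
# Constructed table, not exhaustive.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "|": "l"}


def normalize(domain: str) -> str:
    """Lower-case, strip accents, and collapse confusable sequences."""
    text = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    text = text.lower()
    for seq, repl in CONFUSABLES.items():
        text = text.replace(seq, repl)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Keep the last two labels (naive: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_verdict(host: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain).

    'trusted'   exact match with a known-good domain
    'lookalike' differs from a known-good domain only by confusable glyphs
                or by a single inserted, deleted or swapped character
    'unknown'   no resemblance to anything on the list
    """
    cand = registrable(host)
    if cand in trusted:
        return "trusted", cand
    norm = normalize(cand)
    for good in trusted:
        if edit_distance(norm, normalize(good)) <= 1:
            return "lookalike", good
    return "unknown", None
```

A 'lookalike' verdict is a reason to stop and type the organization's address by hand rather than follow the link.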

Getting an unsuspecting target to click on a bad link is only step one for scammers. Maybe the site the user is directed to delivers a nasty payload to that person’s device. Another option though is that the individual is presented with a very convincing replica of the site they thought they were visiting. From there maybe they’re presented with a “confidential” web form asking for sensitive information the bad actor can use to access accounts, take over emails or phones, and in general wreak havoc. Either way, avoiding these websites is the first and most important countermeasure.

How are these spoofed sites presented?

Spoofed sites are delivered in a variety of ways using a variety of methods to convince you to click. Chances are you have received a text saying you owe money for this or that. Sometimes it’s a package that can’t be delivered and they need new information (despite the fact that you weren’t expecting anything). Whatever it is, text scams rely on you clicking on a link that has either been spoofed to look like something you know or is designed to look like something that might be legitimate.

The same principle exists with email spam. Whether you’ve won something, or owe something, or need to fix something, the bad actors will use whatever means at their disposal to convince you the URL is legitimate. And with the advent of A.I. and large language models, they are getting increasingly sophisticated with the messages.

One of the newer attack vectors is courtesy of your browser search engine of choice. Have you ever searched something in Google only to find that you have to scroll past a few sponsored links to get to the one you want? Well, what if the sponsored link is the one you want… or so you think.

In the example above, I searched for Adobe and was returned a sponsored result (above) and the actual search result below. In this case, both are the same. However, the sponsored result isn’t always innocuous. Scammers use Google Ads and sponsored links to put their fraudulent websites at the top of your results.

Before you pick up your pitchforks, Google actively combats these violators, removing millions of ads that violate their policies. According to allCare IT, Google removed 5.2 billion ads and restricted another 4.3 billion in 2022, and suspended 6.7 million advertiser accounts. But while they work hard to ensure what is presented is legitimate, some can slip through the cracks.

In March 2025, a woman from Ontario, Canada lost $25,000 after clicking a link in a Google search result she thought was directing her to the Canada Revenue Agency. Everything looked above board, she entered her account information, and within minutes the money was gone.

What you, your staff, and members can do

Cybersecurity is an ever-evolving challenge for credit unions. There’s only so much we as an industry can do to safeguard members from harm. And while we implement tools to improve account security, we cannot stop a member from doing something to jeopardize themselves. The best we can do is offer frequent education and do what we can to assist when the worst should happen.

As for spoofed websites, members and staff should be instructed to always be wary of clicking links from individuals and phone numbers they don’t recognize. Think it’s legitimate? Direct them to instead go directly to that organization’s official website or call their listed number to inquire. As for sponsored ads, best practice is to just not click on them. Instead, scroll past to get to the real results that haven’t been pushed to the top through ad programs.

And lastly, though scammers will find ways around this too, suggest the use of two-factor authentication whenever possible as it adds another layer of security to sensitive logins. With those basic guidelines, you and your community can avoid getting spooked by spoofed websites.

Author

  • Esteban Camargo

    As a supervising editor of CUSO Magazine, Esteban reviews and edits submissions, assists in the development of the publishing calendar, and performs his own research and writing. His experience provides CUSO Mag with a seasoned writer and content curator, able to provide valuable input to contributors, correspondents, and freelance journalists.

    Esteban has worked at CU*Answers since 2008 and currently serves as the CUSO's content marketing manager.
