Some malicious individuals use phishing scams to set up convincing spoofs of legitimate Web sites. They then try to trick you into visiting these Web sites and disclosing personal information, such your credit card number.

Fortunately, there are several steps you can take to help protect yourself from these and other types of attacks.


What is a spoofing attack?

Spoofing attacks are commonly used in conjunction with phishing scams. The spoofed site is usually designed to look like the legitimate site, sometimes using components from the legitimate site. The best way to verify whether you are at a spoofed site is to verify the certificate.

Do not rely on the text in the address bar as an indication that you are at the site you think you are. There are several ways to get the address bar in a browser to display something other than the site you are on.


How to verify a site certificate?

Always verify the security certificate issued to a site before submitting any personal information. Before you submit any personal information, ensure that you are indeed on the Web site you intend to be on.

In Internet Explorer, you can do this by checking the yellow lock icon on the status bar.

This symbol signifies that the Web site uses encryption to help protect any sensitive personal information—credit card number, Social Security number, payment details—that you enter. The lock only appears on sites that use an SSL (Secure Sockets Layer) connection, which is typically used only on sites where you enter sensitive information.


Screen shot of yellow lock icon in Internet Explorer

Secure site lock icon.

If the lock is closed, then the site uses encryption. Double-click the lock icon to display the security certificate for the site. This certificate is proof of the identity for the site.

When you check the certificate, the name following Issued to should match the site you think you are on. If the name differs, you may be on a spoofed site.

    If you are not sure whether a certificate is legitimate, do not enter any personal information. Play it safe and leave the Web site. If the site does not require you to enter sensitive information, it probably won't display the lock icon.

Screen shot of an MSN certificate


Legitimate certificate.

When new subscribers sign up for MSN services, they can match the Issued to domain name ( to the Web site domain name (also

Also, be cautious about clicking links in e-mail messages or in online ads from retailers you don't recognize or trust. If you have any doubt about a link, do not click it.

Instead, type the Web site address into the address bar of your Web browser, or try to confirm that the link is legitimate. Remember, if an offer sounds too good to be true, it probably is.






Insecure websites are displayed as: