Five visual signs you're looking at a phishing page

Why visual signs matter

Most phishing pages are made by criminals copying real websites. They rarely build the page from scratch. That means the fakes have small details that the real page doesn't, and the real page has small details that the fakes haven't bothered to copy. Once you know what to look for, you can usually tell within ten seconds.

Here are five signs that come up again and again. None of them, on their own, is proof. But two or three together is almost always a fake.

1. The web address looks almost right, but isn't quite

This is the most common sign by far. Real banks, exchanges, retailers, and government services use short, recognisable web addresses. Fakes try to look like the real thing without using the real address.

Watch for:

• A familiar brand name with extra words attached. paypal-secure-login.com, apple-support-au.net, coinbase-verify.online. Real PayPal is paypal.com. Real Apple is apple.com. Real Coinbase is coinbase.com. The extra words are giveaways.
• A familiar brand name with a small spelling change. paypa1.com with a '1' instead of 'l'. amaz0n.com with a zero. commbank.com.au.cn with the real-looking part buried in a longer fake domain.
• An address that ends in something unusual. Most legitimate Australian businesses end in .com.au or .com. If a 'bank login' page ends in .online, .xyz, .click, .zip, or a country code that doesn't match the brand's home country, treat it as suspect.

The trick is that browsers display web addresses in tiny text, and tired humans read them quickly. Slow down. Read the part right before the .com (or .com.au) carefully. That's the part criminals can't fake.

2. The page asks you for things the real one wouldn't ask for

Real services know your information already. They don't need you to 'verify' it by typing it in. Watch for pages that ask for:

• Your full credit card number plus the three-digit security code, when you're not actually buying anything.
• Your bank login plus your one-time SMS code.
• Your driver's license, passport, and selfie all at once, with no clear reason.
• Your seed phrase or private key for a crypto wallet. No legitimate service ever asks for a seed phrase, ever, under any circumstances. This is the single most reliable sign of a scam in the crypto space.

The reasoning is simple. If the service is real, it already has your account information from when you signed up. It doesn't need to ask again. Scammers ask because they're not the service.

3. The urgency is artificial

Real services don't pressure you. Government tax offices don't tell you that you'll be arrested if you don't pay within fifteen minutes. Banks don't tell you your account will be closed at midnight if you don't click a link. Couriers don't fine you for delayed pickup.

If a page or message is pushing you toward a quick decision with consequences, the urgency is the warning sign. Real consequences don't have countdowns. Step away from the device, find the company's real customer service number through a search engine (not the link in the message), and call them.

4. The login page works for any password

This one is subtle but powerful. If you suspect a page is fake, type a deliberately wrong password and click submit. A real login page will reject the wrong password with an error. A fake login page will often 'succeed' because the criminals haven't bothered to check passwords. Their goal is just to capture whatever you type so they can use it on the real site.

If your wrong password is 'accepted' and you're forwarded to a thank-you screen or a verification step or anything other than a normal login error, you've just confirmed it's a fake. Don't enter the real password. Close the tab. Change the real password on the real site.

5. Small visual details are off

Look at the logo, the page footer, and the legal links at the bottom. Fakes usually copy the front of the page reasonably well but skimp on the parts criminals don't think anyone reads. Common tells:

• The logo is slightly fuzzy or the wrong shade of the brand colour.
• The footer doesn't have proper company registration details (Australian Pty Ltd or ACN, UK Ltd or company number, US incorporation state).
• The 'Terms of Service' or 'Privacy Policy' links point to the same page or to a missing page.
• Customer service contact is only an email at a free provider (Gmail, Hotmail, Outlook) rather than a corporate domain.
• Copyright at the bottom shows the wrong year, or no copyright at all.

Real businesses care about these details because regulators and lawyers care about them. Criminals don't, because they're moving on to the next page in a few weeks anyway.

When in doubt

Use AVA. Paste the link, the email address, the wallet address, or the social account into the main check tool and see what AVA scores it. Free for the first five checks per day, no signup required. If AVA flags it as risky, trust that. If AVA is uncertain, your gut feeling about the five signs above is probably worth listening to.

If you've already entered your details into a fake page, three things to do immediately:

1. Change the real account's password on the real site. Use a different password than the one you typed into the fake.
2. Tell your bank or the service if money or account access is involved. They can flag the account for unusual activity.
3. Report the scam at AVA's report form so others can be warned.

You probably won't catch every scam by eye, but you'll catch the obvious ones. Combined with a quick check via AVA when something feels off, you've made yourself a much harder target than the average internet user.