You are now in the main content area

Website Phishing

With your help, TMU can minimize online threats.

Phishing attacks aren’t just limited to your email inbox. Malicious actors can set up fake websites designed to steal your personal information or trick you into downloading viruses or malware.

Learn tips for spotting common website phishing tactics and strategies for protecting yourself when using the internet.

It’s easy for a hacker to create a fake website that mimics an official organization’s website via HTML and CSS coding. By posing as an organization’s official website, malicious hackers hope to steal your account information or infect your devices with viruses and malware.

Common traits of phishing websites:

  • The website’s URL is very similar to an organization’s real website URL and only differs by a few letters or characters.
  • The website includes typos or grammatical errors.
  • The website is poorly formatted and images and logos are stretched or blurry.
  • Upon visiting a website, a fake login window appears asking you to enter your account login details and passwords.

Phishers can use fake pop-ups and push notifications on fraudulent phishing websites to trick users into thinking that their device is infected with a virus or malware that needs to be removed or they risk having their device compromised.


Common signs of pop-up phishing attempts include:

  • Pop-up windows that automatically launch a new pop-up once the original is closed.
  • Disguising pop-ups as real world system warnings and notifications you’d receive from an official internet browser or website.

Push notifications

By allowing push notifications on phishing websites, you can be:

  • Redirected to other phishing websites, increasing the likelihood of accidentally downloading malware or being exposed to other phishing attempts.
  • Encouraged to turn on notifications to download malware disguised as official software or files.
  • Encouraged to turn on notifications to see more information on a fake website, increasing your risk of having your personal information tracked or stolen.

Browser-in-browser phishing attacks use simulated login windows with spoofed domains to trick people into providing their login credentials. Browser-in-browser phishing schemes commonly include fake single sign-on (SSO) authentication windows mimicking real SSO windows used by companies like Google or social media platforms to facilitate secure logins.

To accomplish this, hackers use programming languages like Javascript to replicate browser windows and URLs to mimic real world browsers, tricking users into sharing user names, email addresses and passwords.

How to spot a browser-in-browser phishing attempt


  • The URL of the SSO window looks suspicious and does not match URLs from the organization’s official website.
  • The SSO window includes spelling and grammatical errors.
  • Images and logos on the SSO window are stretched or blurry.
  • The link to the SSO window came from an unsecure source like an unknown email address or suspicious ad or website.
  • You are unexpectedly prompted to enter your login credentials into an SSO window on a website that shouldn’t require you to login.

Stay alert: if you have multiple browser windows open connected to different accounts or cloud services, it can be difficult to determine which connection is prompting you to login through an SSO window.

If an SSO window looks suspicious, do not enter your login credentials and close the window.

Foundational to the internet are Hypertext Transfer Protocols, or HTTP, which is an internet communication protocol connecting a web client (your internet browser) and a server (software or hardware that interprets a website’s URL and delivers web page content). In essence, HTTP is the “method ” that allows your web browser and the server to communicate with one another.

Increasingly, websites are using HTTPS, or Hypertext Transfer Protocols Secure, which is a secure alternative to HTTP. By employing a security certificate, HTTPS websites encrypt any data being shared between a web client and a server, making it harder for hackers to gain access to your data.

As a general rule, always avoid visiting websites or providing personal or login information on websites with URLs beginning with just HTTP as they do not include any encryption or verification protocols.

Remember: HTTPS does not necessarily mean a website is safe

While websites with URLs beginning with HTTPS are typically thought to be secure, this does not necessarily mean that they’re all safe. Increasingly, phishing websites are obtaining real security certificates to trick victims into believing these websites are real and trustworthy.

When visiting an HTTPS website, always look out for common signs of phishing websites to ensure your data isn’t being compromised.

With more of us browsing the internet on our mobile phones and tablets, hackers are now creating fake websites formatted specifically to target users using mobile devices.

Websites for official organizations often have built-in mobile device support, with websites specifically reformatted to be accessed on phones or tablets. When accessing the internet via a mobile device, always remain vigilant and look out for warning signs of a phishing website.