9 tips for avoiding suspicious Web sites

Nine tips to help you spot--and avoid--scandalous, spoofed, and spyware-prone Web sites.

Jessica Dolcourt Senior Editorial Director, Content Operations

Editor's Note: This article was updated on 5/8/09 from a previous version published on 3/3/08, and the original, published on 12/15/06.

No matter how you arrive at an unsafe Web site, it's all downhill from there. Phishers will attempt to coerce you into disclosing your address, credit card number, or social security number. Or maybe adware engines will start sprouting pop-ups over your screen like a field of clover. Worse, your computer may become part of a botnet, its processing power used to send spam and infections to others, possibly even in your name. Here are nine telltale signs you're swimming in dangerous waters, with tips to help keep you firmly in the safety zone.

Before we dive in, take note of two tools to help warn you of dangerous sites. McAfee SiteAdvisor and AVG LinkScanner assess the hazards of sites you visit, and both are available for Firefox or Internet Explorer. Online Armor is one firewall that scans sites in real time based on traceable patterns of malicious software behavior. Also check out our Security Starter Kit for an excellent set of tools that defend against potential threats.

Sign 1: Pop-up city
You click a search result and are suddenly bombarded with no fewer than 10 porn pop-ups. Back out immediately by right-clicking the pop-up in your task bar and selecting 'close' or by killing the EXE in your Task Manager. It might also help to press Alt-F4 to close your browser. Then run a malicious software scanner and remover to assess and fix the damage--Malwarebytes Anti-Malware is a good start.

Sign 2: Where's the EULA?
Rogue antivirus apps often scare you into parting with your credit card number by informing you they've found bogus spyware on your machine (it!) Be wary if you're about to sign up for or purchase a service and aren't prompted to accept an end-user license agreement or offered a privacy policy to view. Shady site proprietors often disclose their intentions in the privacy policy or EULA, so you should always read carefully! The free tool EULAlyzer (from the makers of SpywareBlaster) is a great help because it analyzes license agreements and notes any unusual or possibly dangerous language. An upgrade to the professional version is available for about $20.

Sign 3: Excessive firewall alerts
Your firewall repeatedly alerts you to file extensions you don't recognize and other suspicious anomalies. Once you've set your firewall to allow your most common programs, any alert should be taken seriously, and a number of warnings should be a red light that something is amiss. If you're not running a firewall, get one right now.

Sign 4: E-mail and instant message links phish for information
You follow a link embedded in an e-mail and arrive at a site that asks you to provide security information for an "important update." Misleading links are increasingly sent through instant messages under the guise of a contact's friendly tip. This variety is especially easy to fall for. If the page is asking for data or looks like a different destination than the link implied, pull yourself out of autopilot and start taking screenshots. Contact the company for verification before taking any action, and check the Federal Trade Commission's alert board.

Sign 5: The site's URL and e-mail don't match
Any case in which a site's URL doesn't match the contact's e-mail address should raise an alarm. Most legitimate companies provide their employees with a corporate e-mail account. This doesn't mean, however, that you can automatically trust sites where the two align. Illegitimate companies can purchase domain names as easily as legitimate companies.

Sign 6: Are you secured?
If a site prompts you to enter personal information, such as a username, password, or credit card number, check the browser window. Unless the site is secure--that is, unless the address starts with https:// and a closed padlock appears at the bottom of the window--your information is ripe for theft.

Sign 7: Check teh speling
Developers and engineers may have a bad reputation when it comes to grammar, and that's why most companies hire wordsmiths. Be wary of a site chock-full of grammatical and spelling errors. That includes the Web address--there's a world of difference between www.yahoo.com and www.yhoo.com.
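The checks in Signs 5 through 7 can be automated. The sketch below is an added example, not part of the original article: it flags a non-https address, a hostname within a small edit distance of a domain you trust (the www.yhoo.com case), and a contact e-mail whose domain differs from the site's. The allowlist, the sample addresses and the distance threshold of 2 are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the user really deals with (assumption).
KNOWN_DOMAINS = {"yahoo.com", "cnet.com", "example-bank.com"}

def host_of(url):
    """Lower-cased hostname with any leading 'www.' removed."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, swap neighbours."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "yaoho" typed for "yahoo".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_site(url, contact_email=None, max_distance=2):
    """Return warnings for Sign 6 (https), Sign 7 (spelling), Sign 5 (e-mail)."""
    warnings = []
    host = host_of(url)
    if urlsplit(url).scheme != "https":
        warnings.append("not https")
    if host not in KNOWN_DOMAINS:
        for known in sorted(KNOWN_DOMAINS):
            if 0 < edit_distance(host, known) <= max_distance:
                warnings.append(f"looks like {known}")
    if contact_email:
        mail_domain = contact_email.rsplit("@", 1)[-1].lower()
        if mail_domain != host and not host.endswith("." + mail_domain):
            warnings.append(f"e-mail domain {mail_domain} differs from site")
    return warnings
```

Note that `check_site("http://www.yhoo.com/login", "support@yhoo.com")` raises no e-mail warning, because a lookalike domain can host matching mail; only the spelling and https checks catch it.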

Sign 8: Nested links
Does the site forward you to a completely unrelated site when you land on it? If nested links progressively take you to other sites, the host may be trying to pull a fast one.

Sign 9: Ridiculously large sums
If a free gift offer seems too good to be true, it probably is. You don't get a $500 gift certificate for doing nothing. Most often you'll have to provide personal information, download something compromising, engage your friends in a pyramid scheme, or all of the above. And how about those well-known scams that offer to pay out, but only after you wire someone a chunk of change? In this case, the surest preventative measure is your delete button.