Using subdomains to fool people
What’s a subdomain?
Let’s look at some examples:
- www.trustedcompany.com - this is a real, official domain.
- trustedcompany.fakewebsite.com - this is not the same. It’s actually part of fakewebsite.com, and has nothing to do with the real company.
Even though “trustedcompany” appears in the name, it’s just a subdomain of another website. This is a common trick to make things look legitimate when they’re not.
Anyone can create a subdomain. If I register shop.com, I can put any name in front of shop.com, for example a subdomain called thepostoffice.shop.com. See the danger here!
Many people will just see “thepostoffice” and believe it to be a legitimate link, and this is where many people fall foul.
Why does this matter?
Scammers use these fake subdomains to send emails that:
- Pretend to be from well-known companies
- Ask you to click on links or open attachments
- Try to steal your login details or personal information
What should you do?
- Look carefully at email addresses and links.
  The real company will usually use something like @companyname.com, not @companyname.otherwebsite.com.
- If you’re unsure, do not click and report it.
- Remember: even small changes in an email address can mean it’s fake. These could be a '0' (zero) instead of an 'O' (oh), or a similar character substitution that you may miss on a quick scan.
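The check described above can also be automated. The following Python sketch is an added example, not part of the original article: it reads a link or email address from right to left, finds the domain that was actually registered, and flags a trusted name that appears only as a subdomain or with look-alike characters. The allow-list, the short suffix table (a stand-in for the full Public Suffix List) and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for this demo.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "com.au"}
# Constructed allow-list using the placeholder names from the article.
TRUSTED = {"trustedcompany.com", "companyname.com"}
# Digits commonly swapped for letters, e.g. '0' (zero) for 'o'.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def host_of(value):
    """Return the lowercase host from a URL or an email address."""
    value = value.strip()
    if "://" not in value:
        # Email address or bare host: keep only what follows the last '@'.
        value = "//" + value.rsplit("@", 1)[-1]
    return (urlsplit(value).hostname or "").rstrip(".")

def registrable_domain(host):
    """Return the part of the host that somebody actually registered."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def check(value, trusted=TRUSTED):
    """Classify a link or address against the allow-list."""
    host = host_of(value)
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    # Everything to the left of the registered domain is a free-form subdomain.
    sub_labels = host[: -len(domain)].strip(".").split(".")
    brands = {t.split(".")[0] for t in trusted}
    if brands & {label.translate(LOOKALIKES) for label in sub_labels}:
        return "brand-in-subdomain"
    if domain.translate(LOOKALIKES) in trusted:
        return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for sample in ("https://www.trustedcompany.com/login",
                   "http://trustedcompany.fakewebsite.com/reset",
                   "billing@companyname.otherwebsite.com",
                   "https://trustedc0mpany.com/"):
        print(f"{check(sample):20} {sample}")
```

A result of "unknown" only means the domain is not on the allow-list; it says nothing about whether the site is safe.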
Tips to Stay Safe
- Hover over links before clicking – check where they really lead.
- Watch for unusual spelling, tone, or formatting in the message.
- If something feels off, you can either run it through Co-Pilot to see what it thinks, or report it to us. Better safe than sorry!
Surveys suggest up to 15% of UK adults may experience financial fraud annually.
Source: UK Gov
Fraud (particularly online) is widespread—millions of incidents per year, but most go unreported.
Official records cover only a fraction (~25%) of actual incidents.