It would have been nice, I had thought at some point in the past, if my Internet browser could actually get me to the correct site I wanted to go to regardless of whether I missed a letter or two while typing its URL on the address bar.

For some, that may sound like wishful thinking.

But what online bank users are probably not aware of is that banks, especially the major brands like Bank of America, have already made it possible for users to do something like that.

How did they do it? They bought and/or registered likely misspellings of their domain names in an attempt to curb typosquatting. Using Bank of America as an example, if we key in “bnkofamerica[dot]com” (missing first ‘a’), “bankofmerica[dot]com” (missing second ‘a’), “bankofamerca[dot]com” (missing ‘i’), or “bankofaamerica[dot]com” (second ‘a’ is doubled), hitting Enter will direct users to their official, SSL-enabled website.
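The two typo classes in the examples above (a dropped letter and a doubled letter) can be enumerated mechanically, which lets a domain owner check its defensive registrations for gaps. The following Python is an added example, not part of the original post; the function names and the `mybank.example` portfolio are constructed for illustration.

```python
# Added example: audit defensive-registration coverage for single-character typos.
# The portfolio in the demo is constructed sample data, not real registration records.

def omissions(label):
    """Every variant with exactly one character dropped (e.g. 'bnkofamerica')."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}

def doublings(label):
    """Every variant with exactly one character repeated (e.g. 'bankofaamerica')."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}

def typo_variants(domain):
    """Map each single-character typo of the domain to the typo class that yields it."""
    label, _, tld = domain.lower().partition(".")
    variants = {}
    for kind, generate in (("omission", omissions), ("doubling", doublings)):
        for variant in generate(label):
            if variant and variant != label:
                variants.setdefault(f"{variant}.{tld}", kind)
    return variants

def coverage_gaps(domain, registered):
    """Return the typo domains missing from the owner's registered portfolio, sorted."""
    owned = {d.lower() for d in registered}
    return sorted(d for d in typo_variants(domain) if d not in owned)

if __name__ == "__main__":
    # Hypothetical brand on a reserved TLD, with three typos already registered.
    portfolio = ["mybank.example", "mbank.example", "mybnk.example", "mybankk.example"]
    gaps = coverage_gaps("mybank.example", portfolio)
    print(f"{len(gaps)} single-character typos not yet covered:")
    for name in gaps:
        print(f"  {name}  ({typo_variants('mybank.example')[name]})")
```

Each name the audit reports is a candidate for defensive registration or for monitoring.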

Curious, I tested URLs of other banks to see if they have done the same. To accomplish this personal study, I randomly selected three (3) banks per region, created five (5) misspelling iterations per URL, and organized them into one table, which you can check out below:

Typoed bank URLs and their redirections

You may notice from the table that some misspelled domains resolve to pages other than the banking website. These pages, however, were found to be benign at best; thus, there is a very low chance of risk in being on such pages, provided the user is not click-happy. Below is a sample screenshot of such a page:

A benign website

Unfortunately, not all positive hits redirected to benign pages. After entering “citibnk[dot]com” then hitting Enter, I was immediately led to the survey scam page below:

Citibnk: Survey scam sample

Testing this URL further, I used a proxy to change IPs every time I accessed it. Sure enough, it led me to different pages with region-contextual offers: one instance showed a site that purportedly checks for credit score, and two instances showed launchpad sites to adult-related content (note that I only showed one of the two sites I was able to access):

Credit check sample

Adult-themed launchpad site sample

Regardless of where users could be led should there be a mistake, it’s still wise to double-check that you have keyed in the correct URL on the address bar before accessing it. It’s also never too late to stop the browser from loading (if you already punched Enter before checking) and correct misspellings before proceeding. Better safe than sorry, right?

There are several sites that can help one determine if they are on the website they want to access and not a fake or scammy one. For starters, you may want to go here, here, and here.

Jovi Umawing