
Scam watch: Esta renewal copycat website


One Which? member was savvy enough to realise that a website he’d clicked on to renew his Esta document to travel to the US wasn’t official.

Member Michael Turney told us:

‘I regularly fly to the United States and recently received an email advising that my Esta travel document was up for renewal. I know that a two-year document costs $14 (£11).

‘I typed ‘Esta renewal’ into a search engine, and the first website on the results page looked very official.

‘While filling in my details, I became aware that the website was requesting answers that it should already have had on file.

‘It wasn’t until I clicked ‘complete transaction’ that I realised it was a scam. My card had been charged £64.

‘I immediately emailed the website owners to advise that I was notifying the US Embassy and the police that I had been scammed. Within a minute, they told me that the transaction had been voided and no money had been taken.

‘I cancelled my card to prevent them using it again.’

Our say on copycat websites

We’ve seen numerous examples of copycat websites in search engine adverts fooling people into paying more than they need to for visas, driving licence renewals and Ehic cards, among other documents.

We’ve successfully campaigned in the past for search engines to do more to stop these websites from appearing in their results pages, but we want more enforcement action.

Google has set up an online form to let you report misleading adverts. We’d also recommend reporting the website you used to National Trading Standards.

Have you been caught out by a copycat website when applying for visas, a driving licence or similar? What happened?


I hope Which? reported the at least a dozen websites that come up on Google when searching ‘renew esta’?

It’s just a pity that those that use the Internet don’t take full precautions against websites like that; only yesterday I inputted ‘contact British gas’ and chose the top entry – my protection blocked it as a malware website. If your paid-for Internet protection doesn’t protect you then get a more comprehensive one or install a whole host of plug-ins on your browser like I have; they cover bad scripting, malware domains, clean links, malware servers and many other types of protection. What I did notice for Windows users when I had Windows was that some of the protection I use in Linux was blocked in Windows because it blocked Windows’ prolific spying, as well as that Windows “modifies” your browser if you don’t use Edge/IE so that it complies with “Windows rules”, meaning you are blocked from fitting some protection because it conflicts with, again, Windows spying on your non-MS browser. I actually “feel sorry” for those Windows users as I spent years fighting against MS, but to achieve what I wanted I had practically to disable the Windows system, and even then it didn’t let me forget it. Now I don’t use Windows I can stop “taking the pills” as I am a lot calmer.

I’m still shocked that people don’t use gov.uk to find the correct links for these official things. There definitely is a requirement to educate people.

I agree William. The expansion of use of the internet for access to all kinds of services has not been accompanied by an education programme to protect people from their eagerness [or lack of practical alternative] to do it on-line. I believe the government should take out advertising for GOV.UK to show people how to obtain free government services such as EHIC, Passport applications, Driving Licence applications, Driving Test appointments, and so on, and also other application facilities provided by foreign governments such as ESTA. Could it be that the VAT received from all the charging sites for ‘processing’ people’s applications is inhibiting the government from rendering them redundant?

I use GovUk daily as part of my job. However, when googling ‘apply for road tax’, the top ‘hit’ was an ad (which it turned out was for a copycat site). I inputted all my info and then later realised that I had been asked for information that they should know, e.g. MOT expiry. The site had charged a fee for the transaction. I immediately emailed and notified them that I was reporting them on the basis that they were copying an official government site. My payment was refunded. I contacted Gov.uk and the DVLA with screenshots of the site, which were uncannily similar to the official one, and both responded to say ‘use only the weblink on your renewal notice to be safe’. No concern about the site at all.
I blame Google; they are letting people advertise falsely because they pay.
So, yes, we do ‘need’ more information about scams to be included with renewal information, but we don’t all ‘need’ educating per se.

A quick google here found uk.usembassy.gov/visas/visa-waiver-program/ “This is the official website of the U.S. Embassy and Consulates in The United Kingdom. External links to other Internet sites should not be construed as an endorsement of the views or privacy policies contained therein.”

but that was the 3rd hit.

2nd hit was www esta us/ which looked fairly official but in very small print right at the bottom said “Legal Disclaimer: ESTA.US is a private information website not affiliated with the United States Government.”

1st up was www esta-registration co uk/ which included “this is a non government service…”

Savvy users ought to know by now that the first few hits on Google are advertisements – hence they are unlikely to be official government sites.

Since I stopped using Google a long time ago when I stopped using Windows, two of the biggest trackers in the world, I don’t and never will know whether they have changed their inbuilt policy of routing you to websites they benefit financially from. If you say “savvy users” you must mean a minority of users, but posters who come on websites like Which asking for help trust in big names because they publicise themselves as such and don’t give it a second thought about clicking on the top web-page URL. I do it as well, but I do it intentionally so that my multi-protection can tell me bad websites which I pass on to others. The real point is – this should not happen because those massive companies know where the traffic goes, know what the servers are like; I can watch data flow and get a list of it. As I post this I can see this page is reasonably secure, but some other pages are not and it depends on the data being transferred; you can’t block everything if you wish to use some websites but traces can be removed. Why should the public be made vulnerable for profit?

Firstly I wish Which? would
1. Use the actual site name and the company

2. “We’ve successfully campaigned in the past for search engines to do more to stop these websites from appearing in their results pages.” Really? The success would seem partial or momentary.
Can Which? post the details of their exchanges with the search engines and the undertakings they agreed to?

3. I have suggested for three years that Which? should, as a service to subscribers, both in making life simpler and in making it safer, be the default place to go for safe links to the right sites. As we age the knowledge that if we boot to Which? and then put in the name of the interest we have – in this instance ESTA – then we will be steered the right way.

An everyday service worth paying for by our subscriptions. I would call it CAwiki as a nod to the owning charity.

I would heartily endorse Patrick’s idea of W? hosting a page or pages of ‘safe links’. We did do something similar in 1998, but to have one officially run would be excellent.

Ian, I have already posted an app I have on my main browser called Clean Links, which is also available for cell-net phones; it is available in several places but the original website is github.com, where it converts obfuscated/nested links to genuine clean links: https://github.com/diegocr/CleanLinks – this is a secure website.

Github is useful indeed, and you can also install Privacy Badger, Better Privacy, Google link search fix and HTTPS everywhere on Firefox, all of which makes browsing a whole lot safer in general.

Ian – Privacy Badger was good up until Firefox updated itself a few weeks ago; now when you go to the list of blocked/not blocked domains you are taken to a Mozilla extension page (hidden on your computer) where a J Script is interfering with the ability to permanently block websites, in particular sly-named Twitter/Facebook tracking domains. I don’t rely on it now but do have uBlock with a much enhanced range of blocked domains/URLs etc. There are others more technical I could install. Bad news! (for me) MS has bought a seat on the – wait for it – LINUX board after decades of – we hate Linux – they see Linux has now (2017) 2% of the market, not much you think, but it’s down to Chromebook and exactly as I said a year or two ago – MS fully intends to “go mobile” with a variation of W10 – omg! – as it, quite rightly, sees mobile is the way to go (agreed by the board a long time ago). Believe it or not Windows is now a minority system worldwide and they are not about to let that go unchallenged by buying up smaller companies related to this trend. Guess what system is used on 99% of servers / most of the UK government security departments + USA equivalents, also their massive data collection computers (Big Data etc) – that’s right – Linux.

I think your issue has only affected MS and Linux machines, Duncan. It doesn’t seem to have troubled the Macs.

It’s done intentionally by Mozilla, Ian; instead of adding a tag to the web-page to control it, it uses a Jscript to open a special web-page controlled by the script installed on my PC, of which I have the full code but haven’t tracked it down yet; it installs a skin just like a virus would. It’s only the fact Mozilla has done it that upsets me; if it was a virus I could do something about it. It even occurs on a live system DVD of another system I tried out, so it’s particular to Firefox. Thanks for the info though, it might help me find the file and destroy it.