
How Do You Know if a Website Is Legit

There are many ways to decide if a website is fake—here's what we recommend.

The internet is full of websites that are either fake, fraudulent or a scam. It's a sad fact of life. You see, the development of the internet has brought with it a number of extremely convenient advances in the way we shop, bank, and interact with the world around us. At the same time, that development has also given way to new risks—new avenues for criminals to rip off the unsuspecting. In 2018 cybercrime will be a $1.5 trillion industry.

Really, what it all boils down to is fraud. These hackers and cyber criminals are little more than new age con men. And the con game is as old as time itself—people have literally been tricking one another since the start of time. And in the same vein as ancient mystics and old-fashioned snake oil salesmen, these con men are after one thing: your money.

Nowadays their tactics tend to involve phishing. Lots and lots of phishing.

What is Phishing?

Phishing is a type of online fraud that involves getting an individual or organization to disclose sensitive, sometimes compromising information, under false pretenses that have been expertly manufactured by the attackers. Tailoring a phishing attack to a specific target is sometimes called spearphishing; it's a form of social engineering. These attacks take several forms, often elaborately combining multiple mediums to create the impression of legitimacy.

What does that mean?

Well, let's look at an example. An attacker may start by sending you a formal looking email from an address that resembles an official account. It may say something like, "an attempt to login to your account has been made from another country, please update your password."

In fact, that's exactly how John Podesta, the chairman of Hillary Clinton's presidential campaign, had his email account compromised.


That email included a link to a specially designed page that is a perfect replication of the Google login page. To the untrained eye, it's almost impossible to tell the fake site from the real one. You can see how similar tactics could be used to steal financial information or medical data. Here's an example of a fake PayPal login screen:

year of the phish, phishing, PayPal

And with the advent of free SSL services and recent changes to browser indicators, it's becoming easier than ever to disguise phishing sites as legitimate.

UPDATE: Google has now changed its browser UI to be less misleading.

Other Types of Cyber Attacks to Be Aware Of

Phishing is among the most prevalent, but not the only type of attack that you need to be wary of on the internet. Here are some examples of other types of internet malfeasance:

  • Third-Party Content Injection – The most common example of this is over public WiFi hotspots. Have you ever noticed an abundance of extra ads or pop-ups (on websites that don't ordinarily contain them) when you're at the mall or the airport? This is an example of third-party content injection. Because the website lacks SSL, the internet service provider can inject its own content onto the site. This means you're not seeing the site as it's intended. And if the third party has negative intentions, it can inject harmful content.
  • Eavesdropping – Similar to phishing, if an attacker knows how, they can eavesdrop on a connection and steal any information being transmitted. This underscores the need for connection security—without it, everything you send online can be intercepted and stolen by anyone who wants it.
  • Good Old-Fashioned Fraud – Ever seen a 20-dollar iPad? Neither have we. Now, that doesn't mean you won't see websites advertise them—they just almost never exist. In all likelihood you're about to wire money to an account in the Philippines. Staring longingly at that low-res image on the pop-up ad is the closest you'll ever get to actually owning the tablet.

5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam

Here are 5 ways to decide if a website is fake – plus some additional tips to stay safe online.

1. Pay Close Attention to the URL

You would be absolutely shocked how many people pay little to no attention to the address bar of their browser. This is a huge mistake. The address bar contains a ton of vital information about where you are and how secure you are there. So get into the habit of occasionally glancing up there whenever you visit a new page.

In fact, most of the browsers abide by a concept called the Line of Death. The idea is that a user should never trust anything below a certain point on the browser, the so-called line of death. An attacker can control everything below the line (and even some things above it) so you have to know where to look for reliable information.

Browser line of death

The areas that an attacker can control are highlighted in red and numbered. Let's go over them really quickly:

  1. The Favicon – Websites can put whatever icon they want in the tab.
  2. Domain Name – This is part of the URL and it's trustworthy, as long as you know what you're looking for (more on that in a second).
  3. File path/Directory – Ditto.
  4. Web content area – This can be whatever the attacker wants it to be, including a very convincing spoof of a legitimate website.

One of the main tactics in phishing is to create a website that is nearly indistinguishable from the real thing. In order to do this, hackers and cybercriminals have gotten very ingenious in the ways they copy URLs. Between the ability to create sub-domains that mimic real domains and how browsers can confusingly shorten URLs, it's easy to get duped.

Related: What is Unicode Phishing?

In order to know what to look for when examining the URL, you need to know how a URL is constructed.

URL scheme, how to spot a fake website


Now, armed with that knowledge, always make sure that you know what the actual domain you're on is. Sub-domains can be misleading. Here's an example of a first- and second-level sub-domain that intentionally mimic a domain and TLD:

how to spot a fake website; paypal phishing site

This URL is designed to look like it's PayPal.com, but if you look closer you'll notice that those are sub-domains; the name of the actual domain is "confirmation-manager-security." Remember, the real domain name appears right before the TLD (e.g. .com/). This is not really PayPal. This is a phishing site. Notice how it still displays the little green padlock thanks to the use of an SSL certificate?

That's why you always have to check the URL.
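The sub-domain check described above, written out as an added example (it is not code from the original article). The sample URLs are constructed for illustration, the function names are hypothetical, and the suffix set is a tiny stand-in for the full Public Suffix List that a real check would load.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# A production check must load the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def registrable_domain(url):
    """Return the domain the owner actually registered (name + public suffix)."""
    host = urlsplit(url).hostname  # lower-cased; scheme, port and path removed
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    labels = host.rstrip(".").split(".")
    # Try the longest candidate suffix first so that "co.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a bare public suffix")
            # The label immediately left of the suffix is the real domain name;
            # everything further left is a sub-domain the owner can name freely.
            return ".".join(labels[i - 1:])
    raise ValueError(f"unknown public suffix in {host!r}")


def compare_to_brand(url, brand_domain):
    """Classify a URL against the domain a brand is known to use."""
    actual = registrable_domain(url)
    brand_domain = brand_domain.lower()
    if actual == brand_domain:
        return ("genuine", actual)
    brand_name = brand_domain.split(".")[0]
    host_labels = urlsplit(url).hostname.split(".")
    # The brand name shows up somewhere in the host, but the registered
    # domain belongs to someone else: the pattern the article describes.
    if any(brand_name in label for label in host_labels):
        return ("lookalike", actual)
    return ("unrelated", actual)


# Constructed sample URLs (not taken from real traffic).
SAMPLES = [
    "https://www.paypal.com/signin",
    "https://paypal.com.confirmation-manager-security.com/signin",
    "https://shop.example.co.uk/cart",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, domain = compare_to_brand(sample, "paypal.com")
        print(f"{verdict:10} {domain:35} {sample}")
```

The padlock plays no part in this check: a lookalike host can hold a valid certificate for its own name, so the verdict rests only on which domain was registered.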

2. Check Connection Security Indicators

Back to the address bar. If the last point didn't underscore the importance of this browser feature—this one should drive the point home. Within the address bar are several connection indicators that let you know whether your connection with this website is private. As we mentioned earlier, it's possible to eavesdrop on connections on the internet.

The internet was built on HTTP, or the hypertext transfer protocol. When HTTP was first defined the internet was not used for commercial activity. In fact, commercial activity on the internet was actually illegal at the time. The internet was primarily supposed to be a platform for the free exchange of information between academia and the government. Any communication done via HTTP is sent in plaintext and can be intercepted, manipulated, stolen—you name it.

In order to remedy this, SSL or Secure Sockets Layer was developed. SSL was later succeeded by TLS or Transport Layer Security. Today, we colloquially refer to both as SSL.

At any rate, HTTP + TLS = HTTPS, which is a secure version of HTTP that prevents communication from being intercepted and read by anyone but you and the website you are connected to. That's a lot of information, but what you really need to know is this:

HTTP = Bad
HTTPS = Good

Never trust an HTTP website with your personal information.

Now, let's get to connection security indicators. You want to look for one of the two following indicators:

The Padlock Icon

how to spot a fake website; Chrome HTTPS visual indicators

Or, the EV Name Badge/Green Address Bar

how to spot a fake website, google chrome extended validation indicator

Both of these icons indicate that the website is using HTTPS and that you have a secure connection. If you see either of these, your connection is secure and you are communicating privately with the website listed in the URL.

Remember, most secure connections will have the padlock icon, but some may also have the Green Address Bar. Or rather, it used to be uniformly green. Nowadays, different browsers display the EV Name Badge in different ways.

The Green Address Bar/EV Name Badge is only shown when a website is using a specific type of SSL certificate known as an Extended Validation (EV) SSL Certificate. This certificate allows a website to assert its identity and prove it is operated by a real-world, legally incorporated company. Browsers give websites with EV SSL certificates preferential treatment by displaying the company name to the left of the URL. When you see an EV Name Badge, you can relax—you're secure. The green address bar cannot be faked; it is un-impugnable proof of identity—and by extension trustworthiness.

The exact appearance of the EV name badge varies by browser. Sometimes the name is written in green, sometimes it is inside a green rectangle and sometimes it's not green at all. Here are a few examples of how EV certificates look in popular browsers:

How to spot a fake website; browser Extended Validation SSL visual indicators

It's possible for a URL to have HTTPS in it but for the padlock icon not to appear correctly, too. This indicates that there is some security issue with the connection – usually mixed content, when a site is still loading some assets that are HTTP – and represents a cause for concern. If this is the case, it's best to assume you do not have a secure connection.


You will now see the "Not Secure" warning on all websites that are being served via HTTP as of July of 2018, too. This will give you an immediate visual indication that your connection is not secure.

Google Chrome 68 HTTP Warning, how to spot a fake website

Now, one more thing: A secure connection doesn't necessarily equate to a safe website. Lots of fake websites use free SSL certificates. Think of it like this:

  • You should only visit sites that use HTTPS
  • Just because a site has HTTPS doesn't mean you can automatically trust it.

Just because the connection is secure (which should be mandatory), you don't necessarily know who is on the other end of that connection. Outside of Extended Validation SSL and the EV Name Badge, which can be trusted on sight, you'll need to do a little more sleuthing to make sure the site is legitimate. To verify a website's HTTPS connection, you can also try this SSL checker tool.

3. View Certificate Details

This one is a bit more advanced because it involves diving a bit deeper into your browser's menu and that can be misleading if you don't have a proper understanding of SSL.

If a website doesn't have the green address bar, the most that you can tell from the presence of security connection indicators is that your connection is secure. That means no third party can eavesdrop and steal information. But as we just discussed, it doesn't mean you're safe, though.

That's because you don't know who is on the other end of the connection, still.

Fortunately, that information might be available. Here's how to find it:

Most browsers (like Safari and Firefox) let you view the certificate by clicking the padlock icon in the address bar.

For Firefox:

  • Click the Padlock icon
  • Click "More Information"
  • Click "View Certificate"

For Safari:

  • Click the Padlock icon
  • Click "View Certificate"

For Chrome:

  • Click the Three Dots icon to bring up the menu
  • Under "More Tools" select "Developer Tools."
  • Click on the Security tab
  • Click "View Certificate."
    -or-
  • Click the Padlock icon
  • Click "View Certificate" (Google returned to making certificate details available by clicking the padlock last year)

When you click on the certificate information, you will get all of the information the CA verified before it issued the certificate.

Once you have the certificate details open you want to look for the following field: Subject.

sslstore, certificate details, how to tell if a website is fake

The Subject is the website or organization that the certificate is representing. Depending on the type of certificate (DV, OV, or EV) you will see different amounts of information in the Subject.

A DV certificate will just have a domain name. An OV certificate will include limited company information (a name, a state/province and country). An EV will have detailed company information, such as an exact street address. You can recognize an EV certificate if the browser is displaying the EV Name Badge. Extended Validation offers the most information—that's why it has a special visual indicator.

If an organization has an OV SSL certificate – which is recommended as a baseline for e-commerce businesses, financial institutions, etc. – then you will be able to see verified business details in the certificate information. Provided the website is registered to the right company, you're fine. You can probably trust this site.

If it doesn't, then you need to be careful.

There's also the possibility that this information isn't supplied at all. If that's the case then the website only has a Domain Validated SSL certificate. This doesn't mean you should automatically distrust the website, but it does mean you need to continue to be skeptical until the site can prove its legitimacy.
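The same Subject inspection can be done outside the browser. The following is an added example, not code from the original article: it reads the Subject in the dictionary format returned by Python's ssl getpeercert() and applies the DV/OV/EV reasoning above. The three certificates and the company name are constructed, the function names are hypothetical, and treating businessCategory plus serialNumber as the EV marker is a heuristic assumed here; browsers decide EV from policy identifiers that this sketch does not inspect.

```python
import socket
import ssl

# Heuristic assumption: EV Subjects carry these two fields, OV Subjects do not.
EV_ONLY_FIELDS = {"businessCategory", "serialNumber"}


def fetch_cert(host, port=443, timeout=5):
    """Fetch and validate a live certificate (not called in the offline demo)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def subject_fields(cert):
    """Flatten getpeercert()'s nested Subject tuples into a plain dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, value)
    return fields


def validation_level(cert):
    """Guess DV / OV / EV from how much identity the Subject carries."""
    subj = subject_fields(cert)
    if "organizationName" not in subj:
        return "DV"  # only a domain name was validated
    if EV_ONLY_FIELDS.issubset(subj):
        return "EV"
    return "OV"


def assess(cert, expected_org):
    """Return (level, verdict) for the organization the visitor expects."""
    level = validation_level(cert)
    org = subject_fields(cert).get("organizationName")
    if org is None:
        return (level, "no-owner-info")  # stay skeptical, per the article
    if org.casefold() == expected_org.casefold():
        return (level, "owner-matches")
    return (level, "owner-mismatch")  # registered to someone else


# Constructed certificates in getpeercert() format (illustrative values only).
DV_CERT = {"subject": ((("commonName", "shop.example.com"),),)}
OV_CERT = {"subject": (
    (("countryName", "US"),),
    (("stateOrProvinceName", "Florida"),),
    (("organizationName", "Example Payments, Inc."),),
    (("commonName", "www.example.com"),),
)}
EV_CERT = {"subject": (
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "0000000"),),
    (("countryName", "US"),),
    (("stateOrProvinceName", "Florida"),),
    (("streetAddress", "1 Example Street"),),
    (("organizationName", "Example Payments, Inc."),),
    (("commonName", "www.example.com"),),
)}

if __name__ == "__main__":
    for label, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        print(label, assess(cert, "Example Payments, Inc."))
```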

4. Look for Trust Seals

When a company or organization makes a substantial investment in their customers' security, they typically want a little bit of credit for it. That's one of several reasons that trust seals exist. You've probably seen more than a few trust seals in your time on the internet. They look like this:

determine if a website is fake

Trust seals are usually placed on homepages, login pages, and checkout pages. They're immediately recognizable and they remind visitors that they are secure on this page. It's not unlike putting a sign in your yard or a sticker in your window that advertises your security system. People know what they mean as soon as they see them.

But did you know you can click on them too?

site seal, the ssl store, determine if a website is fake

That's right, most SSL certificates come with trust seals that will display verified information when clicked on. This is important because it lets you know that the SSL certificate is in good standing and might also inform you of additional security mechanisms in place like malware scans or vulnerability assessments. SSL/TLS certificates aren't the only products that come with site seals, either.

But just seeing the site seal isn't enough; it is essential that you click on it to verify it's legitimate.

5. Consult the Google Safe Browsing Transparency Report

This is the last resort, but it serves as a nice final safeguard: Google it. Literally. The Google Safe Browsing Transparency Report allows you to copy and paste the URL into a field and it gives you a report on whether or not you can trust that website. It's not especially fancy, nor does it boast impressive aesthetics, but it certainly is an effective way to determine whether or not a site is unsafe.

Granted, this isn't the end-all, be-all. Google does occasionally miss stuff. But not for long. When you're as ubiquitous as Google, nothing escapes your view for long. Google's Safe Browsing service is among the best on the internet when it comes to keeping users safe. If you're ever in doubt, Google it.

Bonus! You can learn a lot from a Privacy Policy

Right now, in 2018, people are as attuned to their privacy and information security as they have ever been. A big part of that stems from the litany of new privacy regulations that have been instituted the world over – regulations like GDPR. These efforts to legally require companies to safeguard our data and be more transparent have provided an additional, unforeseen benefit, too: it's now a lot easier to tell a legitimate company or organization from a fraudster.

It starts with the Privacy Policy. No matter where you are — what jurisdiction — organizations are required to provide certain information in their privacy policies. The nice part about this information is you can check it, verify it and make sure that you are dealing with real people and a real website.

Let's start with a simple binary: is this a passable Privacy Policy? You may not be a connoisseur of privacy pages but chances are you have seen plenty of them to be able to tell a real one from something more dubious. The easiest way to check is to look for actual specific information: names of officers or employees, addresses, ways to get in contact and participation in specific programs.

A good example of this would be the EU-US and Swiss-US Privacy Shield program run by the US Department of Commerce, the Department of Transportation and the FTC. US companies that have partners in Europe are often required to certify themselves in order to comply with the EU's General Data Protection Regulation. The Privacy Shield has an official list that you can check to verify an organization's participation, too. Check that list. If you see the company there, you're set.

how to spot a fake website, privacy shield list entry

If they claim to be certified and they're not, they're breaking the law by misrepresenting themselves, which should give you pause. Even if this is a legitimate website, is this the kind of outfit you want to give your business to?

8 More Internet Tips to Help You Spot Fake or Fraudulent Websites

This next section might also be called our common sense section. That being said, you'd be genuinely surprised how many people ignore this stuff on a regular basis. Here are eight more tips to help keep you safe online.

Trust Your Browser

The browsers are our portal to the internet. We can only go where they take us, and sometimes they don't want to take us certain places. Do yourself a favor and listen to them when they suggest you not go to a website. Whether it's Chrome or Firefox or even Edge or Safari – they all let you know when you're about to stray to somewhere unsavory. And this isn't just guesswork, either. This is based on data and user reports that clearly indicate a threat. So take that threat seriously: listen to your browser.

Bonus Tip: Despite bad advice from plenty of other articles, NEVER disable your antivirus or drop your firewall. Ever.

Look for Bad English

Good websites take pride in themselves. That means the graphics look sharp, the spelling and grammar is on point and the entire experience feels streamlined and polished. If you're on a website that feels like it was written by someone with a third-grade education – or by someone who doesn't speak English as a first language – you may want to be a little bit wary. Especially if those mistakes appear on important pages.

Everyone makes the occasional mistake—even big companies. But at the point the mistakes become egregious you need to beware.

Look at the Contact Us Section

Another telltale sign when it comes to whether or not a website is fake can be found on its "Contact Us" section. How much information is there? Is an address supplied? What about a phone number? Does that line actually connect to the company? The more information that is supplied, the more confident you should feel—provided it's actually good information. If all they're giving you is an email address or, worse, there's no contact information whatsoever—run.

And remember to verify the information. Google the address, maybe even check out street view. See if any employee that's listed has a LinkedIn profile. Do a little homework.

Is there an Over-Abundance of Ads?

Ads are a fact of life. No matter where you go, you're going to see ads. But if you're on a website that is more ads than content, tread carefully. If you have to click several links to get through intrusive pop-ups and redirects to reach the intended page—you're on a website that is probably fake or at least scamming. There's a fine line between UX and selling ads. When it's clear that a website has no regard for that line, you need to be wary.

Check the Who.Is

This is another tip for advanced users.

If you really want to know who is running a website there is a database called Who.Is that can tell you what email address it's registered to. There are a number of free sites that allow you to check a website's official WHO.IS registration, though GDPR concerns have complicated access lately.

A WHO.IS registration can tell you the owner of a website and if it's an individual or a company. If it's a company there will be an "Organization" listed along with an address and phone number. For an individual, there will be a "Name" listed along with an address.

This can be an invaluable tool, especially when you're dealing with brands. If you're at a website that claims to be owned by a big company but is registered to some address in another country, there's a good chance you're on a fake website.

Check the Shipping and Return Policy

Any legitimate e-commerce company is going to have a shipping and return policy; it's considered a best practice. So any website that purports to be selling something but lacks this documentation is automatically suspect. Likewise, if you click the link and the policy looks flimsy or has been copy-and-pasted directly from another website, that's also suspect. Look, we're not telling you to read the whole thing – nor are we naïve enough to believe you would – but a quick look should tell you all you need to know.

What forms of payment do they accept?

This is another tip that is more for e-commerce, but what forms of payment does the website offer to accept? Most legitimate companies will take major credit cards and typically accept a couple of non-payment card options, too. If a website is asking you to send money to a random PayPal address, wire it by Western Union, pay in iTunes gift cards or only deals in cryptocurrency, that should send up a red flag. The majority of the time, those methods are used to avoid scrutiny and ensure that a transaction can't be reversed. Remember, a legitimate website would have nothing to hide and likely wouldn't participate in this kind of suspicious business practice.

Check for a Digital Footprint

The beautiful thing about the internet is that nothing exists in a vacuum. Chances are other people have had experiences with this company and – good or bad – they have shared those experiences somewhere. With just a tiny bit of digging, you can probably figure out if a website is fake based on reviews alone. Google the name of the site along with "+ reviews." Check with the Better Business Bureau, or one of the myriad scam sites that exist to protect consumers. Just look a little. The internet may not be the best at telling you whether something is good, but it can definitely tell you when something is bad. And all it takes to find out is about three minutes and Google.

Where to Report Fake or Fraudulent Websites

We encourage you to report fake websites. It's good for the internet, it's good for your inner chi and if you're petty—it gives you that good tingly feeling. Here's where to report malicious websites:

  • Google – Safe Browsing
  • Mozilla – Protect the Fox

Microsoft gives its users an opportunity to report malicious sites within its browsers. To do this go to the Tools/Safety menu, select Phishing Filter/SmartScreen Filter and click "Report Unsafe Website."

A Final Word

It's possible that after reading this guide you're feeling a little uneasy. That's not the point we were trying to make. The internet is an amazing place and you can use it for a countless number of worthwhile activities. But, much like anything else in life, there are some dangers. Don't let that dissuade you; as long as you stay vigilant you're not likely to run into many problems.

Just stay on the beaten path, trust websites that have made an investment in authentication and be careful if you ever get the sense that something might be off.


Re-Hashed is a regular weekend feature at Hashed Out where we dust off one of our favorite posts from yesteryear, give it a little love and share it with you once again. Today we discuss a topic that's relevant to everyone: web safety. This article has been updated to reflect the current security climate in 2018.

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.


Source: https://www.thesslstore.com/blog/5-ways-to-determine-if-a-website-is-fake-fraudulent-or-a-scam/
