https

HTTPS doesn’t mean safe

Many people assume that an HTTPS connection means that the site is secure. In fact, HTTPS is increasingly being used by malicious sites, especially phishing ones.

Let’s be honest, when most people see a little green lock with the word “Secure” to the left of a URL, they think the site is safe. Ditto for spotting the words “this site uses a secure connection” or a URL beginning with the letters “https.” More and more sites these days are switching to HTTPS. Most have no choice, in fact. So what’s the problem? The more secure sites there are, the better — right?

We’re about to let you in on a little secret: Those “Secure” symbols don’t guarantee a website is safe from all threats. A phishing site, for example, can legitimately display that comforting green lock next to its https address. So, what’s going on? Let’s find out.

A secure connection does not mean a secure site

The green lock means that the site has been issued a certificate and that a pair of cryptographic keys has been generated for it. Such sites encrypt information transmitted between you and the site. In this case, the page URLs begin with HTTPS, with the last “S” standing for “Secure.”

Sure, encrypting transmitted data is a good thing. It means that information exchanged between your browser and the site is not accessible to third parties—ISPs, network administrators, intruders, and so on. It lets you enter passwords or credit card details without worrying about prying eyes.

But the problem is that the green lock and the issued certificate say nothing about the site itself. A phishing page can just as readily get a certificate and encrypt all traffic that flows between you and it.

Read also:  The Importance of Online Privacy in Protecting Against Fraud

Put simply, all a green lock ensures is that no one else can spy on the data you enter. But your password can still be stolen by the site itself, if it’s fake.

Phishers make active use of this: According to Phishlabs, a quarter of all phishing attacks today are carried out on HTTPS sites (two years ago it was less than 1 percent). Moreover, more than 80 percent of users believe that the mere presence of a little green lock and the word “Secure” next to the URL means the site is safe, and they don’t think too hard before entering their data.

What if the lock isn’t green?

If the address bar shows no lock at all, that means the website does not use encryption, exchanging information with your browser using standard HTTP. Google Chrome has started tagging such websites as insecure. They might in fact be squeaky clean, but they don’t encrypt traffic between you and the server. Most website owners don’t want Google to label their websites as unsafe, so more and more are migrating to HTTPS. In any case, entering sensitive data on an HTTP site is a bad idea — anyone can spy on it.

The second variant you might see is a lock icon crisscrossed with red lines and the HTTPS letters marked in red. That means the website has a certificate, but the certificate is unverified or out of date. That is, the connection between you and the server is encrypted, but no one can guarantee that the domain really belongs to the company indicated on the site. This is the most suspicious scenario; usually such certificates are used for test purposes only.

Read also:  Tech Support Scams: What are They and How do I Stay Safe?

Alternatively, if the certificate has expired and the owner has not gotten around to renewing it, browsers will tag the page as unsafe, but more visibly, by displaying a red lock warning. In either case, take the red as the warning it is and avoid those sites — never mind entering any personal data on them.

How not to fall for the bait

To sum up, the presence of a certificate and the green lock means only that the data transmitted between you and the site is encrypted, and that the certificate was issued by a trusted certificate authority. But it doesn’t prevent an HTTPS site from being malicious, a fact that is most skillfully manipulated by phishing scammers.

So always be alert, no matter how safe the site seems at first glance.

  • Never enter logins, passwords, banking credentials, or any other personal information on the site unless you are sure of its authenticity. To do so, always check the domain name — and very carefully; the name of a fake site might differ by only one character. And ensure links are reliable before clicking.
  • Always consider what a particular site is offering, whether it looks suspicious, and whether you really need to register on it.
  • Make sure your devices are well protected: Kaspersky Internet Security checks URLs against an extensive database of phishing sites, and it detects scams regardless of how “safe” the resource looks.

Article Source: kaspersky.com

Website Fraud Risk Assessment

In the digital era, securing your finances against online fraud is paramount. Before making any financial transactions on a website or platform, it's important to verify its credibility and legitimacy.
To begin, you can check if the website you're considering appears on our public database of known scam sites by clicking "View Scam Sites" below. This database is regularly updated and maintained by our team.
Alternatively, you can click "Submit a Request" below to complete a form and request an evaluation from our team of experts. We will conduct a comprehensive assessment to determine if the website is legitimate, checking for any scams, fraud, or illegal activities.
Don't take any unnecessary risks with your finances - take action today and submit a request or view our list of scam sites.

Submit a Request View Scam Sites