How to tell if a website is safe
We all use the internet for a variety of reasons; we stay in touch with our friends and family using social media and shopping online is easier than ever. But it’s important to remain vigilant when a website requires your personal details to complete a transaction (e.g. if you need to register your contact and payment details).
Here are our top tips for keeping your details safe online:
1) HTTPS
The simplest way to check if a website is safe is to check that the site URL begins with HTTPS, e.g. https://www.google.com.
HTTP is the underlying protocol for the World Wide Web. The ‘s’ stands for ‘secure’ and means that communication between your device and the server is encrypted. If you choose to continue to a site without a secure HTTPS connection, do not input any personal information.
When a website is encrypted, the data is scrambled between the website and the reader, and a digital key is used to unscramble that data when it is received. This prevents the data being read if it is intercepted between the sender and recipient.
On most browsers a secure website is indicated by a padlock icon before or after the website URL. An unsecured website is indicated by an unlocked padlock before or after the website URL.
Examples of padlock symbol in Chrome, Edge and Internet Explorer
However, fake websites can also have secure encryption, so this should not be the only check you perform before entering your personal details into a website.
2) Use your browser’s safety tools
Most browsers have inbuilt tools to protect their users from harm. Google Chrome, Microsoft Edge, Microsoft Internet Explorer, Firefox and Safari all have privacy options located in settings.
It’s good practice to get to know the privacy settings for a browser and to learn what messages appear if unsafe sites are found. Find the information and options for your specific browser in the help section within the browser menu.
Browser privacy options available include: sending ‘do not track’ requests to websites (which prevents websites from tracking your activity); disabling Adobe Flash (a multimedia player); and controlling which sites can access your webcam and microphone.
Here are a few examples of how privacy settings appear on different browsers:
3) Check if the website is safe
If you are using a website for the first time, you may not be familiar with some of its features. If you aren’t sure how trustworthy a website is, you can test it before entering any personal details (especially payment card information) by using a trusted ‘safe browsing’ website.
Google’s safe browsing checker is one such website and is a useful tool to bookmark in your browser for quick access. Safe browsing websites can identify which websites may not be secure. VirusTotal also has a similar tool.
4) Check the links
When the mouse cursor hovers over a link in a webpage, information about where that link leads will show in very small print in the bottom-left of the browser window for most browsers. However, phishing/spoof sites will often use similar-looking links to trick the user into handing over their personal details.
For example, PayPal, a trusted online payments system, is used by many people when making a purchase online. Lots of websites give users the option to check out using PayPal, rather than entering card details directly into the website as a payment method.
Scammers have found ways to take advantage of the trustworthy status held by PayPal, by inserting links to fake PayPal login websites, as shown in the image examples below:
To the untrained eye, this login page is entirely convincing and looks like the real deal. But if you compare this to the genuine login page you can see the lock in the left corner of the URL bar, which signifies that the website is encrypted:
The button below appears to be a legitimate link to check out with PayPal, but if you hover your mouse over the button you will see that the button is not in fact connected to PayPal at all:
After following a link, check the URL is still pointing to the site you navigated from and hasn’t redirected you to another site.
The SSL Store has a useful guide to spotting fake websites.
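The hover check and the after-the-click check described above can be written as one small function. This is an added example, not part of the original guide; the function name checkLink and every hostname other than paypal.com are constructed for illustration.

```javascript
// Decide whether a link (or the address you ended up on after clicking)
// really belongs to the site you expect, e.g. "paypal.com".
function checkLink(href, expectedDomain) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { ok: false, code: 'invalid' };      // not an absolute URL
  }
  if (url.protocol !== 'https:') {
    return { ok: false, code: 'not-https' };    // connection is not encrypted
  }
  // "https://www.paypal.com@other.example/" goes to other.example:
  // everything before the @ is a user name, not the site.
  if (url.username || url.password) {
    return { ok: false, code: 'userinfo' };
  }
  const host = url.hostname.replace(/\.$/, ''); // drop a trailing dot
  const expected = expectedDomain.toLowerCase();
  // Safe only if the host IS the expected domain or a subdomain of it.
  if (host === expected || host.endsWith('.' + expected)) {
    return { ok: true, code: 'match' };
  }
  // Look-alike letters from other alphabets are converted by the URL
  // parser to labels that start with "xn--".
  if (host.split('.').some((label) => label.startsWith('xn--'))) {
    return { ok: false, code: 'lookalike-characters' };
  }
  // The brand appears in the address, but the site is someone else's.
  if (host.includes(expected.split('.')[0])) {
    return { ok: false, code: 'brand-in-other-domain' };
  }
  return { ok: false, code: 'different-site' };
}

// Constructed sample links, as they might appear behind a "Pay with PayPal" button.
const samples = [
  'https://www.paypal.com/signin',
  'https://paypal.com.account-check.example.net/signin',
  'https://www.paypal.com@login.example.net/',
  'http://www.paypal.com/',
  'https://p\u0430ypal.com/',                   // Cyrillic "а" in place of Latin "a"
];
for (const s of samples) {
  console.log(checkLink(s, 'paypal.com').code.padEnd(22), s);
}
```

Only the first sample passes; the others fail for the reason shown in the first column.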
5) Privacy Policy/Privacy Notice
Check if the site has a privacy policy or privacy notice. Do you know what the company intends to do with your data?
Under the GDPR, it is a legal requirement for a business to make sure its online users are aware of the way their personal data is being used.
A privacy notice should include the following information:
- Contact details for the person responsible for data
- What personal data is kept
- Why it is being stored
- How long the company will keep the information
- What legal basis the company has to use the data
When entering a website, you are usually asked to accept a ‘cookies policy’. Cookies are small data files which are saved on a user’s computer and give the website information each time it is visited. From knowing whether a user is logged in to a website to how many times the user has previously visited, this information is stored as ‘cookies’.
More information about cookies and how they work can be found on BBC Webwise.
6) ‘Trust’ Badges
Trust badges are images which often appear on websites, usually at the bottom of a page, as an indication of site security. With so many different schemes in place it’s difficult to ensure the trust badges are legitimate.
Many of the genuine schemes will have links attached to their badge, which will go to an explanation of their trust scheme. However, in most cases, trust badges are not to be trusted! As above, you should ‘hover’ over an image of a trust badge placed on a website to see if the link leads anywhere. Be aware that images of trust badges are the same pictures whether or not they are fake.
7) Company details
Is there a contact address and phone number?
Does the company operate out of legitimate premises?
And can they be contacted by phone or do they mysteriously live in cyberspace with only an email address for contact?
If the website lacks contact details, be aware. The site could still be genuine, but if you have any complaints about the website/service you receive then it can be difficult to resolve an issue without a point of contact.
8) Web security tools
Many of the popular antivirus packages offer add-ons to protect web browsing and online purchases by using tools such as real-time scanning for malicious code, warnings about reported fake sites and password managers. These can automatically alert a user if sites are detected which are not as they may first appear.
9) Complex passwords
Whilst it might be easier to use the same simple password for your online accounts, it also makes it easier for hackers to gain access to your accounts! Try to use more complex passwords and don’t use the same password for multiple sites. If remembering different passwords is difficult, use a password manager such as LastPass, which can store your passwords. Password managers can also help generate complex passwords and will autofill usernames and passwords for you when visiting a site.
10) Install an ad blocker
Prevent unwanted pop-ups, background ads and on-site ads with an ad blocker such as AdBlock or UBlock.
These are free and can be easily added as browser extensions. They can prevent navigation to an untrusted site through accidentally clicking an ad. You can disable the ad blocker on trusted sites if you wish.
11) Check if you are a victim
http://haveibeenpwned.com is a free website which can check if your data has been leaked in any known data breaches.
Google has also recently added a real-time checker which automatically alerts a user if the username and password being used on a website have appeared in a data breach. Information about this feature is found at https://security.googleblog.com/2019/12/better-password-protections-in-chrome.html
If you think your data has been breached, get in touch with our team.