Despite billions of dollars being invested in cybersecurity technologies, the use of look-alike domains and counterfeit websites to trick people with phishing scams is on the rise. 🤷♂️
This post should reduce the risk of anyone falling for a phishing scam.
Don’t Rely on the Browser Padlock for Trust
Make sure every e-commerce website you use starts with https. This means the connection between your computer and the website is encrypted and therefore private. BUT, it does not mean you can trust the website or the website owner.
For years people were told to look for the browser padlock when shopping online or when accessing online banking. This was good advice back then. But today, the padlock provides people with a false sense of security because the vast majority of phishing sites use a Domain Validated (DV) certificate.
Some browsers no longer display a padlock. They prefer not to tell you when a site uses encryption and instead, tell you when a site doesn't - with a warning message that says "Not Secure".
Scammers know that this warning will alert consumers to the fact that it's not likely to be the legitimate brand they think it is. So they use an SSL certificate to make sure consumers don't notice the look-alike domain name, masquerading as a legitimate brand.
MetaCert, a security firm where I'm CEO, has classified an enormous number of phishing URLs - thanks to our own tools, team and 5k strong cryptocurrency community, who report suspicious links to us every day. According to MetaCert data, over 95% of all new phishing scams start with https.
SSL certificates have been automatically issued with zero ID checks for free for some time now. So there is no barrier to market for criminals to obtain https. So, please ignore the padlock for the purpose of "trust".
Use a Credit Card
No website is hack-proof. And new sophisticated phishing scams discovered in 2019 now use a reverse-proxy. This makes it easy for criminals to steal everything you type into a legitimate website, bypassing 2FA. Yes, it's possible to interact with a legitimate website with 2FA and still fall for a phishing scam.
So you need to also check the URL to make sure it's not a phishing domain. This alone is difficult to do because many phishing URLs are difficult to spot. And it's mathematically impossible for any security system to detect every new malicious URL.
It takes PhishTank, Google Safe Browser API and other blacklists at least a couple of days to detect, validate and classify new phishing scams. By then, most of the damage has already been done.
Your credit card company will have your bank and make sure you are covered with insurance. The same might be said for your debit card, but it's best to avoid waking up to an empty bank account.
Know your Merchant
If you're unsure about a particular website that you haven't heard of before, please make sure to do research before clicking the 'buy' button.
This is especially important when clicking on ads inside Facebook or other social media websites. It even goes for sponsored ads on Twitter - they're not verified by Twitter.
You can check to see when a domain name was registered and by whom at whois.com - if it was registered recently you might want to avoid buying from them. If they have made all of their contact information private, reconsider your purchasing decisions.
Check Shipping and Returns Policies
I've come across companies that sell products at a loss but more than make up for it with extremely high shipping costs, which are difficult to notice until it's too late. Also check to see if they have a returns policy that you're happy with.
Check your Account frequently
Be sure to check your credit card statements every week to make sure there's no fraud.
Be safe and have fun over the holiday season! 🔒
Disclaimer: The Author is the CEO at MetaCert