How to check Authenticity of a website?
We
are always in dilemma and often question ourselves whether we should provide
the information in the website or the site we are browsing or surfing is
genuine. Whenever we are making online purchase, we are exposing our secure information
to phishing or hackers.
It
is very difficult to figure out the differences between a phishing or fake
website and genuine one. Many of us fall prey to the techy spammers/hackers and
end up losing valuable information’s, bank account details and eventually
losing money.
If
there’s one thing that cyber criminals excel at, it’s instilling a false sense
of trust by taking advantage of our familiarity with current events and playing
off mental triggers, such as our feelings of sympathy. We call this “social
engineering,” and it’s a key trait in one of the most popular online scams:
phishing emails that link to fake websites.
Check the "about us" and
"contact" information:
Does the
site include a postal address and a land-line telephone
number as well as an email contact? It has been a legal requirement since
2007 for registered companies to provide a mailing address.
Does the
website include meaningful "about us" information or just
generalities such as who they "link with" or their outlook? This real
example from a scam site provides no real facts about the
"company".
Does the
site have a privacy policy? No privacy policy - avoid.
Does the
site sell your data? A site may be of dubious value but operate within the
law; and may sell your information such as email address to even more dubious
entities. Check the privacy policy, e.g. does it refer to passing information
on to third parties or other organizations.
How old is the site and where is it registered?
Find
out who has registered a domain name e.g. "amazon.com", and when, on
a "WHOIS" website such as ezwhois.net. You will be
presented with a long list of information, which will include many dates and
addresses. The information of interest is the date the domain was first registered
and registrant name and address. Be wary of sites that have only been
registered in the past year, and of domains registered outside the country in
which the website is doing business
You
also cannot be 100% certain that contact information provided by WHOIS is
truthful: even if the site has not been registered with a stolen credit card,
the registrant can change address details to anything they wish.
Who hosts the website?
Web-sites
have to be located (hosted) on a web-server. Most web-site owners either pay
specialist hosting companies to host their site or use of a companies offering
free hosting. For example - blog might be hosted by Google. It is easy to
obtain free hosting for a website without providing genuine registration
details. The scam site mentioned above used free hosting. Identifying who hosts
a website can be difficult. You may be able to identify the host in the WHOIS
info, mentioned above, or by doing a "traceroute" - an article in its
own right so you'll have to Google it. Some free and low cost hosting
companies ensure their logo or link appears at the top or bottom of a website's
pages: Click through to the host's site and see what sort of hosting they
offer. If they do offer free or low cost hosting, and there are already warning
signs from the checks above, then steer clear. Of course legitimate start-ups,
blogs and information sites do make use of free and cheap hosting, but can you
be sure that such a site has sufficient assets behind it for you to be happy
spending money there?
Google the website and company names:
Try
searches like "website-name scam", "website-name forum"
or "company-name review" and see if there are any negative
comments.
Note:
large websites with lots of visitors are bound to have some unhappy customers,
and scam sites may post positive comments about their own site.
"Legitimate" Sites:
Some rip-off
sites may operate within the law, and pass all the above checks e.g. they
may charge something that is free but "legitimise" themselves by
providing so called "services" such as "vetting your
application". If you're lucky, checking the company out through Google
(see above) may warn you.
Registration with official organization:
Your
country may have registration/licensing requirements for certain
products/services, or there may be a respected industry association for that
service. If a website claims to be covered by, or a member of, one of these;
then you can often verify any member/licence number quoted on the official
licencing/trade site. Don't trust the licence/member link on the website you
are checking, but go direct to it e.g. via a google link. You should also
google the reputation of any trade association, as it is not unknown for
dubious sites to "create their own".
What is Phishing?
Phishing
is a form of Internet fraud where a scammer, pretending to be a legitimate
person or organization, sends you an email that tries to trick you into
revealing personal or financial information, such as credit card numbers,
social security numbers, and passwords. Phishing is one of the most common
scams on the web and cybercriminals are constantly modifying their attacks to
include details that will make the recipient believe the scam is real. In a
phishing attempt, a cybercriminal may send you a message purportedly from your
bank, asking you to confirm your account information by clicking on a link.
Once you click on the link, it launches a Trojan (a malicious program that
appears to be benign) that installs a keystroke logger on your machine. This
keystroke logger then captures everything you type, including passwords.The
link may also take you to a fake bank website that asks you to enter your
personal information. To the untrained eye, the fake site looks identical to
the bank’s real homepage because the scammer has copied files from the real
site. However, when you attempt to log in to your account, the site asks for
information that the real site never would. It may ask not only for your name
and address, but also your account number, password, the last eight digits of
your debit card number, and your ATM PIN. Another common phishing trick that
hackers use is erecting fake sites at commonly misspelled addresses in the hope
of catching unsuspecting web surfers. Mistyping a webpage address can lead you
to these fake sites, an occurrence that’s not uncommon for people who regularly
surf the Internet. Creating fake sites is called typo squatting, and like most
cyber tricks it’s designed to get your information and your money. India is at
tenth place when it comes to hosting phishing sites with the US and China
biting the phishing bait more often. The United States remains at the top
with 28.78% of all phishing sites located out of the United States and
11.96% out of China. Korea, Germany, Australia, Canada, Japan, United Kingdom,
Italy and India are the other countries where phishing attacks are
prevalent. As of now,
2.11%
of the phishing sites are located in India. Singh says, 'India on the threshold
of having more and more people getting into online banking or taking online
personal loans. So, it won't be a surprise if someday someone tells me that out
of the total size of frauds happening - India would be at 1% or 2% - but even
that would be Rs 200 crore.”
Recognizing Phishing and Fake Websites:
The
good news is that you can avoid scams by looking for telltale signs that
indicate when a site is fake or an email is phishy. The next time you are not
completely confident that you are on a legitimate website or that an email you
received is valid, check for these signs:
Uses an incorrect URL:
If
you are used to going to your bank via a regular address and the address of the
site you land at is not the same name, you can be confident that you are not at
the real site. Always double check to make sure that the site address is
accurate. You can also hover your mouse pointer over a link in the email to
verify that the link is directed to the same site that the email came from.
Asks for banking information:
A
real bank would never ask for your bank account information or your debit card
and PIN numbers via email. Be wary of any email or site that asks for sensitive
information (such as your social security number) that is beyond your standard
login.
Uses a public Internet account:
Before
you click on any link sent to you by email, take a look at the sender’s email
address. If the email is from a public account, but claims to be from your bank
or other business, do not trust the email. Moreover, do not trust any
email or website that asks you to “confirm” sensitive account information,
because this is surely a scam. You should also make sure that any email
claiming to be from your bank includes your given name in the message,
such as “Dear Amitava Nandy,” instead of “Dear Valued Customer.” Real banks
address messages to you by name as a way of confirming your relationship.
Includes misspelled
words:
If
a bank asks you to log in to your “acccount,” this is pretty good clue that you've stumbled
upon a phishing email or fake website. Real companies have staff checking the
accuracy of emails and website, and a mistake like this would be caught before
it was sent or published. If you see a misspelling or a misuse of the company
name, look for other mistakes and clues to confirm your suspicions—and don’t
enter any of your personal information on the site.
Is not a secure
site:
Legitimate
e-commerce sites use encryption, or scrambling, to help insure that your
payment information remains safe. You can see if a site uses encryption by
looking for a lock symbol in the browser window. Clicking on the lock
symbol allows you to verify that a security certificate was issued to that
site, a sign that it’s a legitimate, trusted website. You should also
check that the address starts with “https://” rather than just “http://”. Do
not enter payment information on any site that isn’t secure.
Displays low
resolution images:
Spammers usually
erect fake sites quickly, and this shows in the quality of the sites. If the
logo or text appears in poor resolution, this is an important clue that the
site could be phony.
Use technology to
protect you:
Comprehensive
security software with anti-phishing technologies, like McAfee Security Center,
available pre-loaded on Dell™ PCs, can help protect you. Just make sure that
your software is up to date with the latest security protections by enabling
automatic updates or clicking the “update” button on your security software
control panel.
Report anything
you think is suspicious;
If
you do come across what looks to be a phishing attempt, help yourself and
others by reporting it. There are many who are victim of scam/phishing so
please help them and give your valuable time. You can forward phishing emails
to the Federal Trade Commission (FTC) at spam@uce.gov or report
phishing scams to the Anti-Phishing Working Group at reportphishing@antiphishing.org or
at Internet Crime Complaint Centre. You can also lodge a complaint at consumer
forum and cybercrime. Although phishing is prevalent, awareness and the right
precautions will go a long way in keeping you safe.
Practice smart
surfing:
When
on the web, make sure that the website you’re visiting is secure before you
enter any information. If you have any doubts, enter a fake password, since
phony sites will accept false information. To better protect yourself, you may
also want to use a search engine to help you navigate since they can catch
misspellings and prevent you from landing on fake websites. Also, use a search
tool such as McAfee® SiteAdvisor®, which indicates in your search results
whether sites are safe or not.
- http://www.complaints-india.com/Online-Scam-Complaints/Phishing-Scams/
- http://www.consumercomplaints.in/new_complaint/
We are victimized coz we are ignorant and casual in our approach. We don’t cross check either due to crunch of time or we are lazy. Most of the issues can be identified if we Google it. It had solved many of my problems and Google is a Bible for me.
Looking forward for comments and valuable suggestions
No comments:
Post a Comment