How to check Authenticity of a website?

Friday, June 28, 2013

We are always in a dilemma, asking ourselves whether we should hand our information to a website, or whether the site we are browsing is genuine at all. Whenever we make an online purchase, we expose sensitive information to phishing and to hackers.
It is very difficult to tell a phishing or fake website from a genuine one. Many of us fall prey to tech-savvy spammers and hackers and end up losing valuable information and bank account details, and eventually money.
If there's one thing that cyber criminals excel at, it's instilling a false sense of trust by taking advantage of our familiarity with current events and playing off mental triggers, such as our feelings of sympathy. We call this "social engineering," and it's a key trait in one of the most popular online scams: phishing emails that link to fake websites.

Check the "about us" and "contact" information: 
Does the site include a postal address and a land-line telephone number as well as an email contact? It has been a legal requirement since 2007 for registered companies to provide a mailing address. 
Does the website include meaningful "about us" information or just generalities such as who they "link with" or their outlook? This real example from a scam site provides no real facts about the "company". 
Does the site have a privacy policy? No privacy policy - avoid.
Does the site sell your data? A site may be of dubious value but operate within the law; and may sell your information such as email address to even more dubious entities. Check the privacy policy, e.g. does it refer to passing information on to third parties or other organizations.

How old is the site and where is it registered?
Find out who has registered a domain name, e.g. "amazon.com", and when, on a "WHOIS" website such as ezwhois.net. You will be presented with a long list of information, which will include many dates and addresses. The details of interest are the date the domain was first registered and the registrant's name and address. Be wary of sites that have only been registered in the past year, and of domains registered outside the country in which the website is doing business.
You also cannot be 100% certain that contact information provided by WHOIS is truthful: even if the site has not been registered with a stolen credit card, the registrant can change address details to anything they wish.
- http://www.domaintools.com/
- http://www.who.is/
- http://www.whois.net/
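As an added illustration (this code is not from the post), the Python below applies the checks just described to a WHOIS record: it pulls out the creation date and the registrant country, and warns if the domain is less than a year old, registered in a country other than the one the site trades in, or hidden behind a privacy service. The record, the registrar name and the name server are constructed; the WHOIS sites listed above return similar key: value output, but the exact key names differ from registry to registry, which is why the parser accepts several spellings.

```python
"""Added example (not the post's code): parse a WHOIS record and apply the two
checks the post recommends: a domain registered less than a year ago, or
registered in a different country from the one the site trades in.

The record is constructed. Real WHOIS output varies between registries, so the
parser accepts a few common spellings of the creation-date and country keys."""
from datetime import date, datetime

# Constructed WHOIS reply in the "Key: value" layout most registries use.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SHOP-DEALS.TEST
Registrar: Placeholder Registrar Ltd
Creation Date: 2013-03-04T10:22:00Z
Updated Date: 2013-03-04T10:22:00Z
Registry Expiry Date: 2014-03-04T10:22:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Country: PA
Name Server: NS1.FREEHOST-EXAMPLE.TEST
>>> Last update of WHOIS database: 2013-06-28T00:00:00Z <<<
"""

DATE_KEYS = ("creation date", "created", "registered on", "registration date")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")
COUNTRY_KEYS = ("registrant country", "country")


def parse_whois(text: str) -> dict:
    """Key/value lines, keys lower-cased; the first occurrence of a key wins."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(("%", "#", ">>>")):
            continue                      # comments and registry banners
        key, value = line.split(":", 1)   # only the first colon separates key from value
        fields.setdefault(key.strip().lower(), value.strip())
    return fields


def creation_date(fields: dict):
    """First parseable creation date under any of the known keys, else None."""
    for key in DATE_KEYS:
        if key in fields:
            for fmt in DATE_FORMATS:
                try:
                    return datetime.strptime(fields[key], fmt).date()
                except ValueError:
                    continue
    return None


def assess(text: str, expected_country: str, today: str) -> list:
    """Return warnings; 'today' is an ISO date so the check is reproducible."""
    fields = parse_whois(text)
    now = date.fromisoformat(today)
    warnings = []
    created = creation_date(fields)
    if created is None:
        warnings.append("no creation date found in the record")
    elif (now - created).days < 365:
        warnings.append(f"domain is only {(now - created).days} days old (created {created})")
    country = next((fields[k] for k in COUNTRY_KEYS if k in fields), None)
    if country is None:
        warnings.append("no registrant country listed")
    elif country.upper() != expected_country.upper():
        warnings.append(f"registered in {country} but the site trades in {expected_country}")
    if "privacy" in fields.get("registrant name", "").lower():
        warnings.append("registrant identity hidden behind a privacy service")
    return warnings


if __name__ == "__main__":
    # The post is dated 28 June 2013, so that date is used as 'today'.
    for warning in assess(SAMPLE_WHOIS, "IN", "2013-06-28"):
        print(warning)
```

A clean result from this script is not proof of anything, for the reason the post gives next: registrant details can be changed to whatever the registrant likes, so treat the output as one warning sign among several.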


Who hosts the website? 
Websites have to be located (hosted) on a web server. Most website owners either pay a specialist hosting company to host their site or use one of the companies offering free hosting; a blog, for example, might be hosted by Google. It is easy to obtain free hosting for a website without providing genuine registration details, and the scam site mentioned above used free hosting. Identifying who hosts a website can be difficult. You may be able to identify the host from the WHOIS information mentioned above, or by doing a "traceroute" (an article in its own right, so you will have to Google it). Some free and low-cost hosting companies ensure that their logo or a link appears at the top or bottom of a website's pages: click through to the host's site and see what sort of hosting they offer. If they do offer free or low-cost hosting, and there are already warning signs from the checks above, then steer clear. Of course legitimate start-ups, blogs and information sites do make use of free and cheap hosting, but can you be sure that such a site has sufficient assets behind it for you to be happy spending money there?

Google the website and company names: 
Try searches like "website-name scam", "website-name forum" or "company-name review" and see if there are any negative comments.
Note: large websites with lots of visitors are bound to have some unhappy customers, and scam sites may post positive comments about their own site.

"Legitimate" Sites: 
Some rip-off sites may operate within the law, and pass all the above checks e.g. they may charge something that is free but "legitimise" themselves by providing so called "services" such as "vetting your application". If you're lucky, checking the company out through Google (see above) may warn you.

Registration with official organization: 
Your country may have registration or licensing requirements for certain products or services, or there may be a respected industry association for that service. If a website claims to be covered by, or a member of, one of these, then you can often verify any member or licence number quoted on the official licensing or trade site. Don't trust the licence or membership link on the website you are checking; go direct to the official site, e.g. via a Google search. You should also Google the reputation of any trade association, as it is not unknown for dubious sites to "create their own".

What is Phishing? 
Phishing is a form of Internet fraud in which a scammer, pretending to be a legitimate person or organization, sends you an email that tries to trick you into revealing personal or financial information, such as credit card numbers, social security numbers and passwords. Phishing is one of the most common scams on the web, and cybercriminals constantly modify their attacks to include details that will make the recipient believe the scam is real.

In a phishing attempt, a cybercriminal may send you a message purportedly from your bank, asking you to confirm your account information by clicking on a link. Clicking the link may launch a Trojan (a malicious program that appears to be benign) that installs a keystroke logger on your machine; the keystroke logger then captures everything you type, including passwords. The link may instead take you to a fake bank website that asks you to enter your personal information. To the untrained eye the fake site looks identical to the bank's real homepage, because the scammer has copied files from the real site. However, when you attempt to log in to your account, the site asks for information that the real site never would: not only your name and address, but also your account number, password, the last eight digits of your debit card number and your ATM PIN.

Another common phishing trick is to erect fake sites at commonly misspelled addresses in the hope of catching unsuspecting web surfers. Mistyping a web address can lead you to these fake sites, which is not uncommon for people who regularly surf the Internet. Setting up fake sites at such misspelled addresses is called typo squatting, and like most cyber tricks it is designed to get your information and your money.

India is at tenth place when it comes to hosting phishing sites, with the US and China biting the phishing bait more often. The United States remains at the top with 28.78% of all phishing sites located out of the United States and 11.96% out of China. Korea, Germany, Australia, Canada, Japan, United Kingdom, Italy and India are the other countries where phishing attacks are prevalent. As of now, 2.11% of the phishing sites are located in India. Singh says, "India is on the threshold of having more and more people getting into online banking or taking online personal loans. So, it won't be a surprise if someday someone tells me that out of the total size of frauds happening - India would be at 1% or 2% - but even that would be Rs 200 crore."
  
Recognizing Phishing and Fake Websites: 
The good news is that you can avoid scams by looking for telltale signs that indicate when a site is fake or an email is phishy. The next time you are not completely confident that you are on a legitimate website or that an email you received is valid, check for these signs:

Uses an incorrect URL: 
If you are used to going to your bank via a regular address and the address of the site you land at is not the same name, you can be confident that you are not at the real site. Always double check to make sure that the site address is accurate. You can also hover your mouse pointer over a link in the email to verify that the link is directed to the same site that the email came from.

Asks for banking information: 
A real bank would never ask for your bank account information or your debit card and PIN numbers via email. Be wary of any email or site that asks for sensitive information (such as your social security number) that is beyond your standard login.

Uses a public Internet account: 
Before you click on any link sent to you by email, take a look at the sender’s email address. If the email is from a public account, but claims to be from your bank or other business, do not trust the email. Moreover, do not trust any email or website that asks you to “confirm” sensitive account information, because this is surely a scam. You should also make sure that any email claiming to be from your bank includes your given name in the message, such as “Dear Amitava Nandy,” instead of “Dear Valued Customer.” Real banks address messages to you by name as a way of confirming your relationship.
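The two checks above, the link target and the sender's address, can be made mechanical. The Python below is an added example written for this post, not the author's code: it parses a constructed email, takes the hostname a browser would actually connect to for each link (which is not always the first thing you read in the address), reduces it to the domain a registrant actually owns, and compares that with the domain the message claims to be from; it also flags a sender at a public webmail provider. The two-level-suffix set and the webmail-provider set are short stand-ins I assumed for this example, not the real Public Suffix List.

```python
"""Added example for this post (not the author's code): check the sender address
and every link in a suspected phishing email against the domain the message
claims to come from.

Assumptions: TWO_LEVEL_SUFFIXES and PUBLIC_MAIL_PROVIDERS are short stand-ins
for the real Public Suffix List and a real list of webmail providers."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

TWO_LEVEL_SUFFIXES = {"co.uk", "co.in", "com.au", "co.jp"}                        # constructed subset
PUBLIC_MAIL_PROVIDERS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}  # constructed subset
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """The part of a hostname a registrant actually owns: 'secure.login.bank.example'
    -> 'bank.example', 'a.bank.co.uk' -> 'bank.co.uk'. Everything to the left is the
    owner's to choose, which is why 'bank.example.evil.test' belongs to evil.test."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_host(url: str) -> str:
    """Hostname the browser will connect to. urlparse().hostname drops the port and
    any 'user@' prefix, so the text before an '@' in a link is not the destination."""
    return (urlparse(url).hostname or "").lower()


def check_sender(from_header: str, expected_domain: str) -> list[str]:
    """Flag a webmail sender, or a sender whose domain is not the expected one."""
    _, address = parseaddr(from_header)
    sender_domain = address.rsplit("@", 1)[-1].lower()
    if sender_domain in PUBLIC_MAIL_PROVIDERS:
        return [f"sender uses a public mail provider: {address}"]
    if registrable_domain(sender_domain) != expected_domain:
        return [f"sender domain {sender_domain} is not {expected_domain}"]
    return []


def check_links(body: str, expected_domain: str) -> list[str]:
    """One finding per link that does not lead to the expected domain over https."""
    findings = []
    for url in URL_RE.findall(body):
        host = link_host(url)
        if not host:
            findings.append(f"unparseable link: {url}")
        elif IPV4_RE.fullmatch(host):
            findings.append(f"link to a raw IP address: {url}")
        elif registrable_domain(host) != expected_domain:
            findings.append(f"link host {host} is not under {expected_domain}: {url}")
        elif urlparse(url).scheme != "https":
            findings.append(f"plain http link to {host}: {url}")
    return findings


def analyse(from_header: str, body: str, expected_domain: str) -> list[str]:
    return check_sender(from_header, expected_domain) + check_links(body, expected_domain)


# Constructed sample message: a webmail sender and two look-alike links.
SAMPLE_FROM = "Example Bank Security <alerts.example-bank@gmail.com>"
SAMPLE_BODY = """Dear Valued Customer,
Please confirm your account at https://www.example-bank.com.login-verify.test/confirm
or use the secure portal https://www.example-bank.com@198.51.100.23/portal
Questions? Visit https://help.example-bank.com/contact
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_FROM, SAMPLE_BODY, "example-bank.com"):
        print(finding)
```

Run against the sample, only the third link (help.example-bank.com) passes; the first is a subdomain of a different registrable domain and the second connects to a raw IP address regardless of the bank name that precedes the "@". The same comparison is what you are doing by eye when you hover over a link and read the address from the right-hand end.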

Includes misspelled words: 
If a bank asks you to log in to your "acccount," this is a pretty good clue that you've stumbled upon a phishing email or fake website. Real companies have staff checking the accuracy of emails and websites, and a mistake like this would be caught before it was sent or published. If you see a misspelling or a misuse of the company name, look for other mistakes and clues to confirm your suspicions, and don't enter any of your personal information on the site.

Is not a secure site: 
Legitimate e-commerce sites use encryption, or scrambling, to help ensure that your payment information remains safe. You can see if a site uses encryption by looking for a lock symbol in the browser window. Clicking on the lock symbol allows you to verify that a security certificate was issued to that site, a sign that it's a legitimate, trusted website. You should also check that the address starts with "https://" rather than just "http://". Do not enter payment information on any site that isn't secure.
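The padlock is the browser's verdict on one question: does the hostname in the address bar match one of the names in the site's certificate? This added Python example (not from the post) reproduces that matching rule on constructed Subject Alternative Name lists, so you can see what the lock proves and what it does not: a certificate properly issued for a look-alike domain produces a padlock too, so the lock confirms the name you are connected to, and you still have to confirm that this name is the site you meant to visit. Expiry, chain and revocation checks are assumed to have passed already.

```python
"""Added example (not from the post): the hostname rule behind the browser padlock.
A certificate matches when the address-bar hostname equals one of its Subject
Alternative Names, with a wildcard honoured only as the whole leftmost label.
SAN lists below are constructed; expiry, chain and revocation checks are assumed
to have passed already."""


def _name_matches(san: str, hostname: str) -> bool:
    pat = san.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host):
        return False            # '*.example.com' covers neither 'example.com' nor 'a.b.example.com'
    if any("*" in label for label in pat[1:]):
        return False            # a wildcard is only allowed in the leftmost label
    if pat[0] == "*":
        return len(pat) >= 3 and pat[1:] == host[1:]   # '*.com' would cover every .com site; refuse
    if "*" in pat[0]:
        return False            # partial wildcards such as 'b*nk' are not honoured
    return pat == host


def hostname_matches(san_names, hostname: str) -> bool:
    """True if the padlock would be shown for this hostname with this certificate."""
    return any(_name_matches(san, hostname) for san in san_names)


def padlock_verdict(san_names, hostname: str, expected_domain: str) -> dict:
    """Two separate questions. The first is what the padlock checks; the second is
    what only the user can check: is the address bar the site you meant to visit?"""
    host = hostname.lower().rstrip(".")
    return {
        "cert_matches_address": hostname_matches(san_names, hostname),
        "address_is_expected_site": host == expected_domain or host.endswith("." + expected_domain),
    }


# Constructed certificates: the real bank's, and one properly issued to a look-alike name.
BANK_CERT_SANS = ["www.example-bank.com", "*.example-bank.com"]
LOOKALIKE_CERT_SANS = ["example-bank.com.login-verify.test"]

if __name__ == "__main__":
    print(padlock_verdict(BANK_CERT_SANS, "login.example-bank.com", "example-bank.com"))
    print(padlock_verdict(LOOKALIKE_CERT_SANS, "example-bank.com.login-verify.test", "example-bank.com"))
```

The second verdict is the instructive one: the certificate matches the address, the lock appears, and the address is still not the bank. Reading the lock as "legitimate, trusted website" therefore only holds once the address itself has been checked by the methods earlier in this post.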

Displays low resolution images:
Spammers usually erect fake sites quickly, and this shows in the quality of the sites. If the logo or text appears in poor resolution, this is an important clue that the site could be phony. 

Use technology to protect you: 
Comprehensive security software with anti-phishing technologies, like McAfee Security Center, available pre-loaded on Dell™ PCs, can help protect you. Just make sure that your software is up to date with the latest security protections by enabling automatic updates or clicking the “update” button on your security software control panel.

Report anything you think is suspicious: 
If you do come across what looks to be a phishing attempt, help yourself and others by reporting it. Many people fall victim to scams and phishing, so please help them and give a little of your valuable time. You can forward phishing emails to the Federal Trade Commission (FTC) at spam@uce.gov, or report phishing scams to the Anti-Phishing Working Group at reportphishing@antiphishing.org or to the Internet Crime Complaint Centre. You can also lodge a complaint with the consumer forum and the cybercrime authorities. Although phishing is prevalent, awareness and the right precautions will go a long way in keeping you safe.

Practice smart surfing: 
When on the web, make sure that the website you’re visiting is secure before you enter any information. If you have any doubts, enter a fake password, since phony sites will accept false information. To better protect yourself, you may also want to use a search engine to help you navigate since they can catch misspellings and prevent you from landing on fake websites. Also, use a search tool such as McAfee® SiteAdvisor®, which indicates in your search results whether sites are safe or not.

We are victimized because we are ignorant and casual in our approach. We don't cross-check, either because we are short of time or because we are lazy. Most of the issues can be identified if we Google them. It has solved many of my problems, and Google is a Bible for me.

Looking forward to your comments and valuable suggestions.
