Why a padlock doesn’t mean a site is safe

I’ve always advised that one of the checks you can do to determine whether a website is genuine – and not put up by scammers whose sole intention is to steal your private information or your actual hard-earned cash – is to look for the green padlock symbol next to the web address in the bar at the top of your browser window. However, it’s with regret that I report this is no longer a good indication of a legitimate site, because – guess what? – scammers are increasingly using the padlock too.

Checking for the padlock was once a good way to reassure yourself about the security of a site, but unfortunately that’s no longer the case. In fact, the cybersecurity researchers at PhishLabs, who spend their days tracking illegal online activity, say that in 2018 almost 50% of fraudulent websites displayed the padlock, thus suggesting that they were safe when they were not.

In fact, somewhat ironically, if you were to enter your credit card number into one of these fraudulent sites, it would probably be very safe on its journey there. That’s because the padlock means the site sends information over an encrypted connection, so if you put in your passwords or security question information, only the cybercriminals who run the site would be able to see them. OK, perhaps that’s better than the whole Internet being privy to the name of your first pet, but it’s hardly ideal…

So how has this security lapse come about? Without going into the technicalities, the security certificates that enable a website owner to use the padlock symbol can now be created easily and cheaply – and the scammers know that. Sadly, the same also goes for the https prefix on web addresses. This signals that any data you enter will be encrypted on its way to the site, but it doesn’t guarantee that the data will go to good people.

So what can you do to check if a website is genuine? Well, if you haven’t used a particular site before, especially if you’re a new customer and haven’t made a purchase from it previously, spend a few minutes looking around. Read the About section, check the outbound links work and, if it’s a retail site, familiarise yourself with the Delivery and Returns pages, in order to get a sense of whether the information you would expect to be there is actually there and to see if it feels right.

As I’ve said many times, poor grammar and spelling are also giveaways. Even major organisations and big-name brands can make the odd slip-up (when I come across these I do, I admit, have a tendency to email them enumerating their errors), but if there are persistent mistakes, a site is badly designed and doesn’t hang together, or a logo is off, then it may not be genuine and it’s not worth taking the risk.

Obviously reviews can be and are faked – this is something that the consumer organisation Which? has recently investigated – but that doesn’t mean you shouldn’t consult sites like Trustpilot and Sitejabber; just approach them with caution. Do the due diligence and if a site doesn’t feel right, click away. Honestly, you’re bound to be able to buy that life-size fluffy llama somewhere else.

Sarah Burns is Prizeology’s Chief Prizeologist and a National Trading Standards Scams Team Scambassador. 

© Prizeology and The Prizeologist Blog, 2018. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited.
