When visiting an online shop, many of us check website safety by looking for a closed padlock next to the URL in our browser. It’s advice that continues to get shared today, and according to Google research almost half of us (44%) use the lock icon to assess a site’s trustworthiness. But this is now outdated.
The closed lock icon that we see in our browsers indicates that a site is secured with a digital SSL (Secure Sockets Layer) certificate. This, alongside the additional indicator of HTTPS in a URL, means that data sent between two points — the browser and a server — is encrypted. But what it doesn’t mean is that you can implicitly trust that connection. Because cyber criminals use SSL, too.
In fact, according to a report by the Anti-Phishing Working Group (APWG), in the first quarter of 2021, 83% of phishing sites had SSL encryption enabled, which means every person visiting one of those sites would have seen a closed lock in their browser.
“It used to be relatively easy to spot fake websites. You could just look out for bad grammar or the missing lock icon in the address bar,” explained Joel Latto, Threat Advisor at F‑Secure.
However, this advice, while still commonly shared, is outdated.
Google’s research into the use of the lock icon has also found that 74% of people incorrectly think that it means a site is secure, with 48% mistakenly believing that it indicates a site’s trustworthiness. As a result of this misunderstanding, Google has announced that it will be removing the lock icon from the Chrome browser (version 117), due for release in early September 2023.
The story behind the lock icon is just one example of how common security misunderstandings can spread, and it showcases the importance of a rounded approach, which combines the best advice with the best tools.
Browsers and cyber security products have built‑in ways to identify untrustworthy sites, such as Google’s Safe Browsing technology and F‑Secure’s Browsing Protection, which prevents you from unintentionally accessing harmful URLs. These are great ways to assess a site’s trustworthiness. But they should be used in conjunction with the very best cyber security awareness.
Here, experts at F‑Secure provide three tips for checking website safety, enabling you to combine the latest tools with the very best advice from cyber security specialists.
“If the online shop’s prices are too good to be true, they probably are,” said Mika Lehtinen, Director, Research Collaboration at F‑Secure.
Legitimate shops tend to sell products at competitive prices. Fake shops may offer products at prices that are noticeably lower than the prices of legitimate shops in order to lure people in to make a purchase. If you encounter a shop with exceptionally low prices, pay extra attention to other potential indications of a scam.
Comparison engines are now available in almost every corner of the ecommerce world, and the reality is that retailers know exactly what competitors are selling their products for, meaning that most will only undercut prices by a small margin, if at all.
“Top shopping sites are usually well known and trusted by many users; they have a large user base and positive reviews from users. So sticking with the trusted retailers that you have made purchases from before is always a good start,” said Sarogini Muniyandi, Senior Manager, Threat Protection Engineering at F‑Secure.
Keeping track of the website URL address also helps in ensuring you are on the right page. And to avoid landing on the wrong/scam page, be aware of URL misspelling and typosquatting [the intentional and inconspicuous misspelling of a link or URL].
It isn’t always possible to stick with trusted retailers, though, and in cases where you use a new retailer, a simple Google search of the vendor name will reveal what other sites and users are saying online (for example, via Wikipedia pages, reviews, and partner and reseller sites).
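The URL check for misspelling and typosquatting described above can be automated. The following is an added example, not F‑Secure’s code or how Browsing Protection works: it compares a visited hostname against a personal list of trusted shops and flags near misses. The shop domains, the character substitution table and the distance threshold are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list: shops this user has bought from before (assumption).
TRUSTED = {"brightcart.example", "summitgear.example"}
# Digits commonly swapped in to imitate a letter (illustrative, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def hostname(url):
    """Lower-cased host of a URL, without a leading 'www.'."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def normalize(host):
    """Fold look-alike digits and letter pairs ('rn' ~ 'm', 'vv' ~ 'w')."""
    return host.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def check_url(url, trusted=TRUSTED, max_distance=1):
    """Return (verdict, matched trusted domain or None)."""
    host = hostname(url)
    for shop in sorted(trusted):
        if host == shop or host.endswith("." + shop):
            return ("trusted", shop)
    for shop in sorted(trusted):
        if (normalize(host) == normalize(shop)
                or edit_distance(host, shop) <= max_distance
                or host.startswith(shop + ".")):  # trusted name used as a prefix
            return ("lookalike", shop)
    return ("unknown", None)


if __name__ == "__main__":
    for u in ("https://www.brightcart.example/deals", "https://brightcrat.example/",
              "http://surnmitgear.example/login", "https://unrelated-store.example"):
        print(u, check_url(u))
```

A verdict of `unknown` only means the host does not resemble a shop on the list; it says nothing about whether the site is safe.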
“It is becoming easier to fake reviews about a website, or even start a fake website that boosts reviews of a fake shopping website,” explained Ash Shatrieh, Threat Intelligence Researcher at F‑Secure.
The trick is always to convince victims that what they are seeing is correct, but accomplishing that is not easy. If you stumble upon many reviews from usernames which look fake (or serial, e.g. john145, john136…) chances are higher that the reviews are being faked for this website.
As well as being mindful of fake reviews, you should also turn to respected review platforms — such as Trustpilot (which currently hosts over 200m reviews) — where you can check what other buyers are saying in their legitimate reviews.
F‑Secure’s Browsing Protection (included in Total) enables you to evaluate the safety of websites and prevents you from unintentionally accessing harmful URLs.