Can I automatically trust a site that uses HTTPS?
Recently, BBC Watchdog ran a story on bogus fundraising accounts being opened shortly after the horrific Grenfell Tower fire in London. I thought I had ceased to be surprised by the depths to which some criminals would stoop but this one sickened me. Not only is it deceiving the well-meaning folk who think they are donating to charity, it deprives those who really need support of the funds to help get them back on their feet. Furthermore, once the scam is revealed, it is likely to make everyone more wary of giving to any online charity.
A spokesman from Action Fraud said that you should look for the sign of security – HTTPS – in the URL of the website, along with the associated green padlock symbol somewhere in your browser.
So, should you trust a site simply because it uses HTTPS?
In a word, NO!
HTTPS stands for Hyper Text Transfer Protocol Secure and signifies that the connection between a browser and the server hosting the website is secure and uses an encrypted protocol to transmit data between the visitor and the website. This is a good thing as it means that your communication cannot be eavesdropped on by a third party; this is particularly important when you are sending highly sensitive information such as your credit card details through a shopping cart at checkout time. If you are running an eCommerce site, this is clearly essential.
Until fairly recently, acquiring the SSL certificate needed for HTTPS was a costly business. However, with Google’s drive to secure the web, the cost of certificates has dropped, and with the Let's Encrypt project now well established, it is possible to acquire a certificate for nothing.
Whilst the cost of a certificate was certainly a barrier to potential scammers in the past, the price drop means they are available to all. And with countless tutorials available online, even the most inept of cyber criminals are able to find out how to install a certificate and set up an HTTPS site.
But surely HTTPS means it is secure, and I can trust a site that is secure, can’t I?
The certificate that underpins HTTPS refers simply and only to the transmission of data. It does not certify the site, its content, the identity of the site owner or the activity conducted on that site. Any assumption that using HTTPS indicates a more trustworthy site is therefore clearly unwarranted.
So what should you look out for?
- Use a familiar and trustworthy website.
- Don’t rely upon a link to a site in an email or in social media, even if it is a site you have used before; type the address into your browser address bar. It is easy to make a link look like it goes to a safe site where in fact it goes somewhere else.
- When you arrive at a site, check the address bar. Is the URL (web address) correct? Look out for tricks such as…
  - a different domain ending, so rather than justgiving.com it is justgiving.global
  - deliberate spelling mistakes in the URL, e.g. justgivimg.com, that you might not spot if you only looked quickly. Before you question whether I’m calling Just Giving out on this, I’m not, but as one of the largest fundraising websites they are likely to be a big target for online fraudsters.
  - subdomains, e.g. justgiving.official.com. This has nothing to do with the JustGiving website; it is a subdomain of a website called official.com. Scammers are ingenious in how they mask the identity of the site you are going to, so scrutinise everything to assure yourself that you are where you expect to be.
- Requests for you to use bank transfers rather than credit card or PayPal type transactions should have alarm bells ringing loudly. No legitimate fundraising site would ask for payment to be made this way.
- If using PayPal, when you get to the stage of confirming the transaction, check who the payee will be. If it is not who you expect (you may be able to confirm this by referring to a previous credit card statement), then something is wrong. Stop, and only proceed with caution.
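To make the address-bar checks above concrete, here is an added example in Python (not code from the original article) that classifies a typed address against the domain you expected, flagging the three tricks listed: a different ending, a typo, and a misleading subdomain. The `check_host` helper is hypothetical, and it approximates the registrable domain as the last two labels, so co.uk-style suffixes are out of scope.

```python
from urllib.parse import urlsplit

def hostname_of(url: str) -> str:
    """Return the lower-cased host part of a URL, without port or userinfo."""
    # Add a scheme if the user typed a bare address so urlsplit sees a host.
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_host(url: str, expected: str) -> str:
    """Classify a URL against the expected registrable domain, e.g. 'justgiving.com'.

    Returns one of: 'ok', 'different-tld', 'typosquat', 'subdomain-trick', 'unrelated'.
    """
    host = hostname_of(url)
    expected = expected.lower()
    if host == expected or host.endswith("." + expected):
        return "ok"                       # the real site, or a genuine subdomain of it
    exp_name, _, exp_tld = expected.rpartition(".")
    # Assumption: the registrable domain is the last two labels (no public-suffix list).
    labels = host.split(".")
    registrable = ".".join(labels[-2:])
    reg_name, _, reg_tld = registrable.rpartition(".")
    if reg_name == exp_name and reg_tld != exp_tld:
        return "different-tld"            # justgiving.global
    if reg_name != exp_name and edit_distance(reg_name, exp_name) <= 2:
        return "typosquat"                # justgivimg.com
    if exp_name in labels[:-2] or expected in host:
        return "subdomain-trick"          # justgiving.official.com
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample addresses, including the three tricks from the list above.
    for sample in ["https://www.justgiving.com/fundraising/page", "justgiving.global",
                   "https://justgivimg.com", "https://justgiving.official.com"]:
        print(sample, "->", check_host(sample, "justgiving.com"))
```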
Scammers and cyber criminals are becoming increasingly competent at building websites that aim to steal either your money or your personal information. Whilst HTTPS is a good sign that the connection between you and the website is secure, it does not mean the website itself should automatically be trusted. Before giving a website any information or donating money, verify for yourself that the site is legitimate and that you are not being taken for a ride.