Tag Archives: fraud

Can I Trust HTTPS?

Can I automatically trust a site that uses HTTPS?

Recently, BBC Watchdog ran a story on bogus fundraising accounts being opened shortly after the horrific Grenfell Tower fire in London. I thought I had ceased to be surprised by the depths to which some criminals would stoop, but this one sickened me. Not only is it deceiving the well-meaning folk who think they are donating to charity, it deprives those who really need support of the funds to help get them back on their feet. Furthermore, once the scam is revealed, it is likely to make everyone more wary of giving to any online charity.

A spokesman from Action Fraud said that you should look for the sign of security, HTTPS, in the URL of the website, along with the associated green padlock symbol somewhere in your browser.

So, should you trust a site simply because it uses HTTPS? 

In a word, NO!

HTTPS stands for HyperText Transfer Protocol Secure and signifies that the connection between your browser and the server hosting the website is encrypted, using the TLS protocol (the successor to SSL) to carry data between the visitor and the website. This is a good thing: it means that your communication cannot be read or tampered with in transit by a third party, and that your browser has checked that the server holds a certificate for the domain name shown in the address bar. That is particularly important when you are sending highly sensitive information such as your credit card details through a shopping cart at checkout time. If you are running an eCommerce site, this is clearly essential.

Until fairly recently, acquiring the SSL (now TLS) certificate needed for HTTPS was a costly business. However, with Google’s drive to secure the web the cost of certificates has dropped and, with the Let’s Encrypt project now well established, it is possible to acquire a certificate for nothing.

Whilst the cost of a certificate was certainly a barrier to potential scammers in the past, the price drop means they are available to all. And with countless tutorials available online, even the most inept of cyber criminals can find out how to install a certificate and set up an HTTPS site.

But surely, HTTPS means it is secure, I can trust a site that is secure can’t I?

The certificate that underpins HTTPS refers simply and only to the transmission of data. For the common (and free) domain-validated certificates, the issuing authority checks only that the applicant controls the domain name; it does not certify the site, its content, the identity of the site owner or the activity conducted on that site. A scammer who registers justgivimg.com can obtain a perfectly valid certificate for it, and the browser will show the padlock just the same. Any assumption that HTTPS indicates a more trustworthy site is therefore clearly unwarranted.

So what should you look out for?

  • Use a familiar and trustworthy website.
  • Don’t rely upon a link to a site in an email or in social media, even if it is a site you have used before; type the address into your browser address bar. It is easy to make a link look like it goes to a safe site when in fact it goes somewhere else.
  • When you arrive at a site, check the address bar. Is the URL (web address) correct? Look out for tricks such as…
    1. a different domain ending, so rather than justgiving.com it is justgiving.global.
    2. deliberate spelling mistakes in the URL, e.g. justgivimg.com, that you might not spot if you only looked quickly. Before you question whether I’m calling JustGiving out on this, I’m not; but as one of the largest fundraising websites they are likely to be a big target for online fraudsters.
    3. subdomains, e.g. justgiving.official.com. This has nothing to do with the JustGiving website; it is a subdomain of a website called official.com. The part that matters is the name immediately before the domain ending (official.com here), since anything to the left of it is chosen freely by whoever owns that domain. Scammers are ingenious in how they mask the identity of the site you are going to, so scrutinise everything to assure yourself that you are where you expect to be.
  • Requests to pay by bank transfer rather than through a credit card or a legitimate payment gateway such as PayPal should set alarm bells ringing loudly. No legitimate fundraising site would ask for payment to be made this way.
  • If using PayPal, when you get to the stage of confirming the transaction, check who the payee will be. If it is not who you expect (a previous credit card statement may help you confirm the name you should be seeing), then something is wrong: stop, and only proceed with caution.

Scammers and cyber criminals are becoming increasingly competent at building websites that aim to steal either your money or your personal information.  Whilst HTTPS is a good sign that the connection between you and the website is secure, it does not mean the website itself should automatically be trusted.  Before giving a website any information or donating money, verify for yourself that the site is legitimate and that you are not being taken for a ride.

Business Ethics and Web Design

A question was posed on Quora recently about scams from purported “web designers”. I have always taken business ethics very seriously and recognise that my customers have a choice over whether they use me or someone else.  I felt compelled to give an answer to this question.
Whether you would call some of these true ‘scams’ or just shady practices all comes down to your level of business ethics. To me, these are all deceitful and deliberate attempts to  mislead the customer.

Offshoring the work but not telling the customer

Offshoring work but using local contact details, such as a local phone number and business address, to make out that the business is located close by. For a lot of business owners the fact that they can pick up the phone to speak with, or arrange to meet face to face, the designer of their website is important. Hiding the fact that the work is actually being done thousands of miles away, in a different time zone, by freelancers is definitely suspect.
Should the business owner want to update their website, unless the freelancer has done a good job of marking up and commenting their code, whoever has the task of unpicking the existing code to make changes has a harder job on their hands.

Fake reviews and testimonials

Fake reviews and testimonials. I don’t mean ‘the friend you asked to favourably review your web design business in exchange for a few beers’, type of thing. I know of one web design agency close to me that have created an entirely fictitious person, business and backstory in order to create a review on their website. It is elaborate, detailed and a complete falsehood. If they will go to the effort of creating a fake testimonial for themselves, what else are they prepared to make up or be creative about?  I wrote in greater depth on this story in Sharp Practices by Web Designers.

Cookie Cutter Site development

‘Cookie cutter’ web site development. There is a marketing firm not far from me that advertises its ability to create websites for incredibly low prices. It is only when you look at the output they have created that you recognise a startling similarity between all their sites. They have used the same web-builder tool for all of them and, worse than that, an identical template for every site. Every site they produce is a clone of the last.
The only differences are background colors, text, logos and images. The layouts, menus and structure are identical. They have taken a tool the business owner could have used themselves, dropped in the content (no doubt created by the business owner) and have the cheek to call themselves ‘web designers’.

Unethical SEO Services

SEO Services. There are some genuine and professional SEO service providers out there. They seem to be outnumbered by the scammers and crooks who promise “top ranking in Google” or “first page in all search engines”. For the business owner who knows little about how the search engines work (and let’s face it, that is most business owners) but is keen for their business to grow, this sort of promise sounds ideal. Of course what the SEO scammer does not say is that the top ranking is either for the most obscure ‘long-tail keyword’, or achieved through dubious means. The former has no meaningful impact on the business, since very few searches are made for that long-tail keyword, whilst the latter has a dramatic effect upon the business once the search engines punish the site for employing suspect methods to raise its ranking.

Inflating Prices

Overcharging. The situation that comes to mind most readily is the web design agency that says it can handle domain registration and/or hosting, then massively inflates the costs incurred when invoicing the customer. I’ve seen bills for hundreds of dollars for registering or hosting a domain.
When you investigate where it is being hosted, it is easy to see that the real price is around $60 per year, whilst the customer is being charged $500. In my view this is taking advantage of the customer’s lack of knowledge to make a fast buck.

To me, as a web designer / web developer, integrity is everything. I need and want my customers to trust me and heed the well given advice I offer them. To be less than 100% honest at all times risks damaging that hard earned trust. I want the relationship with my customers to be a partnership that stands the test of time; treating them as idiots or ‘cash cows’ to be milked feels plain wrong.

Shopping Safely Online

According to the Centre for Retail Research, in the run-up to Christmas 2014 online shopping in the UK comprised very nearly 25% of all sales made, up a whopping 19% on the year before. We spent over £17bn online in the six weeks before Christmas 2014.

As the BBC reported, scammers, hackers, thieves and crooks of all persuasions are gearing up to take advantage of our increasing adoption of online purchasing, and are planning ever more cunning ways to part us from our money.

Here are 10 ways to shop safely online…

  1. Visit familiar websites that you know and trust. If you find a site offering incredible deals way down on page eight of a Google search, there is likely to be something awry; if the deal were that good, it would have appeared on the first page or two.
  2. Be aware of ‘look-alike’ sites that use either a misspelling of a real business name (e.g. johmlewis.com) or a different ending to an existing web address (for example .net rather than .com, or .com.uk instead of .co.uk). The look-alikes are sometimes all but identical to the real sites, since the crooks have simply cloned the site they are pretending to be. Always check the address bar of your browser to make sure you really are where you think you are.
  3. Look for the lock icon. Before sending your credit card details, check that the connection is encrypted with TLS (the successor to Secure Sockets Layer, and still often called SSL). This is shown by the web address starting with https:// rather than http:// (the all-important ‘s’ indicating a secure connection), and modern browsers add a padlock right next to the site address. If you are being asked for your card details and there is no padlock, alarm bells should ring immediately. You wouldn’t stand in the middle of the street shouting out the details of your credit card, so why do the equivalent online! Remember, though, that the padlock only tells you the connection is encrypted; a look-alike site can have one too, so it is no substitute for checking the address.
  4. Keep your browser and computer operating system up to date. The same goes for your anti-virus and other security programs. Hackers attempt to exploit known weaknesses in programs, and omitting to update key software is like leaving a window open in your house: you are making it easy for the crooks to gain entry.
  5. Consider using a browser with Safe Browsing built in; Google Chrome, Firefox and Safari all incorporate it. Safe Browsing warns the user when they are about to access a site that may pose a threat; more than 5 million warnings per day for all sorts of malicious sites and unwanted software are provided by Safe Browsing.
  6. Credit rather than debit. The payment protection afforded by a credit card is usually greater than that for a debit card. Whilst no one ever wants anything to go wrong, at least this might offer a little more peace of mind. Better still, consider a payment service such as PayPal.
    These services never reveal your card number to the online merchant, meaning that if you do inadvertently fall foul of a look-alike site, at least your card details are still secure.
  7. Exercise caution when downloading new apps. Only download apps from trusted sources such as Google Play (for Android) or the Apple App Store (for Apple devices). Cyber-thieves have deliberately made similar-looking apps to existing ones that harvest sensitive information. If in doubt, read the reviews of the app thoroughly before installing it to see what other users have to say about it.
  8. If something seems “too good to be true”, it probably is. Unsolicited email containing details of incredible bargains is almost always bait to get you to visit a site that cyber-crooks will use to steal data, information or money from you. A common ploy to encourage people to click a link in an email is to make the offer time-sensitive: “Hurry, only available for 24 hours”, or “first 200 customers only”. Even if the mail comes from a friend you should still exercise great caution; it is easy to ‘spoof’ an email message so that it appears to come from someone other than the true sender.
  9. This is a good time to check that you are using strong, unique passwords for all of the sites where you have set up an account. Using weak, easily guessed passwords, or the same password across multiple sites, simply makes it easy for the cyber-thieves should your details fall into their hands. If you are not sure what makes a good password, here are some great password tips from Google.
  10. Finally, once you have those strong, unique passwords in place, you don’t want to forget them (which, let’s face it, is easily done when you have tens of sites where you have an account). Password vaults such as KeePass or LastPass are an excellent way of managing numerous passwords.
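The address-bar checks in item 2 above, and the three domain tricks listed in the “Can I Trust HTTPS?” post (a different domain ending, a deliberate misspelling, and a trusted name used as a subdomain of some other domain), can be turned into a small link checker. The script below is an added example, not code from the original posts; the trusted list (justgiving.com, johnlewis.com) is constructed from the names used in the posts, the suffix table is a tiny stand-in for the Public Suffix List, and the check for non-ASCII or punycode hostnames goes one step beyond the posts to catch look-alike characters as well as look-alike spellings.

```python
"""Flag links whose domain looks like, but is not, a site you trust."""
from urllib.parse import urlsplit

# Constructed allow-list for the example (names taken from the posts above);
# a real deployment would hold the sites you actually use.
TRUSTED = {"justgiving.com", "johnlewis.com"}

# Tiny stand-in for the Public Suffix List; enough for the examples here.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

# Edits (insert/delete/substitute) within which a name counts as a misspelling.
MAX_TYPO = 2


def split_host(host):
    """Split a hostname into (subdomain labels, registered name, public suffix).

    The registered name is the label the site operator actually bought;
    everything to its left is chosen freely by whoever owns that domain, so
    'justgiving.official.com' splits into (['justgiving'], 'official', 'com').
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[:-3], labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[:-2], labels[-2], labels[-1]
    return [], labels[0], ""


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def compare(name, subs, registered, site):
    """Describe how the link's domain imitates one trusted site, or None."""
    _, tname, _ = split_host(site)
    if name == tname:
        return f"different domain ending: {registered} is not {site}"
    if tname in subs:
        return f"{site} used as a subdomain: the site is really {registered}"
    if edit_distance(name, tname) <= MAX_TYPO:
        return f"possible misspelling of {site}: {registered}"
    return None


def check_url(url, trusted=TRUSTED):
    """Return (verdict, findings); verdict is 'ok', 'warn' or 'reject'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return "reject", ["no hostname in URL"]
    subs, name, suffix = split_host(host)
    registered = f"{name}.{suffix}" if suffix else name
    findings = []
    if parts.scheme != "https":
        findings.append("not https: anything you send can be read in transit")
    if not host.isascii() or "xn--" in host:
        findings.append("internationalised hostname: check for look-alike characters")
    if registered in trusted:
        return ("warn" if findings else "ok"), findings
    lookalikes = [r for r in (compare(name, subs, registered, s)
                              for s in sorted(trusted)) if r]
    findings.extend(lookalikes or [f"{registered} is not on the trusted list"])
    return "reject", findings


if __name__ == "__main__":
    # Constructed sample links, the ones the posts warn about included.
    for link in ["https://www.justgiving.com/fundraising/page",
                 "https://justgiving.global/donate",
                 "https://justgivimg.com/donate",
                 "https://justgiving.official.com/",
                 "https://www.johmlewis.com/",
                 "https://www.johnlewis.co.uk/",
                 "http://www.justgiving.com/"]:
        verdict, why = check_url(link)
        print(f"{verdict:6} {link}  {'; '.join(why)}")
```

The checker deliberately errs on the side of rejecting: an unknown domain is rejected even when it is harmless, because the point of a donation or checkout allow-list is that you only pay sites you have already decided to trust. The edit-distance threshold of 2 catches the single-letter swaps scammers favour but will also flag genuinely unrelated short names, so treat its output as a prompt to look at the address bar, not as a final answer.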

Shopping online is convenient and brings a world of choice to your front room. Done with a reasonable amount of caution, it is no less risky than shopping on the high street. Done with less awareness, and a degree of carelessness or naivety, and you face a real chance of being scammed, fooled or, sadly, robbed.

Take care and above all, stay safe.