The advent of the internet, just like technology, has eased the way we lead our lives. However, it has also made us susceptible to the dangers of the digital world. Now, more than ever, not only can we buy our groceries online, but we also run the risk of falling prey to a web of intricately woven scams and lies — all from the comfort of our couches. This is why every one of us needs to know how to tell if a website is legit.
According to the Better Business Bureau (BBB) Scam Tracker, there were 48,362 scams in 2018 in the U.S. alone, and 23,439 scams have already been reported in 2019. With the numbers rising every year, and scammers finding ingenious new ways to commit cybercrimes, it’s imperative to learn to recognize these forms of attacks.
How to Tell If a Website Is Legit
Given the nature of our digital existence, we could, at any moment, be in contact with a cybercriminal or fall victim to a phishing attack and be none the wiser about it. It’s therefore understandable if you feel the paranoia grip you right before you visit a website your friend told you about or click on the advertisement flashing in some corner of your screen. A good rule of thumb is to pay attention, use good judgment when browsing, and look out for signs that can help you gauge the credibility of the website.
Here are 10 ways to find out if a website is real or a fake:
1. Verify the Website’s Trust Seal
A trust seal attempts to communicate to you as an end user that the website they’re on is safe, and that the business itself views security as a priority. It is a stamp granted by a security partner (such as a certificate authority, or CA) that’s indicative of the legitimacy of the website. If a trust seal is legitimate, clicking on it will take you to a page that verifies the authenticity of that seal.
2. Does It Have the Padlock with HTTPS? Did You View the Certificate Details?
HTTPS merely means that the communication channel between you and the server is encrypted and secure (i.e., an attacker listening in on the network will get garbled encrypted information that won’t make sense). HTTPS does not assure that the server you are communicating with will not steal your data. If the server is itself malicious, the S in “HTTPS” will do very little to ensure security.
Look at it this way: While it’s a no brainer that if your browser flags a website as “not secure,” no sensitive information should be entered on the page. But even if the site uses HTTPS, it doesn’t automatically guarantee safety. This is why SSL/TLS certificates offer different validation levels.
To view the digital certificate issued to the website, click on the padlock in the web address bar and select Certificate if using Google’s Chrome browser. For Firefox, click on the padlock and then on the arrow to show connection details. Click on more information and then view certificate.
3. Check the Contact Page
Our third recommendation for how to tell if a website is legit is to verify whether the website has a physical address. Does the company have a phone number listed and an email ID? Try sending an email to the ID provided on the contact page and check if it gets delivered. Verify that the email is not a generic one (such as email@example.com) but one that comes with the company brand (such as firstname.lastname@example.org).
4. Check Whether the Company Has a Social Media Presence
Most legitimate companies have some level of a social media presence. Fake websites sometimes have the icons for Twitter or Facebook, but the graphics don’t actually link to a real account. Read company reviews on such platforms and see if you can find real employees of the company on LinkedIn.
5. Don’t Click on Links Within the Body of an Email
Unless you requested a password reset link, there’s almost never a compelling reason to click on links in your email.
If PayPal was writing to you, they would know your name and use proper grammar. They’re not going to refer to you as “member” or “customer.” Furthermore, not in a million years would they threaten to suspend your account forever with a poorly written email, use urgent or threatening language, or ask you to provide personal or account information.
By just hovering the mouse over the login button, you should be able to see the actual link where you would get redirected. Remember that once you hit login, it might take you to a site that looks eerily similar to the original PayPal website. But the moment you enter your credentials, there’s a very good chance that your account will get compromised or your account details will be sold.
6. Look for Spelling or Grammatical Mistakes. Is There a False Sense of Urgency?
These are all telltale signs of a phishing attack. Most legitimate companies make an effort to ensure minimum quality standards in all communication that leaves their desks. Apart from rare genuine typos, it’s highly improbable that you will ever receive a poorly worded email from an Apple or a Microsoft. All communications from legitimate companies will have an appropriate tone and will never sound menacing or threatening, even if you don’t follow through with their call to action.
If the website looks like it was designed by some seven-year-old who is learning to draw, or if it has glaring grammar issues, chances are that it’s a malicious website and you should avoid it at all costs.
7. Use the Google Safe Browsing Transparency Report
When in doubt about a website’s safety, head over to the Google Safe Browsing Transparency Report. This tool allows you to enter a URL to check whether it hosts any malware or if the site is safe for browsing.
9. Pay Close Attention to the URL
Check that the website isn’t attempting a homograph phishing attack. Browsers can be tricked into displaying fake domain names as trusted legitimate sites such as a domain registered as xn--pple-43d.com is displayed as apple.com.
URLs can be manipulated using alphabets that appear similar from other foreign languages such as the Cyrillic alphabet. The URL can be designed to look a certain way using subdomains, but if inspected closely, the name of the actual domain is appears right before the TLD. A simple way to identify whether a URL is a homograph phishing attack is to copy and paste the URL in another tab. When pasted on the address bar the URL appears as “https://www.xn--80ak6aa92e.com/” before you hit enter and load the site.
10. Know the Obvious Signs of Website Malware
Web defacement attacks, suspicious pop-ups, and advertisements that attempt to entice you to click on them typically are indicative of malicious websites egging you on to download and execute some malware on your system. Be wary of websites that redirect you to other sites with promotional content or to a legitimate looking page asking you to enter sensitive information. Always exercise caution when clicking on any ads!
Security Add-Ons and Tools
In addition to the steps we outlined above for how to tell if a website is legit, there are tools and add-ons that can help you stay safe online as well.
Services like Norton Safe Web and Virus Total analyze URLs and tell us if the site we are interested in visiting is safe or malicious. Apart from the aforementioned precautionary steps, a few extensions and tools can also come in handy to keep us from visiting fake websites.
- Netcraft Extension: This tool allows you to do a quick lookup of the sites you want to visit and provides protection against phishing.
- Disconnect: This tracker blocker lets you see everything that tracks you on a website and allows you to disable them.
- Webroot Filtering Extension: This tool keeps you safe by blocking and filtering out dangerous websites.
- Privacy Cleaner: This application runs in the background and alerts you if a page or an app tries to access your files and information.
We hope these recommendations for how to tell if a website is legit will come in handy.