1.28 million phishing sites were detected worldwide in the second quarter of 2023 alone. The FBI’s Internet Crime Complaint Center, or IC3, received 323,000 social engineering complaints in 2022. The important thing to note is that these statistics represent the reported cases, which constitute just the tip of the iceberg.
There are no definitive answers to questions like how many indexed websites are fake, how many people end up on malicious sites while browsing the web, and how much money is lost to illegitimate websites across Europe.
With phishing sites growing in number and sophistication, and innovative methods of digital skimming gaining ground, the common internet user needs to adhere to safe browsing practices. This post aims to help you navigate the internet more securely by methodically testing websites for authenticity and safety.
How to check if a website is safe?
A secure and legitimate website bears many markers of its legitimacy. You need to spot and interpret those correctly to tell if a website is safe to visit and transact with. In the following sections, we’ll talk about different web page areas and how they can inform us about the site’s safety.
1. Check the address bar or URL bar
Certain elements in the address bar and the URL itself indicate a website’s safety. You can focus on two things when checking a URL.
a. SSL certificate
Click the URL twice to see if it is prefixed by https://. The ‘s’ stands for secure and indicates the presence of an SSL certificate.
A valid SSL certificate implies that any data sent to the website is encrypted in transit. While that doesn’t guarantee a website’s complete safety, it indicates that the website owners intend to keep it secure for users.
To learn more, click the View site information button on the left end of the address bar.
You will see a lock icon on a secure website with the phrase Connection is secure.
This implies the website follows the SSL (Secure Sockets Layer) protocol. You can click the Connection is secure button to learn more about the SSL certificate.
You will find the ‘Certificate is valid’ button. Click on it to learn who issued the certificate and how long it’s valid.
b. The URL itself
Typosquatting is a popular form of URL-based scam where the scammer buys domains that closely resemble known sites. For instance, a scammer may own domains like wikepedia.org and wikiipedia.org to trap people who make a typo while searching for wikipedia.org.
Spoofing is another form of cyber nuisance in which the scammer builds a site identical to a legitimate site. The URL may differ by one letter or even the font. Spoofing can be used to steal login credentials or other sensitive information and to infect devices with malware.
Here’s what to do
- Slow down and take a good look at the URL before hitting search
- Always check for the https prefix
- Before clicking any link, hover over it. The URL you are about to visit will be displayed at the bottom left corner of the page. Make sure the URL matches the intent of the link.
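The URL checks in this section (https prefix, a near-miss spelling such as wikepedia.org, and a lookalike character) can be automated. The Python below is an added example, not part of the original post; the trusted-domain list, the function names and the distance threshold of 2 are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list of sites the user actually means to visit (assumption).
TRUSTED = {"wikipedia.org", "google.com", "paypal.com"}


def edit_distance(a: str, b: str) -> int:
    """Edits needed to turn a into b: insert, delete, substitute, swap neighbours."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "paypla" typed for "paypal".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive last-two-labels domain; a real tool would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_url(url: str, trusted=TRUSTED, max_dist: int = 2) -> list[str]:
    """Return warnings for the URL; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme != "https":
        warnings.append("no-https")
    # Lookalike characters ("differs by font") appear as non-ASCII or xn-- labels.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        warnings.append("non-ascii-or-punycode")
    domain = registrable(host)
    if domain not in trusted:
        for good in sorted(trusted):
            if edit_distance(domain, good) <= max_dist:
                warnings.append(f"lookalike-of:{good}")
    return warnings
```

An empty result only means the URL is not a near miss of a listed domain and uses https; an unknown domain is not flagged, so the other checks in this post still apply.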
2. Use a URL checker to determine site status
The safe browsing site status page by Google can be used as a free website health checker. It is a part of the Google Transparency Report. If you are suspicious about a website, copy and paste the URL into the site status page. Google will show you if there are any known issues with that particular webpage.
Your browser is likely already set up to warn you about unsafe sites once you request such a page. But sometimes, it can miss certain URLs; in such cases, using a URL checker is a good idea.
3. Check the website’s privacy policy
Unsafe website is a broad category that includes unsophisticated phishing sites riddled with malware and endless pop-ups as well as grand webpages with incredible design elements that collect data using unscrupulous means. While security measures built into your browser can help you avoid the first kind, the second kind is way harder to beat.
How to spot red flags in the privacy policy
1. First of all, if a website doesn’t have a documented and easily accessible privacy policy, it’s a huge red flag. The existence of a privacy policy is the baseline expectation here.
2. If you cannot find a clearly defined data collection policy, there is reason to doubt the site’s intentions. You should know what data is being collected and how much of it is being collected.
3. You also have a right to know the data usage policy. Is your data collected for targeted advertising or sold to third-party players? The absence of an unambiguous data usage policy is concerning.
4. If a company stores personal information, it should also be able to tell you if they are encrypting your data at rest. While specific details about the security measures put in place to protect user data are not expected to be part of the privacy policy, the complete absence of any documented commitment in terms of data security is problematic.
A site that writes its privacy policy clearly and uses minimal jargon inspires trust, whereas websites that try to cover problematic data usage practices with heavy legal language should be avoided.
4. Try to find contact information
Every website represents a business and has a registered address (physical and/or digital). Finding that information is important in checking if a website is secure. A scam website is unlikely to have contact information. Even if it does, chances are you won’t reach anyone through those contact details.
Contact information serves another useful purpose. Suppose a user wants to purchase from a lesser-known e-commerce site and feels uncomfortable sharing their financial information. In that case, they can contact the people behind the site and ask for an alternative mode of transaction. Learning who owns the website at this point can also be useful.
5. Design inconsistencies and grammatical errors
Building a website takes time and effort. Even though generative AI has made life easier for hackers in terms of creating website content, there are still discernable discrepancies in most fake sites. If you land on a fake site while searching for a known webpage, the design will likely give it away almost instantly. The site will feel different in terms of functionality as well. Follow your instincts and run a quick check following the previous methods.
Here are some things you are likely to find on spoofing sites
- Spelling errors
- Alignment issues
- Faulty grammar
- Wrong colour schemes
It can be a bit difficult to spot fakes on your first visit to a site. If you have doubts, run the checks we’ve mentioned so far.
6. Reviews are a good way to quell doubt
Sometimes, looking for the obvious signs of a secure website is insufficient. A website may have everything on point and still be a scam site. The very business behind the website may be illegitimate.
If you plan to share sensitive data with a site or are about to make a financial transaction in its favour, it’s always better to read a few neutral reviews. Reviews found on Quora, Reddit, G2, etc., can be helpful in that regard.
7. Too many pop-ups
If you land on a website and are immediately bombarded with clickables popping up all over your screen, it’s safe to leave that site immediately. Do not click anything, and do not even try to click the close buttons that might appear on the pop-ups—you never know where a fake URL might lead you.
Keep a keen eye out for pop-ups that ask for personal information, contain threatening content (scareware), or advertise products unrelated to the site you are visiting. Too many pop-ups are a clear sign of either a malicious site or a legitimate site that has been infected. Stay away.
Free Tools to Check Website Safety
Protecting yourself online is so essential these days. Before you click on anything, it’s wise to check if a website is safe. Luckily, there are some great free tools out there that can help.
- Google Safe Browsing: This tool, part of the Google Transparency Report, allows you to check a website’s safety status by simply entering the URL. It will inform you if there are any known security issues with the site.
- Sucuri SiteCheck: Sucuri offers a free website scanner that checks for malware, blacklisting status, and other security issues. It provides a comprehensive report on any vulnerabilities found.
- Qualys SSL Labs: This tool performs a deep analysis of a website’s SSL/TLS configuration, helping you ensure the site’s connection is secure.
- SecurityHeaders: Developed by security researcher Scott Helme, this tool analyzes a website’s HTTP response headers and provides a security score based on the headers implemented and their configuration.
- VirusTotal: This comprehensive tool scans URLs and files using multiple antivirus engines and website scanners, offering a thorough safety analysis.
- URLVoid: Aggregating data from various blacklist engines and online reputation tools, URLVoid provides a comprehensive safety report for any given URL.
- Mozilla Observatory: This tool focuses on proper security header implementation and provides actionable recommendations for enhancing website security.
These tools are a great starting point for assessing website safety. However, no tool can guarantee complete security, so it’s always wise to stay vigilant and combine these checks with other safe browsing practices.
Tips to protect yourself from unsafe websites
These security tips are a must, as they help you protect your browsing experience. Your web browser can do a good job of keeping you out of trouble while browsing, and certain browsing habits can further reduce the risk of landing on a fake or malicious website.
Do not ignore warnings from your browser
Even if you think your browser incorrectly flags a site as unsafe, do not override it. Run a URL check and, if possible, contact the website owners to find out if there has been a security incident that puts users at risk. Remember, doubt and verification lie at the core of staying safe online.
Choose applications that support 2FA
If you are planning to use web-based platforms to make transactions or share data with businesses, you should always opt for sites that let you enable two-factor authentication. That way, your account gets an extra layer of security and stays safe even in the event of password theft.
Use a password manager
Using a password manager like Uniqkey eliminates password-related problems. Automated logins and 2FA verifications minimize the possibility of human error.
Platforms like Uniqkey can easily spot phishing attempts and ensure you steer away from them. Even if you land on a fake site, the password manager will spot the discrepancy and refrain from producing the credentials, thus neutralizing the security threats.
Use firewalls and malware cleaners
Every click can potentially inject malware into your system when you visit an unsafe website. A high-quality firewall can greatly help you thwart such infections. You can also use malware cleaners to clean up existing threats.
Website safety is a rising concern among search engines, and almost all major players have taken extensive steps to verify a website’s legitimacy.
Nevertheless, the best step forward for users is to build awareness about website security and be vigilant. Simple acts like looking at the domain name, noticing how the website looks and feels, and looking for signs that a website is legit can help you avoid identity theft or financial loss.