As millions of people visit online retailers to spend their hard-earned money this holiday season, cybercriminals will be working to trick consumers into mistakenly sending that money their way instead. A number of browsers are pioneering new ways for users to recognize that the site they are visiting might not be what it appears. Non-HTTPS pages, or pages without an EV SSL certificate validating them as trustworthy, will be flagged as potentially dangerous sites.
Thanksgiving is quickly approaching, and with it comes the start of the holiday shopping season. Black Friday and Cyber Monday are the two most lucrative days of the year for retail businesses, and the National Retail Federation estimates that nearly 70 percent of adults in the U.S. shop during the Thanksgiving holiday weekend. Black Friday brought retailers an estimated $6.2 billion in online sales alone last year—a new record—while Cyber Monday added $7.8 billion to the total.
It should come as little shock that retailers aren’t the only ones circling Black Friday on their calendars. As millions of people visit online retailers to spend hundreds, even thousands, of their hard-earned dollars, cybercriminals are finding increasingly creative ways to trick consumers into mistakenly sending that money their way, instead.
Here is a common tactic used by cybercriminals: They will build a very close approximation of a retailer’s website, then trick consumers into visiting their site instead of the legitimate site. Perhaps the most common way that they do this is by sending an email advertising a deal or a sale for a specific retailer. Although the email may appear legitimate, any recipient who clicks the link will be redirected to a phishing site masquerading as the retailer’s site. Unless users double-check the URLs of sites in the address bar, they are unlikely to realize their mistake. If they attempt to purchase from the site, any financial information they enter will go straight into the hands of the scammers.
Luckily, this isn’t happening in a vacuum. Although criminals are getting more and more innovative, consumers are also getting smarter and more internet savvy. A number of browsers are pioneering new ways to help people recognize that the site they are visiting might not be what it appears. Last year, Google Chrome began flagging all unencrypted HTTP pages as “not secure,” and Firefox followed suit with the release of Firefox 70 this year. This means that non-HTTPS pages, or pages without an EV SSL certificate validating them as trustworthy, will be flagged for consumers as potentially dangerous sites.
It is worth noting that there is a difference between “secure” and “safe.”
The presence of an SSL certificate does not necessarily mean that a given website is trustworthy. It simply means that any information you enter into that site (credit card info, login information, etc.) cannot be intercepted by a third party. Unfortunately, many phishing sites today are capable of obtaining SSL certificates, so the fact that a site is “secure” does not automatically mean that it is safe to enter your information there.
On the flip side, however, consumers should not enter information if they do see a “not secure” warning pop up—even if they know the site to be legitimate. Unencrypted ecommerce sites pose a wide range of risks for consumers, and credit card skimmers, credential thieves, and other scammers will surely be hard at work attempting to intercept unsecured communications. The “not secure” warning is a good indicator that you might be on a fraudulent website, but even if you are on the right website, it likely indicates that the site is not capable of protecting your information, and you should take your business elsewhere.
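The address-bar check and the "secure" versus "safe" distinction described above can be expressed as a small link triage routine. This is an added example, not code from the original article; the domain names (`shop.example`, `deals.example.net`) and the function name `assessLink` are constructed for illustration.

```javascript
// Added example. All hostnames are constructed placeholders, not real retailers.
const EXPECTED_HOSTS = ["shop.example"]; // assumption: the retailer's real domain

function assessLink(rawUrl, expectedHosts = EXPECTED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl); // standard URL parser, as used by browsers
  } catch {
    return { verdict: "invalid", host: null, reasons: ["not a parseable absolute URL"] };
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const encrypted = url.protocol === "https:";
  // Only an exact match or a true subdomain counts as the retailer;
  // "shop.example.deals.example.net" belongs to example.net, not shop.example.
  const hostMatches = expectedHosts.some((h) => host === h || host.endsWith("." + h));

  const reasons = [];
  if (!encrypted) reasons.push("not HTTPS, so the browser shows 'not secure'");
  if (!hostMatches) reasons.push(`host '${host}' is not the expected retailer`);
  if (url.username || url.password) reasons.push("text before '@' is not the host");
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("punycode label may display as look-alike characters");
  }

  // "Secure" (encrypted) and "safe" (the site you meant to visit) are separate checks.
  let verdict;
  if (!encrypted) verdict = "not-secure";
  else if (!hostMatches) verdict = "secure-but-wrong-site";
  else verdict = reasons.length > 0 ? "review" : "expected-site";
  return { verdict, host, reasons };
}

// Constructed sample links, as they might appear in a promotional email.
const SAMPLE_LINKS = [
  "https://www.shop.example/cart",
  "http://shop.example/checkout",
  "https://shop.example.deals.example.net/sale",
  "https://shop.example@deals.example.net/sale",
];
for (const link of SAMPLE_LINKS) {
  const { verdict, host } = assessLink(link);
  console.log(`${verdict.padEnd(22)} ${host}  <-  ${link}`);
}
```

The last two sample links would both earn a padlock in the browser, yet neither leads to the retailer, which is why an encrypted connection alone says nothing about who is on the other end.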
The “not secure” warning is hardly the be-all and end-all of website security, but it is an outstanding rule of thumb for consumers unsure whether they can trust a certain website. Consumers should be on the lookout for potential scams—particularly at this time of year—and today’s browsers are increasingly providing them with the tools they need to make better decisions.
In fact, research has shown that 97% of active internet users want to do business with companies that take steps to protect their confidential information. Avoiding a “not secure” warning served up by leading browsers gives responsible companies a leg up on their less conscientious peers by giving their customers not just a great holiday deal, but confidence that the merchant has made protecting their financial information a top priority.