Is This Website Safe To Buy From?
Cybercrime is a multi-trillion-dollar industry. Widely reported high profile cases such as the WannaCry ransomware attack and state-sponsored hacking lead many internet users to believe only large corporations and governments are at risk from cybercrime. However, an estimated five billion customer data records are to be stolen in 2020 – covering personal identifying information and payment details. Large scale data leaks are not the only method for digital criminals to obtain sensitive information, often users are induced or tricked into feeding the data directly to criminals. In this article, we will look at five myths about spotting a fake website and tips to avoid the traps.
One method to deceive internet users is by abusing the intellectual property of trusted brands to craft an illusion of legitimacy. Brand owners undertaking an enforcement programme can help reduce the risks for customers, however, with the extremely low barriers to entry in ecommerce, new scam websites and counterfeit items go online just as quickly as they are removed. The subsection of cybercrime enabled by brand appropriation and IP infringement directly targets individuals. Scammers and counterfeiters have become more professional, with tools, templates, store builders, plugins, apps and guides in abundance to get started. Gone are the days when consumer awareness advice could recommend avoiding websites riddled with spelling mistakes, lacking a professional appearance and based in an exotic location. Low cost copywriters are hired for content using Grammarly to detect errors; high quality webstores are built in under a day using Shopify and WooCommerce; and the US hosts the largest number of counterfeit webstores. Relying on outdated advice leads to a false sense of security when evaluating fake websites and emails. Low awareness exposes consumers to counterfeits, phishing attacks, carding and identity theft.
1 – Assess the domain name
Users receive an email with a brand term in the email address and immediately assume the email must be from the legitimate brand owner. However, domain names with brand terms are not necessarily owned by the brand!
Scammers will often register domains with brand terms to conduct phishing attacks. A phishing attack is a form of social engineering to obtain user information. Most brand will own a portfolio of domain names, some will be used for live websites, and some will be held defensively to prevent scammers from registering the domain with illicit intent. However, it is impossible for a brand owner to purchase every conceivable domain name that could cause confusion. Many confusing registered domain names go unnoticed as the domain can be used for emails without having a website attached. Another common tactic is replacing a letter with another letter or number that looks similar.
If an email asks for any sensitive information or has an attachment, the presumption should be the email is a phishing attack, unless proved otherwise. Users should not directly reply with any sensitive information in an email, click any link requiring data to be entered or download any attachments without being 100% sure of the email source. If unsure, finding a customer service phone number directly from the brand owner or conducting a WHOIS lookup on the domain name owner should be considered.
2 – A website with a padlock is safe
Users are advised to only provide payment details or other sensitive information to a website which uses encryption. This is displayed in most browsers with a padlock icon in the address bar. A useful browser extension ‘HTTPS Everywhere’ will ensure that the encrypted version of a website is always selected when available. However, HTTPS encryption does not mean the website is safe. The data sent will be encrypted, preventing interception of the data, but the majority of fake websites also use encryption as a signal of legitimacy. The padlock only signals that the data transmission cannot be intercepted, it does not verify the website as being safe, or provide any information about how the website owner will use the data once received. Obtaining the security certificate which provides the padlock icon is often free with webhosting services, or can be obtained for free by a third party security company.
Users should only provide sensitive data when a website has the padlock icon and is using the HTTPS protocol (as opposed to just HTTP). However, not all HTTPS websites are safe. The padlock icon is not a silver bullet in determining whether a website is selling counterfeits or is a scam. Other factors must be taken into account. The padlock is a pre-requisite, a minimum requirement. Check it off the list and then go on to consider other factors.
3 – Customer reviews
Around 70% of users look at product reviews before purchasing an item online. Reviews are meant to verify the product and seller. Reviews provide a level of assurance that was desperately needed when ecommerce was in its infancy. Platforms including eBay and Amazon relied on customers to provide feedback to other customers. Counterfeit sellers on ecommerce platforms are also aware of this!
On Amazon specifically, there are two main issues with trusting reviews. Firstly, multiple sellers can list against the same product, using Amazon’s ASIN system. Reviewers normally provide a rating based on the product and other factors such as delivery. New niche products with strong reviews are magnets to counterfeiters, who then list against the same product, offering a counterfeit item at a cheaper price to win the Buy Box. The seller which wins the Amazon Buy Box will almost certainly get the customer, as most customers do not check other merchants before purchasing.
The second issue with Amazon reviews is the prevalence of ‘fake reviews’. Acknowledge by Amazon – the company has spent huge sums suing websites offering services which provide fake reviews. The complexity of the system has created a sub-ecosystem of merchants ‘gaming’ the system to attack rival merchants. Merchants purchasing fake reviews for a rival to then report the rival for the behaviour is well-known amongst Amazon sellers.
There are websites dedicated to helping customers analyse reviews – “fakespot.com” is one of the best. Fakespot helpfully provide an extension / addon for Chrome and Firefox browsers, which quickly provides a summary when on supported platforms such as Amazon. Consumers on popular ecommerce platforms should be aware that counterfeits do exist, as do practices to shield the counterfeit activity from detection. Consumers should combine third-party verification of reviews with their own perceptions about the veracity of the reviews.
4 – Live chat and customer service
Fake websites do not provide customer service. This was once true. Fake websites or webstores selling counterfeits did not previously offer customer service options. Traditional customer service meant a telephone number to call – many official webstores no longer offer a customer service telephone number. With the live chat, this method of distinguishing a fake website from a legitimate has gone. Plugins and addons exist for many of the most popular webstore builders, that enable even the most low-cost scammer to have live chat functionality. Some fake websites have simply made an option that appears to be live chat, but when attempting to use operates as a contact form, emailing an admin. This tactic is to give the impression of credibility as most modern websites have a live chat function.
A functioning live chat option does not mean the website can automatically be trusted. The availability of low-cost solutions has enabled scammers and counterfeiters to offer this service. With many counterfeiters utilising customer service as a method to drive sales.
5 – Social media presence
Similar to websites offering live chat functionality, analysing a website’s advertised social media channels was a way to assess a website. Some websites will include a bunch of social media icons, but without them leading to any accounts. Either the icons are share buttons, used to confuse the customer, or are used as decoration to give the website the mask of legitimacy. Any social icons which do not lead directly to a live profile should ring the alarm bells.
However, some counterfeiters have already adapted to this and link directly to official accounts, or official-looking accounts. Many social networks provide a layer of verification for official accounts with a ‘verified icon / tick’. If this is present, contact the account directly and ask whether the website which linked to the account is an official website. Most brands will respond quickly, recognising the power of social media based customer service.
For official-looking accounts, conduct more research. Go through the account, assess the activity and whether it fits with the brand. Many fake accounts avoid detection using stilted content or automation to upload content. Such fake accounts are a lazy attempt to trick the automated detection features employed by all major social networks as part of their content governance strategy. Both will be extremely obvious to any human who takes the time to analyse the account.
Assess All Factors
There is no single factor that can determine whether a website is fake, selling counterfeits or if an email is a phishing scam. Users should be careful with any email or website asking for personal identifying information or payment details. If the veracity of the email or website cannot be determined, take the cautious path and find a more trustworthy source.
