Snippets issue highlights unsafe padlock icons, new scam payment tactics and phony water safety check: Internet Scambusters #853
That padlock icon in your browser address bar that you used to rely on to signal website safety can no longer be trusted -- because crooks are now using them as well.
In this week's Snippets issue, we'll explain what's happened to that once trusted symbol of security.
We also have news about why crooks are now demanding actual cash as payments from victims and a sneaky trick thieves are using to get into your home.
Let's get started...
Scammers Hide Behind Padlock Security Symbol to Trick Victims
Bad news. For years, we've been advising readers to check for a padlock in their browser address bar as a sign of a website's security. But no more.
It seems that advice by itself is no longer reliable. Why? Because crooks have started putting padlocks on their own scam sites.
The same goes for the addition of an "s" in the address prefix, creating "https". Yes, the "s" implies security but crooks can now add that too.
Here's the simple explanation: All the padlock and "https" really mean, and have ever meant, is that any data sent between your computer and a website is encrypted, or scrambled, so it can't be intercepted and read by hackers or other snoops.
That still applies. But, in the past, only legitimate sites used encryption, so it made perfect sense to regard the padlock as a sign of safety.
Encryption was also somewhat complicated and expensive to set up but, as crooks have become more sophisticated and it's become easier to get an encryption certificate, they've adopted the same technology so that when you visit their sites, these too display the padlock and "https".
The result: More than half of all fraudulent sites, which are mainly used for phishing -- stealing a victim's sign-on and financial information -- now show the padlock.
So, although you still want to know your data is being encrypted during transmission, you can no longer be sure you're visiting a legitimate website when you see it.
"The upshot," said a recent report on the tech site cnet.com, "is that there's no one trick to protect you from the dark side of the internet. You have to be savvier than ever to avoid scammers and check for more than one sign that a website is legitimate."
Those signs and checks include:
- Being sure the actual website address is correct, ideally by carefully typing it in yourself rather than clicking on links.
- Keeping your web browser up to date. Most browsers will also try to check that a site is genuine and issue a warning if there's any concern.
- Same goes with keeping your Internet security software up to date. Most of these programs can detect when a site is unsafe.
- Using a password manager, which won't insert your code if it detects a site isn't genuine.
And even though you can't trust that padlock any more, you should never provide confidential information to a site that doesn't have one at all!
Pay in Cash
Another trick that scammers have recently latched onto involves how victims pay them.
Many people now know that it's dangerous to wire cash to someone you don't know because any money you send is untraceable. They also know that legitimate organizations, including government and law enforcement agencies, don't ask for payment by this method.
The same applies to requests for you to pay via gift cards or cash cards that you buy at stores.
So, what option does that leave for the scammers who don't want to be traced? Cash, of course.
They've started using this tactic particularly with grandparent scams and other distress calls, where the crooks claim either to be someone the target knows or to be representing them.
The say they need payment by a specific time and that someone will come to collect the cash. They may even send a legitimate courier company.
Older folk are the main victims, with one quarter of people 70 and older reporting they paid these scammers with hard cash.
We recommend the same rule as for other payment methods: don't give or send cash to someone you don't know.
And if you're told someone you know is in trouble, hang up and call them or their family to find out where they really are.
Infected Water Check
Now, would you trust a guy who shows up at your front door, saying there's a salmonella health alert and he needs to test your water supply? We hope not.
These days we do hear quite a lot about water purity and we've already warned previously about ineffective water test kits and scammers who try to pressure you into installing an overpriced water purification system.
But this latest batch of crooks just want to get into your house to steal. They often turn up in pairs, so one can distract you while the other searches the house for cash and jewelry.
Or if they're alone, they may say they have to go to a different part of the house, like another bathroom. Or they'll even ask you to run water elsewhere in the house.
Here's the thing. Most if not all water companies would never just turn up at your home for a safety check without first arranging an appointment.
And even if they do, they'll likely be in a van with the water company logo, in some kind of uniform and carrying ID. If they're genuine, they should happily wait in their vehicles while you check out their credentials with the water company (using the number you find in the phone book or in a bill, not one they give you).
Otherwise, politely refuse them entry and call the police.
Alert of the Week
Too many emails in your inbox so that it can't take any more? We don't think so -- that's so last century.
So, if you get that message, chances are it's a scam, especially if you're asked to click a link to learn more or unblock it.
If you do, you'll either find yourself on the site of a "pharmacy" peddling drugs or a fake sign-on page for your email service provider.
But if you really do think you have too many emails, sign on separately to your online mail account and delete them from there.
That's it for today -- we hope you enjoy your week!