How do I know if a website is genuine?

Click to enlarge

Sooner or later everyone gets an email saying you have to “verify your account” and warning of the dire consequences if you don’t. These are always a scam.  No-one genuine will ever ask you to verify (or “re-verify”) your account. Sometimes you might have to verify your email address (by click on a link in the email) but you’d never have to verify your account. Here’s a screenshot (left) of a typical “verification” page. It says it’s from Apple, but it’s not.

You’d get to this site by clicking on a link in an email that “Apple” sent you. We’ll look at that in a later post, but for the minute let’s look at the web page.

The first think to notice is the website address at the top:  www.bdic.ca/mardei/itunes/apple/login.php?app/apple-store/

This tells me the website is www.bdic.ca (most web browsers put the website name in bold, as in the screenshot) – this is the website that contains the verification page. This doesn’t seem likeley to be an Apple website (ignore the mentions of “apple”, “itunes” and “apple-store” later on in the website address – these aren’t part of the name of the website. (In fact, www.bdic.ca is a perfectly genuine website that had been hacked to trick it into hosting the duplicitous page. It’s been removed now.) 

The second thing to note is that the connection to this website is not secure. Here’s how to tell. No reputable website would ever ask you to type confidential information over an unsecured link.

But apart from all that, this “verification” just doesn’t happen. You are not verifying anything – you’re not confirming something they already know, you’re telling them things they don’t know. And given that they are not who they are pretending to be, that would be very unwise. If you fill in this form, you’re telling criminals your name, address, date of birth, mobile phone number, credit card details, bank account number and sort code, and you can be sure they will abuse them. Even the security question is designed to elicit useful personal information:

Fake security question

So, get used to checking at the top of your browser what website you are actually on, and find out how to tell if the connection to it is secure.