
How to Check If a Website Is Safe to Buy From (And Prove Yours Is)

Oct 03, 2023

HelpNet Security reported in Q2 2020 that, on average, more than 18,000 fake websites were being created every day. At that rate, at least 6.57 million fraudulent websites appear each year. Your employees therefore need to know how to check whether a website is safe to buy from, so your company doesn't get scammed by a fake vendor.

Now, put yourself in your prospective customers' shoes. They're trying to decide whether to do business with your company, and there are several questions they may ask about your website:

Does the website look professional?
Are the website's offers too good to be true?
What are you being asked to do or share?

Let's explore what makes a site "safe" from a user's perspective and how to tell if a website is safe to buy from. We'll also cover what website admins can do to prove to visitors that their websites are safe and legitimate.

Let's hash it out.

When it comes to gauging the safety of a website, there are certain things users should look for. Historically, we'd point people to the padlock icon in the browser's address bar. (For decades, this icon has signaled that the connection to a website is encrypted.) However, as we shared in another blog post, the padlock icon in Chrome goes the way of the Dodo with the release of Chrome version 117 (around September 2023). Why? Because people were mistaking a secure website for a safe one, and as we'll discuss a little later, these terms aren't synonymous.

When a website uses the HTTPS protocol, the data that travels between the client and the server is encrypted. During the TLS handshake, the visitor's browser first checks the server's SSL/TLS certificate to confirm it is talking to the domain it intended to reach; the two sides then agree on a session key that encrypts traffic in both directions. The certificate is what makes that identity check, and therefore the encrypted session, possible.

So, instead of the padlock icon, you'll see a "tune" icon that looks like this:

But simply stating that a website is secure doesn't give you the complete picture when it comes to telling whether a website is safe.

Encryption on its own doesn't make a site safe, and that is one of the two main reasons the Google Chrome Security Team gave for removing the padlock altogether.

While there are plenty of words we use interchangeably within the industry, secure and safe shouldn't be two of them. They sound alike on the surface, but they aren't the same thing.

A secure website uses an encrypted connection to protect data from interception attacks, in which an attacker (a man in the middle) gets between two communicating parties to read, modify or steal their data while it's in transit.

A safe website, on the other hand, not only uses a secure connection to transmit and receive data; you also know who is on the other end of that connection and will receive your sensitive data.

A secure website without verifiable identity gives a false sense of security. Even the best encryption algorithm does you no good if the party on the other end (the one holding the decryption key) isn't trustworthy.

Now that we know the difference between safe and secure, it's time to quickly explore some of the ways to check a website's authenticity and security.

If you want to buy something from a website, run the domain or the specific URL through a website scanner before clicking on it. This can help you avoid infecting your computer or mobile device with malware.

For example, enter the URL into VirusTotal.com's URL checker to see whether it reports anything worrisome. Here, we used maliciouswebsitetest.com as an example:

If you receive a link containing a shortened URL (e.g., bit.ly, tinyurl, goo.gl), you can use a URL expander tool to resolve it to its full version before you visit it, since a short link hides its destination until you click. For example, we expanded the shortened URL https://bit.ly/3ME9e3D and it resolved to https://thesslstore.com/blog.
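A URL expander is easy to build yourself, and doing so shows why the expander approach matters: each redirect hop is revealed, including any tracking or attacker-controlled host that sits between the short link and the landing page. The following Go program is an added example written for this article, not code from The SSL Store or from any URL-expander service. It disables the HTTP client's automatic redirect following, walks the chain one hop at a time with a hop limit, and never reads a response body. The "shortener" it expands is a local test server constructed inline (not a real bit.ly link), so the program runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// maxHops bounds how many redirects we follow. A short link that bounces
// through several hosts before landing is itself worth a second look.
const maxHops = 5

// ExpandShortURL follows redirects one hop at a time and returns every URL
// in the chain, from the short link to the final destination. Automatic
// redirect following is switched off so no intermediate host stays hidden,
// and response bodies are closed unread.
func ExpandShortURL(client *http.Client, short string) ([]string, error) {
	c := *client // shallow copy so the caller's client keeps its settings
	c.CheckRedirect = func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	}
	chain := []string{short}
	current := short
	for hop := 0; hop < maxHops; hop++ {
		resp, err := c.Get(current)
		if err != nil {
			return chain, err
		}
		resp.Body.Close()
		if resp.StatusCode < 300 || resp.StatusCode > 399 {
			return chain, nil // not a redirect, so this is the destination
		}
		loc := resp.Header.Get("Location")
		if loc == "" {
			return chain, errors.New("redirect without a Location header")
		}
		base, err := url.Parse(current)
		if err != nil {
			return chain, err
		}
		next, err := base.Parse(loc) // resolves relative Location values
		if err != nil {
			return chain, err
		}
		current = next.String()
		chain = append(chain, current)
	}
	return chain, fmt.Errorf("gave up after %d redirects", maxHops)
}

// DemoChain stands up a local server imitating a shortener that bounces
// through a tracking URL (constructed test data, not a real bit.ly link)
// and expands it.
func DemoChain() ([]string, error) {
	mux := http.NewServeMux()
	mux.HandleFunc("/s/abc", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/track?next=final", http.StatusFound)
	})
	mux.HandleFunc("/track", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/final", http.StatusMovedPermanently)
	})
	mux.HandleFunc("/final", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "landing page")
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()
	return ExpandShortURL(srv.Client(), srv.URL+"/s/abc")
}

// DemoLoop expands a link that redirects to itself forever; the hop limit
// turns that into an error instead of a hang.
func DemoLoop() ([]string, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/loop", http.StatusFound)
	}))
	defer srv.Close()
	return ExpandShortURL(srv.Client(), srv.URL+"/loop")
}

func main() {
	chain, err := DemoChain()
	if err != nil {
		fmt.Println("error:", err)
	}
	for i, u := range chain {
		fmt.Printf("hop %d: %s\n", i, u)
	}
	if _, err := DemoLoop(); err != nil {
		fmt.Println("loop:", err)
	}
}
```

Run it and you see three hops for the constructed chain (short link, tracker, landing page) and a hop-limit error for the self-redirecting link. Against a real shortener, point ExpandShortURL at the link with a normal http.Client; every host that appears in the chain is one you should be comfortable visiting.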

It's now more important than ever for consumers and employees alike to evaluate the digital identity of a website and the organization that owns it. Why? Because if you don't know who you're connecting to, you could find yourself the victim of identity theft, fraudulent purchases, or a more significant data breach.

Once you're on a website, you can check the site's SSL/TLS certificate information. With an organization validation (OV) or extended validation (EV) certificate, the organization's validated identity is tied to the domain. For example, TheSSLstore.com's website security certificate shows our common name (CN), organization name (O), locality (L), state or province (ST), and other information:

Don't see any information like this? The website is probably using a domain validation (DV) certificate. This means the certificate authority (CA) that issued it verified only that the requestor controls the domain; it did no further verification of the company itself.

It's not uncommon for legitimate businesses to use DV certificates. Not every website needs a higher level of validation (e.g., informational websites that don't collect sensitive data). But these minimum-validation certificates are also commonly used by cybercriminals because they're free (or cheap) and don't require business validation. In fact, PhishLabs' analysis of phishing websites in Q1 2021 showed that more than 94% of them used domain validated (DV) SSL/TLS certificates. So a DV certificate isn't proof of fraud, but it also tells you nothing about who is behind the site.
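The DV/OV/EV distinction above comes down to what the certificate's subject and policy fields say. The following Go program is an added example written for this article, not code from The SSL Store or any CA. It classifies a parsed leaf certificate: a subject with no organization is treated as DV, one that names an organization as OV, and one that also asserts the CA/Browser Forum EV policy OID (2.23.140.1.1) as EV. Because a real site's certificate chains to a public CA and cannot be fetched offline, the program builds three self-signed certificates with constructed subjects ("shop.example", "Example Retail LLC", Austin, Texas) purely as test data; the classification logic is the same one you would run on a certificate exported from the browser.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CA/Browser Forum policy OID for EV certificates, and the OID of the
// certificatePolicies extension that carries it.
var (
	oidEVPolicy            = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
)

// Identity is what a visitor can learn about the holder from the subject.
type Identity struct {
	CommonName, Organization, Locality, State, Country string
	Level                                              string // "DV", "OV" or "EV"
}

// Classify reads the subject and policy OIDs of a parsed leaf certificate.
// DV: no organisation in the subject. OV: the subject names an organisation.
// EV: the EV policy OID is asserted as well. Any CA can put a name in a
// subject, so this only means something when the chain leads to a root the
// browser trusts.
func Classify(cert *x509.Certificate) Identity {
	id := Identity{
		CommonName:   cert.Subject.CommonName,
		Organization: strings.Join(cert.Subject.Organization, ", "),
		Locality:     strings.Join(cert.Subject.Locality, ", "),
		State:        strings.Join(cert.Subject.Province, ", "),
		Country:      strings.Join(cert.Subject.Country, ", "),
		Level:        "DV",
	}
	if id.Organization != "" {
		id.Level = "OV"
		for _, oid := range cert.PolicyIdentifiers {
			if oid.Equal(oidEVPolicy) {
				id.Level = "EV"
			}
		}
	}
	return id
}

// makeCert builds a self-signed certificate with the given subject and
// policy OIDs. Constructed test data: a real site's certificate chains to
// a public CA, which is exactly what a self-signed certificate lacks.
func makeCert(subject pkix.Name, policies ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     []string{subject.CommonName},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if len(policies) > 0 {
		// certificatePolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier OID }
		type policyInfo struct{ Policy asn1.ObjectIdentifier }
		var infos []policyInfo
		for _, p := range policies {
			infos = append(infos, policyInfo{p})
		}
		raw, err := asn1.Marshal(infos)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: raw}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo classifies three constructed certificates, one per validation level.
func Demo() ([]Identity, error) {
	dv := pkix.Name{CommonName: "shop.example"}
	ov := pkix.Name{CommonName: "shop.example", Organization: []string{"Example Retail LLC"},
		Locality: []string{"Austin"}, Province: []string{"Texas"}, Country: []string{"US"}}
	cases := []struct {
		name pkix.Name
		pol  []asn1.ObjectIdentifier
	}{{dv, nil}, {ov, nil}, {ov, []asn1.ObjectIdentifier{oidEVPolicy}}}
	var out []Identity
	for _, tc := range cases {
		c, err := makeCert(tc.name, tc.pol...)
		if err != nil {
			return nil, err
		}
		out = append(out, Classify(c))
	}
	return out, nil
}

func main() {
	ids, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, id := range ids {
		fmt.Printf("%s  CN=%s O=%q L=%s ST=%s C=%s\n", id.Level, id.CommonName, id.Organization, id.Locality, id.State, id.Country)
	}
}
```

Only the generic CA/B Forum EV OID is checked here; individual CAs also assert their own EV policy OIDs, so extend the list for production use. The more important caveat is in the Classify comment: a name in the subject is only evidence of identity when the browser has validated the chain to a trusted root, which is exactly what the self-signed test certificates lack.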

Now that you’ve run through these first checks, the next step is to look at the website's contents with a critical eye. Read the content, review the products and prices, and ask yourself: does it add up?

Another useful way to tell if a website is safe is to read the reviews left by others. Of course, this isn't foolproof, as bad guys can post fake reviews or hire people to do it for them. But it's still an extra signal, because people who get scammed tend to post negative reviews on sites like Yelp, Trustpilot, Consumer Reports, Angie's List, and others.

You also can check websites like the Better Business Bureau (BBB) to see if any complaints have been lodged against the website or company in the past few years.

Still not enough? You can take things even further and check the legitimacy of the domain's owner. In the U.S., you can do this by checking the records of the state that the company claims to be registered in. For example, we can search the state of Utah's Division of Corporations and Commercial Code database for information on the certificate authority DigiCert, Inc.:

For more information on how to determine if a website is fake or a scam, check out our other related resource.

Now, it's time to flip the script and look at things from the perspective of website owners and administrators. If you're looking for ways to make your website verifiably authentic, the best way to achieve that is through digital trust.

Digital trust is the foundation of internet security, and it's primarily founded upon public key infrastructure (PKI). This includes everything from the standards, processes, CAs, digital certificates, and cryptographic keys that comprise the PKI ecosystem. But why is establishing digital trust vital? Consider the following.

Baymard Institute's research shows that the average online shopping cart abandonment rate in 2023 is 69.99%. Now, consider that Baymard's other research shows that 18% of consumers will abandon their cart during checkout if they don't trust the website with their credit card information. This means that nearly one in five customers will walk away if they don't feel safe using your website.

So, how can you put digital trust to use to prove your website's authenticity, security, and safety?

The first step you can take is to buy an organization validation (OV) SSL/TLS certificate, install it on your web server, and serve your site over HTTPS. This ensures that the connection between your website and the visitor's browser is encrypted and that your server proves its identity to the browser, so sensitive data is protected against interception and compromise while in transit.
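Installing the certificate is only half of enabling HTTPS; the server also has to be configured so that visitors actually end up on the encrypted site and stay there. The following Go program is an added example written for this article, not The SSL Store's own configuration. It shows three settings a practitioner checks on any HTTPS deployment: a TLS configuration that refuses TLS 1.0 and 1.1 (deprecated by RFC 8996), a Strict-Transport-Security header so returning browsers won't downgrade to plain HTTP, and a plain-HTTP listener that does nothing but redirect to HTTPS. The hostname shop.example is constructed, and the program uses httptest's self-signed certificate so it runs offline; a real server loads its CA-issued certificate with tls.LoadX509KeyPair.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// tlsConfig refuses TLS 1.0 and 1.1 and prefers modern key-exchange curves.
// The certificate is loaded separately on a real server.
func tlsConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// hsts adds Strict-Transport-Security so a returning browser refuses to
// load the site over plain HTTP. Start with a short max-age while rolling
// out and raise it once every subdomain is served over HTTPS.
func hsts(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// redirectToHTTPS answers every plain-HTTP request with a 301 to the same
// host and path on HTTPS, so a visitor who types the bare hostname still
// lands on the encrypted site.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
}

// acceptsTLS11 attempts a TLS 1.1 handshake with addr. InsecureSkipVerify
// is tolerable only because we are probing our own test listener.
func acceptsTLS11(addr string) bool {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS11, InsecureSkipVerify: true,
	})
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// Result records what the demo observed.
type Result struct {
	HSTS          string // header seen on the HTTPS response
	Location      string // where the plain-HTTP request was sent
	OldTLSAllowed bool   // whether the hardened listener accepted TLS 1.1
}

// Demo runs the handlers against local test servers. httptest supplies its
// own self-signed certificate; a real deployment uses the CA-issued one.
func Demo() (Result, error) {
	app := hsts(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "checkout page")
	}))
	srv := httptest.NewUnstartedServer(app)
	srv.TLS = tlsConfig()
	srv.StartTLS()
	defer srv.Close()

	resp, err := srv.Client().Get(srv.URL + "/checkout")
	if err != nil {
		return Result{}, err
	}
	resp.Body.Close()

	// Plain-HTTP side: a constructed request for http://shop.example/cart.
	rec := httptest.NewRecorder()
	redirectToHTTPS(rec, httptest.NewRequest("GET", "http://shop.example/cart?id=7", nil))

	return Result{
		HSTS:          resp.Header.Get("Strict-Transport-Security"),
		Location:      rec.Header().Get("Location"),
		OldTLSAllowed: acceptsTLS11(srv.Listener.Addr().String()),
	}, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("HSTS: %s\nredirect: %s\nTLS 1.1 accepted: %v\n", res.HSTS, res.Location, res.OldTLSAllowed)
}
```

The same three checks apply whatever server you run: confirm the minimum TLS version, confirm the HSTS header is present on HTTPS responses, and confirm that the plain-HTTP port does nothing except redirect.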

Enabling HTTPS also brings your organization one step closer to compliance with industry security and data privacy standards and regulations. This includes regulations like:

Although the encryption is the same regardless of which type of SSL/TLS certificate you use, there is a difference in the level of digital identity a certificate can provide. For example, a DV certificate offers the minimum level of validation (and identity assurance), whereas OV or EV certificates offer higher levels of validation.

For companies that collect any sensitive data, you should have an OV certificate at a minimum. If your company handles highly sensitive data (e.g., financial information, intellectual property, medical or insurance-related information), then you'd be best served by an EV certificate. An EV certificate shows you've undergone the most stringent validation checks, so users can feel more confident doing business with your website.

When you purchase an SSL/TLS certificate from major brands like DigiCert and Sectigo, you also get something known as a site seal. This is a visual trust mark that goes on your website and helps build trust with your customers. Site seals typically fall into one of two categories: a basic site seal or a premium site seal.

Here's a screenshot of the verified information that displays when you click on TheSSLstore.com's DigiCert Secured Smart Seal:

Although it doesn't directly help you prove your website is safe to buy from, registering domains that resemble your company's name can help you avoid domain spoofing problems down the road. You can purchase these look-alike domains, enable HTTPS on them, and redirect them to your company's real website.

Why bother going to all this trouble? Cybercriminals will often buy look-alike domains to impersonate your brand and trick customers into believing they’re your legitimate website. Purchasing and securing those domains before bad guys do means bad guys have one less way to try to target your customers and tarnish your good name.
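Which look-alike domains should you register or monitor? The usual typosquatting patterns are mechanical, so they can be enumerated. The following Go program is an added example written for this article, not a tool from The SSL Store. Given a brand label and TLD it generates candidates by omitting a character, doubling one, swapping two adjacent characters, substituting common homoglyphs (l/1, o/0, m/rn, and so on, a constructed table you can extend) and repeating the label under extra TLDs; the real domain itself is never listed. The example feeds it this blog's own domain, thesslstore.com.

```go
package main

import (
	"fmt"
	"sort"
)

// homoglyphs maps a letter to strings that read the same at a glance.
// Constructed from common typosquatting patterns; extend to taste.
var homoglyphs = map[rune][]string{
	'l': {"1", "i"}, 'i': {"1", "l"}, 'o': {"0"}, 'e': {"3"},
	'a': {"4"}, 's': {"5"}, 'm': {"rn"}, 'w': {"vv"},
}

// LookalikeDomains returns candidate impersonation domains for label.tld:
// one character omitted, one doubled, two adjacent ones swapped, one
// replaced by a homoglyph, and the same label under extra TLDs. The real
// domain is never included. Register (or at least monitor) the result.
func LookalikeDomains(label, tld string, extraTLDs []string) []string {
	seen := map[string]bool{}
	add := func(l, t string) {
		if l != "" {
			seen[l+"."+t] = true
		}
	}
	rs := []rune(label)
	for i := range rs {
		add(string(rs[:i])+string(rs[i+1:]), tld) // omission
		add(string(rs[:i+1])+string(rs[i:]), tld) // doubled character
		if i+1 < len(rs) {                        // transposition
			sw := append([]rune{}, rs...)
			sw[i], sw[i+1] = sw[i+1], sw[i]
			add(string(sw), tld)
		}
		for _, g := range homoglyphs[rs[i]] { // homoglyph substitution
			add(string(rs[:i])+g+string(rs[i+1:]), tld)
		}
	}
	for _, t := range extraTLDs {
		add(label, t)
	}
	delete(seen, label+"."+tld) // never list the genuine domain
	out := make([]string, 0, len(seen))
	for d := range seen {
		out = append(out, d)
	}
	sort.Strings(out)
	return out
}

// Has reports whether domain is in the sorted candidate list.
func Has(list []string, domain string) bool {
	i := sort.SearchStrings(list, domain)
	return i < len(list) && list[i] == domain
}

func main() {
	// Constructed example using this blog's own domain.
	cands := LookalikeDomains("thesslstore", "com", []string{"net", "co", "org"})
	fmt.Printf("%d candidates, e.g.:\n", len(cands))
	for _, d := range cands[:10] {
		fmt.Println(" ", d)
	}
}
```

Feed the output to a WHOIS or registrar lookup: candidates that are unregistered are ones you can buy cheaply now, and candidates that are already registered by someone else are the ones to watch for phishing pages and certificate issuance against your brand.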

It's now more important than ever to insist on websites that are both secure and safe. As a user, this means looking for verified digital identity and carefully evaluating the online stores you buy from, including whether they use encrypted connections.

As a website owner, this means giving users ways to check your website's authenticity by asserting your digital identity in a verifiable way through trusted third parties. Not only is HTTPS a best practice from a trust perspective, but it's also a requirement under many industry compliance standards.

We hope you’ve found this information useful. As always, if you have additional thoughts you’d like to contribute, be sure to share them in the comments section below.
