A big thank you to Dave Raffensperger and Andrew Chi for this series of security tips! I’ll add links at the bottom of each post to the other posts in the series as they’re published. Here’s the second of several tips to keep your digital life secure.
Security tip: Check the web address and lock icon
Phishing is a cyber-attack which tries to trick you into entering your password at a faked login page. Attackers will often set up a website that looks just like your bank’s site, for example, but it is actually run by hackers to steal your password.
So, how can you tell if a site is really your bank’s website or put up by someone faking it? The most important way is to look at the web address (URL) of the site. It should 1) be spelled correctly and 2) use a verified secure connection.
1. Make sure the web address is correct
A mailing address, like “100 Lake Hart Dr., Orlando, FL, USA,” has different parts and a web address, like “https://accounts.google.com/ServiceLogin,” has different parts, too. This chart compares web address parts to a mailing address:
| Web address part | Google Mail login | Meaning |
|---|---|---|
| Protocol, i.e., whether the connection is secured | https:// | “https://” means “HTTP Secure”; blank or just plain “http://” means a non-secured web connection |
| Subdomain (think city) | accounts. | The “accounts” part of the “Google” site |
| Domain (think state) | google. | The main site name. The entity that controls “Google.com,” for example, also controls all subdomains like “calendar.google.com,” etc. |
| Top-level domain (think country) | .com | The ending for website domains can be “.com” (commercial), “.org” (organization) or something for a country like “.de” (Deutschland, i.e. Germany). |
| Web page (think street address) | /ServiceLogin | This tells you the page of the website you’re visiting. |
Attackers will exploit people’s confusion about these different parts to make fraudulent sites look real. To see a harmless example of this difference in addresses, go to both calendar.google.com (the official calendar application from Google) and google.calendar.com (the “google” part of calendar.com).
Here’s an example of what a fraudulent website could look like that’s trying to capture your Google login and password. It would look exactly like a Google login site, except that the web address is actually part of “example.com,” not part of “Google.com.” You shouldn’t trust this site because it doesn’t really come from Google; in this hypothetical case, the people at “example.com” could steal your password.
Basically, it’s important to check that the web address (domain) is correct, like “cru.org” or “Google.com” before you enter your password.
2. Make sure the website uses a secure connection
Going back to the parts of a web address, the first part, “https://,” means “HTTP Secure,” in contrast with regular “http://.” For regular, non-secured websites, the “http://” does not show in the web address bar, and it means the data is not encrypted when it travels between you and the site. This is normal for sites with no passwords and/or financial transactions.
You can tell a website is using a secure connection because the browser will show a lock icon next to the web address. Here’s an example in Chrome of the Google Login screen with the lock icon.
On Safari on an iPad, the “https://” is left out, but you know it’s a secure connection because of the lock icon next to the web address.
You should only enter your password in a web page that uses a secure connection, because someone on the network could intercept your password if the login page uses only “http://” in the URL.
In addition, if your browser can’t verify the secure connection, don’t enter your password. Your web browser relies on trusted certificate authorities (security companies that vouch for websites) to verify each secure website that you visit. Your browser will warn you if the verification of the website failed.
Here’s what that looks like in Chrome when a site’s secure connection doesn’t check out.
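The two checks from this post, the domain check from section 1 and the https check from section 2, can be written down as a small program. This is an added example, not code from the original post; the split into subdomain, domain and top-level domain assumes the top-level domain is a single label, which is a simplification (real browsers consult the Public Suffix List so that endings like “.co.uk” are handled correctly).

```python
from urllib.parse import urlsplit


def split_address(url: str) -> dict:
    """Break a web address into the parts named in the chart above.

    Assumption (simplification): the top-level domain is the last
    dot-separated label, so 'accounts.google.com' gives tld 'com',
    domain 'google' and subdomain 'accounts'.
    """
    # A bare address typed without a protocol is treated as plain http.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a full host name: {host!r}")
    return {
        "protocol": parts.scheme,
        "secure": parts.scheme == "https",
        "subdomain": ".".join(labels[:-2]),
        "domain": labels[-2],
        "tld": labels[-1],
        # domain + tld is the part that decides who controls the site
        "site": ".".join(labels[-2:]),
        "page": parts.path or "/",
    }


def safe_to_enter_password(url: str, expected_site: str) -> tuple:
    """Return (ok, reason): the site must be the one you expect and the
    connection must be https, the two rules the post gives."""
    a = split_address(url)
    if a["site"] != expected_site.lower():
        return False, f"address belongs to {a['site']!r}, not {expected_site!r}"
    if not a["secure"]:
        return False, "connection is plain http, not https"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample addresses, including the post's calendar.com example
    # and a hypothetical lookalike hosted under example.com.
    for candidate in ("https://accounts.google.com/ServiceLogin",
                      "https://google.calendar.com/",
                      "https://google.com.example.com/ServiceLogin",
                      "http://accounts.google.com/ServiceLogin"):
        print(candidate, "->", safe_to_enter_password(candidate, "google.com"))
```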
Here’s what that warning looks like in Safari on an iPad:
Don’t enter your password if your web browser gives a warning that the site’s secure connection can’t be verified.
Dave Raffensperger is on Cru staff in Boston. He and his wife, Erin, are brand-new parents to a sweet little girl. Congratulations, Dave and Erin!
Andrew Chi is a Ph.D. candidate in Computer Science at UNC-Chapel Hill.
NOTES: The Security Series:
- Use a Password Manager
- Check the Web Address and Lock Icon
- Use Two-Step Authentication
- Beware What Programs You Install