[ETERNAL VIGILANCE] Is it Safe to Click?
Your mouse hovers over a link... your finger is poised to click… but you stop to think. Is there danger lurking behind that click? Do you know how to tell right away if a website (or link) is going to lead you into a world of hurt? A single click can lead to an unwanted download, a malware infection, stolen login credentials, ransomware, or identity theft. Here are some practical tips and tools you can use to click smarter…
How To Tell If a Link or Website May Be Dangerous
The quotation “Eternal vigilance is the price of liberty,” dates back to the late 1790s. And though there is some argument over who said it first, it’s a particularly relevant dictum in this Internet Age. The human race has never enjoyed more liberty of ideas, communication, and personal action than we have since the World-Wide Web emerged as The Great Enabler.
But the need for constant vigilance against danger on the Web is also at an all-time high. Every click of a link has the potential to deliver a malware or ransomware infection, silently and instantly. Every new site that we visit stands a good chance of being a trap whose jaws can close on us so subtly we don’t notice until we’re swallowed.
Even sites we have visited a thousand times and know well can be mimicked with frightening accuracy by the bad guys. (See Here's Why Phishing is Getting Worse.) Eternal vigilance is, indeed, the price we must pay for the vast liberty the Web gives us.
We cannot rely on other people to keep us safe out there on the Web. Software alone cannot outwit the evil but highly intelligent and adaptable people who wish to do us harm. So-called “reputation services” such as Web of Trust are not much use, especially against brand-new rogue sites that have no reputation yet. The labels and reviews that WoT members assign to sites are often polluted by personal vendettas, branding good sites as bad; worse, the bad guys brand each other’s sites as “good.”
Chrome, Firefox, Edge, and Safari web browsers have anti-phishing and anti-malware capabilities, meant to protect users from clicking malicious links. But there's no guarantee those filters are perfect, or 100% up to date.
Even the software that’s supposed to sniff out potentially malicious websites can suffer from false positives, branding legitimate ones as harmful. This happened to me recently, when McAfee slapped AskBobRankin.com with “suspicious content”, “potentially unwanted programs”, and “malicious website” labels that blocked their users from visiting. It took three weeks and 14 emails with McAfee support to convince them otherwise. I had to show them evidence that 79 other link checkers, and every other major security vendor showed my site as safe and malware-free. (See I'm Positive... It's a False Positive! for that story.)
Telltale Signs A Site May Be Dangerous
Nobody looks out for you as well as you can. So here is what to look out for, when you encounter a suspicious link, an unknown website, or a familiar one that just doesn’t seem right.
Raise your shields immediately if a website asks you to do something that seems unnecessary or out of the ordinary. You shouldn’t have to install a browser plug-in in order to view a site’s content. Registration of a username and password should never require a credit card, even if the site swears the card won’t be charged. A game or survey that asks where you bank, where you live, who your family members are, your pet’s name, and other questions you would find impertinent from a stranger should set your alarms ringing. (Those are common ways for scammers to get the answers to your security questions.)
If you see a message asking you to login and verify your account credentials (login, password, account number or social security number) be extra wary. Your bank or financial institution should never ask you for that information by email.
Unexpected email from strangers should always be approached cautiously. So should email that seems to be from someone you know (or a company you do business with) if it is “out of character” in timing, topic, or tone. If anything seems “off” about an email, put down that mouse and back away slowly.
Do not click on any links in a suspicious email. Instead, hover your cursor over the link and right-click to reveal a drop-down menu. Select the option to “copy link address” without opening the Web page to which it links. Then go check out that URL (web page address).
Look Before You Leap Think Before You Click
The Google Transparency Report is a great place to start, because it reports on websites, and not just individual pages. The Zulu URL Risk Analyzer is a good tool to examine a specific web site. Just paste the suspect URL into the Analyzer’s input box and it will scan the target site for malicious content.
Virus Total scans a site (or a download) using multiple antivirus engines. If the site or file has been scanned before and deemed malicious, Virus Total will warn you. Remember above when I said that I was able to provide 79 reasons why McAfee should unblock my site? VirusTotal checks dozens of sources to see if any have reported unsafe content. You can check a website, or upload a file of your own to be scanned.
If a URL has been shortened, it must be fully expanded before it can be scanned by Virus Total or another URL-checker. You don’t want to expand a shortened URL by actually fetching its target Web address; that could infect you with malware. Instead, copy the shortened URL to your clipboard and paste it into the form at Unshorten.it. The expanded URL will appear below the shortened one, and you can copy the latter to any place you wish.
Note: When using a smartphone, you can't place the mouse cursor over a link as you can on a desktop. Instead, press and hold the link, and you'll get a popup which allows you to view, copy, or share the link address without opening it.
A “secure connection” is vital when exchanging sensitive information, such a credit card details, with any site. Look at your browser’s address bar for the “https://” protocol symbol. The “s” in it means the current connection is secured with encryption so only you and the server to which you are connected can read the information exchanged. Your browser should warn you if a web server does not have a valid “digital certificate” to make secured connections. The certificate may - or may not - also authenticate the identity of the server and/or its owners.
Digital certificates are sold by “certificate authorities,” such as Verisign or Comodo. To create differentiated products and make more profit, certificate authorities sell different levels of certificates. A basic certificate secures an https connection, but provides no assurances about the server or the people who own it. A more expensive one may indicate that the certificate authority has verified the legitimacy of the server. The most expensive “extended validation certificates” deliver the authority’s assurance that it has thoroughly verified the business or people who own the server, too; that is the most trustworthy certificate. See Comodo’s explanation of the different types of digital certificates. When you understand them, you will be able to tell what level of trustworthiness a certificate offers.
What has been your experience with suspicious websites, emails, etc. How do you protect yourself? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 20 Jul 2021
|For Fun: Buy Bob a Snickers.|
This is How Spammers Get Your Email Address
The Top Twenty
Geekly Update - 22 July 2021
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- [ETERNAL VIGILANCE] Is it Safe to Click? (Posted: 20 Jul 2021)
Copyright © 2005 - Bob Rankin - All Rights Reserved