How to Check If a Website Is Safe to Buy From (And Prove Yours Is)
1 Star2 Stars3 Stars4 Stars5 Stars (3 votes, average: 5.00 out of 5)
Loading...

How to Check If a Website Is Safe to Buy From (And Prove Yours Is)

Looking to make a purchase online? Want prospective customers to feel confident making purchases on your website? We’ll walk through how to know if a website is safe (and what you can do to help your customers verify that your site is legit).

As of Q2 2020, HelpNet Security reported that more than 18,000 fake websites, on average, were being created daily. Based on that calculation, it means an average of at least 6.57 million fraudulent websites were produced annually. This means your employees need to know how to check if a website is safe to buy from so your company doesn’t get scammed by a fake vendor.

Now, put yourself in your prospective customers’ shoes. They’re trying to figure out whether to do business with your company. There are several questions they may ask about your website:

    • Is this site legit?

    • Is this site safe?

    • If a website has a lock, is it safe?

    • Is this website secure?

Let’s explore what constitutes a “safe” site from a user’s perspective and how to tell if a website is safe to buy from. We’ll also talk about what website admins can do to help prove to visitors that their websites are safe and legit.

Let’s hash it out.

Is This Site Safe? What a Safe Website Entails

When it comes to gauging the safety of a website, there are certain things that users should look out for. Historically, we’d point people to check for the security padlock icon in the browser. (For decades, this icon has served as a way to communicate that a website is secure). However, as we recently shared in another blog post, the secure padlock icon in Chrome will go the way of the Dodo bird with the launch of Chrome version 117 (sometime around September 2023). Why? Because people were misconstruing a secure website for one that was safe. But as we’ll discuss a little later, these terms aren’t synonymous.

When websites use the HTTPS protocol, it means that the website is using encryption to secure the data that transmits between the client and the server. Basically, the website visitor’s browser encrypts the data using an encryption key and the recipient server decrypts it using a decryption key. This is made possible using an SSL/TLS certificate.

So, instead of the secure padlock icon, you’ll instead see a “tune” icon that looks like this:

An example of how the tune icon replacement for the padlock icon will look in Chrome. Original image from Chromium.org that was updated to include information from TheSSLstore.com for this example.
Image caption: A graphic that illustrates how the new tune icon will look in the web address bar in Google Chrome version 117.

But simply stating that a website is secure doesn’t give you the complete picture when it comes to telling whether a website is safe

Why You Must Look Beyond the Padlock

But just because something is encrypted doesn’t automatically mean it’s safe. This is one of the two big reasons why the Google Chrome Security Team says they’ve decided to get rid of the security padlock altogether:

    1. HTTPS should be the default protocol for every website.

    1. People were conflating the lock icon’s secure meaning as being safe.

Safe and Secure Aren’t Synonymous (Safe ≠ Secure)

While there are plenty of words we like to use interchangeably within the industry, secure and safe shouldn’t be two of them. Why? Because even though they sound like they’re the same thing on the surface, the truth is that they’re not.

A secure website means that the website uses an encrypted connection to protect data from interception attacks. These types of attacks occur when an attacker (i.e., a man in the middle) tries to get between two communicating parties to read, modify or steal their data while it’s in transit.  

A safe website, on the other hand, entails that you not only use a secure connection to transmit and receive data, but you know who the party is on the other end of the connection that will receive your sensitive data.

A secure website, without verifiable identity, gives a false sense of security. Even if you use the best encryption algorithm, it won’t do you any good if the person on the other end (i.e., the one with the decryption key) isn’t trustworthy.

For Users: How to Check If a Website Is Safe to Buy From

Now that we know the difference between safe and secure, it’s time to quickly explore some of the ways to check a website’s authenticity and security.

1. Check the Website Domain and URL

If you want to buy something from a website, running the website’s domain or any specific URLs through a website scanner before clicking on it is always a good idea. This practice can help you avoid your computer or mobile device getting infected with malware.

For example, enter a website’s URL into VirusTotal.com’s URL checker tool to see if it shows any worrisome results. For example, we used maliciouswebsitetest.com as an example:

how to check if a website is safe graphic: A screenshot of the VirusTotal.com search results for the test website "http://maliciouswebsitetest.com."
Image caption: A screenshot we captured on VirusTotal.com of testing a malicious website using its URL checker tool.

If you receive a link containing a shortened URL (e.g., bit.ly, tinyurl, goo.gl, etc.), you can use a URL expander tool as well to parse short URLs into their full versions. For example, we took the shortened URL https://bit.ly/3ME9e3D and expanded it to read https://thesslstore.com/blog.  

A screenshot of a short URL being converted or expanded to the full URL
Image caption A screenshot captured using CheckShortURL.com’s website URL expander tool.

2. Check the SSL/TLS Certificate to Verify the Website’s Digital Identity

It’s now more important than ever for consumers and employees alike to evaluate the digital identity of a website and the organization that owns it. Why? Because if you don’t know who you’re connecting to, you could find yourself the victim of identity theft, fraudulent purchases, or a more significant data breach.

Once you’re on a website, you can check the site’s SSL/TLS certificate information. When using an organization validation (OV) or extended validation (EV) certificate, your organization’s validated digital identity becomes tied to the domain. For example, TheSSLstore.com’s website security certificate shows our Common Name (CN), organization name (O), location (L), State (S), and other information:

how to tell if a website is safe to buy from graphic: Information from the Senate.gov website's SSL/TLS certificate. It shows that Senate.gov is the common name for the U.S. Senate (organization information) that's located in Washington (location) in the District of Columbia, US
Image caption: A side-by-side screenshot that shows the SSL/TLS certificate information for the U.S. Senate’s official website (Senate.gov).

Don’t see any information that looks like this? It likely means that the website is using a domain validation (DV) certificate. This means that the certificate authority (CA) that issued it only verified that the certificate requestor has control of the domain; it didn’t do any digging or additional digital identity verification of the company itself.

It’s not uncommon for legitimate businesses to use DV certificates. Not every website needs a higher level of validation (e.g., informational websites that don’t collect sensitive data). But it’s important to note that these minimum validation certificates are also commonly used by cybercriminals because they’re free (or can be purchased at low costs) and don’t require business validation. In fact, PhishLabs’ analysis of phishing websites in Q1 2021 showed that more than 94% of phishing websites used domain validated (DV) SSL/TLS certificates.

3. Think Critically and Carefully Evaluate What You’re Seeing

Now that you’ve run through these first checks, the next step is to look at the website’s contents with a critical eye. Read the content, review the products and prices, and ask yourself: does it add up?

    • Does the website look professional? Most phishing websites contain lots of spelling and grammatical errors. In some cases, they may even contain extremely vague copy, filler text (lorem ipsum), and a bunch of stock images. Evaluate the content to see if anything feels “off.”

    • Are the website’s offers too good to be true? If you know that an authentic product is going to cost several hundred dollars (or thousands of dollars) but you see this website is selling it for significantly less, that’s a major red flag. Phishing websites are notorious for listing fake offers for products or services to entice people into sharing their personal and financial details through a phony purchase. It’s best to be skeptical and err on the side of caution.

    • What are you being asked to do or share? Evaluate the website’s purpose or what it’s attempting to get you to do. Ask yourself whether the information being requested is appropriate to the situation. For example, if you’re buying a new smartphone, there’s no reason it should be asking for information about where you went to high school or your mother’s maiden name. These types of information are used as security prompt responses, indicating that whoever controls the website may be phishing for information.

4. Read Reviews and News About the Company

Another great way to tell if a website is safe is to read the reviews left by others. Of course, this isn’t foolproof, as bad guys can post fake reviews online or hire people to do it for them. But it’s still an extra verification method because someone who gets scammed will inevitably post negative reviews on sites like Yelp, Trustpilot, Consumer Reports, Angie’s List, and others.

You also can check websites like the Better Business Bureau (BBB) to see if any complaints have been lodged against the website or company in the past few years.

5. Check the Company’s Info Against Official Databases and Resources

Still not enough? You can take things even further and check the legitimacy of the domain’s owner. In the U.S., you can do this by checking the records of the state that the company claims to be registered in. For example, we can search the state of Utah’s Division of Corporations and Commercial Code database for information on the certificate authority DigiCert, Inc.:  

A screenshot of the state of Utah's Division of Corporations and Commercial Code website. It shows the registered company information for DigiCert, Inc.
Image caption: A screenshot of DigiCert, Inc.’s registered company information that’s available through Utah’s state government website.

For more information on how to determine if a website is fake or a scam, check out our other related resource.

For Website Admins: How to Show Your Website Is Legitimate (and Safe to Buy From)

Now, it’s time to flip the script and look at things from the perspective of website owners and administrators. If you’re looking for ways to make your website more authentic, then the best way to achieve that is through digital trust.

Digital trust is the foundation of internet security, and it’s primarily founded upon public key infrastructure (PKI). This includes everything from the standards, processes, CAs, digital certificates, and cryptographic keys that comprise the PKI ecosystem. But why is establishing digital trust vital? Consider the following.

Baymard Institute’s research shows that the average online shopping cart abandonment rate in 2023 is 69.99%. Now, consider that Baymard’s other research shows that 18% of consumers will abandon their cart during checkout if they don’t trust the website with their credit card information. This means that nearly one in five customers will walk away if they don’t feel safe using your website.

So, how can you put digital trust to use to prove your website’s authenticity, security, and safety?

1. Add HTTPS to Your Website (I.e., Install an SSL/TLS Certificate)

The first step you can take is to buy and install a business validation SSL/TLS certificate on your web server. This will ensure that the connection between your website and the visitor’s web client is secure and encrypted. This way, the sensitive data is protected against interception attacks and compromise while in transit.

Enabling HTTPS also brings your organization one step closer to compliance with industry security and data privacy standards and regulations. This includes regulations like:

    • General Data Protection Regulation (GDPR) for organizations that collect personally identifiable information (PII) relating to people located within the European Union, and

Although the encryption is the same regardless of which type of SSL/TLS certificate you use, there is a difference in the level of digital identity a certificate can provide. For example, a DV certificate offers the minimum level of validation (and identity assurance), whereas OV or EV certificates offer higher levels of validation.

For companies that collect any sensitive data, it’s crucial that you should have an OV certificate as a minimum. If your company handles highly sensitive data (i.e., financial information, intellectual property, medical or insurance-related information), then you’d be best served using an EV certificate. Using an EV certificate shows you’ve undergone the most stringent validation checks, so users can feel more confident doing business with your website. 

2. Add a Smart Site Seal to Provide Another Layer of Digital Identity Verification

When you purchase an SSL/TLS certificate from major brands like DigiCert and Sectigo, then you also get something known as a site seal. This is a visual security mark that goes on your website and helps garner greater levels of trust with your customers. They typically fall within one of two categories.

    • A basic site seal is, traditionally, a static graphic that can’t be clicked on or interacted with. Using one of these small images is the most basic way to offer assurance that your website is encrypted and safe.

A screenshot of four traditional smart seals.
Image caption: Several examples of traditional website security site seals.

    • A premium site seal, on the other hand, is a dynamic element that offers greater assurance of security. For example, DigiCert’s Secured Smart Seal integrates animation and certificate data within the seal. It’s clickable, so users can engage with it to display current information about the certificate and the organization that it was issued to. This makes it harder to fake.

https://www.youtube.com/watch?v=XheF4VMgeJs

Here’s a screenshot of the verified information that displays when you click on TheSSLstore.com’s DigiCert Secured Smart Seal:

how to check if a website is safe to buy from graphic: An example screenshot that shows the verified organizational information that displays on websites using a DigiCert Secured Smart Seal.
Image caption: A example of the types of verified information that displays when you engage with DigiCert’s Secured smart seal.

3. Secure Similar Domains to Protect Your Brand and Reputation

Although it doesn’t directly help you prove your website is safe to buy from, securing domains related to your company’s name can help you avoid issues down the road relating to domain spoofing attacks. You can purchase these look-alike domains, enable HTTPS on them, and set them to redirect to your company’s real website.

Why bother going to all this trouble? Cybercriminals will often buy look-alike domains to impersonate your brand and trick customers into believing they’re your legitimate website. Purchasing and securing those domains before bad guys do means bad guys have one less way to try to target your customers and tarnish your good name.  

Final Thoughts on Knowing (or Proving) a Website Is Safe to Buy From

It’s now more important than ever to ensure that you use secure, safe websites. As a user, this means looking for digital identity verifications and carefully evaluating the online stores you buy from to determine if they’re using encrypted connections.

As a website owner, this means providing ways for users to check your website’s authenticity. This involves asserting your digital identity in a verifiable way using trusted third parties. Not only is it generally a best practice to use HTTPS from a trust perspective, but it’s also a compliance requirement.

We hope you’ve found this information useful. As always, if you have additional thoughts you’d like to contribute, be sure to share them in the comments section below.

Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.