Categories
Cookies and tracking Web content Website whinging

Trust

Trust in websites is under attack as has been for some time now.  These days it is really very hard to know what website to trust and which to avoid, which produce valid, trustable news stores and which are fake, even which product reviews are valid and which are misleadingly good and may even have been paid for. Fake websites include those that wish, among other things to deprive you of your hard earned cash, or persuade you that voting ‘x’ is what you must do.

A recent win for Microsoft in a private trademark case highlights part of the issue and I have witnessed similar first hand. It transpired that scammers had passed themselves off as Microsoft or Microsoft partners and used various trademarks owned by Microsoft. This was all related to those well known ‘your computer has a virus’ type phonecalls and pop-up adverts. I have worked on cases regarding academic integrity and websites passing off as our own and so this case is interesting to me. However, it serves to highlight just how easy it is to get someone to trust you by throwing up a website which looks identical to a company that you do trust, or at least you know of.

To make matters worse of there are now so many domain variants available that it is very difficult to fully protect one’s brand. Again, I was very active here in the past and I could, for example buy and activate domains similar to those used by people who created websites to pass off as our own. It was not helped one bit when Nominet decided to sell single-letter domains such as ‘a.uk’ where typo-squatting was then made easy, for example mistyping xyz.ac.uk as xyz.a.uk. Some years ago the Ascension Islands opened up their ‘.ac’ domain, again causing confusion where people would register xyz.ac hoping to trap typo’s from xyz.ac.uk. Just how far one goes buying any domains that come close to your own is a very difficult question and can result in large spends.

Encryption, aimed at promoting trust and security does not really help. While it is laudable that one can obtain digital certificates for free, when coupled with domain squatting this can result in trust being placed where it really should not. 

This is not limited to websites. Whoever thought it a good idea to allow people using IP telephony to put their actual phone number into the system on trust was just daft. You can no longer assume that a call comes from the number shown in the caller-ID, and if someone by chance or design fakes their number to be one already in your contacts lists, well, you can see that going badly for the recipient.

So, where are we? Well, anyone can throw up a website, for free or very little cost. Anyone can grab the design of a valid website and repurpose it as their own scammer base. Anyone can buy just about any domain regardless of how close it is to a real company URL, set up email addresses and either wait for hits or advertise the fake website somehow. And this is without doing anything actually half clever like using malware. And it does not stop there. I worked on a case where a website had a valid-looking address in the City of London. Calls to the building management (on office block with lots of various companies) found no such name on record. In the event I was close to retirement and let this one slide, but I can just imagine some mailroom employee diverting any received post to the scammer. My longest running case took seven years but I finally had a foreign-based fake website closed down after radically disrupting their ‘business’.

To answer my ‘where are we?’ question in part all I can say is it has become very hard to trust any information on the web, and that’s a crying shame. The scammers are like a virus – they are killing their host. How we can stop people becoming a victim I do not know. For myself, I begin by trusting nothing and I use my decades of experience to parse what I see and determine whether or not it is valid. Mobile phone calls from numbers not in my contacts are ignored. URLs in SMS message or emails are NEVER clicked. If I can be bothered to I will investigate – obfuscated URLs, those where someone is attempting to be clever by mixing letters to look like something real, or adding to real-looking domains can be easier to read if pasted into a text-editor. Anything that comes from the bank will also appear in their app and so can be checked.

And don’t get me started on cookies!