Up to a quarter of major European banks are not providing best-practice phishing protection to their customers, according to a survey from Sectigo, a cyber security analyst firm.
The firm looked at banking websites and rated them on the SSL certificates issued to them by a Certificate Authority (CA), which confirm that a website is authentic and legitimate.
- Each bank’s website was rated according to the type of certificate used to secure the home and login pages for the bank’s online banking service.
- Full marks were awarded for the presence of Extended Validation (EV) SSL certificates and the maximum level of identity verification on the home and login pages.
- Websites without an EV certificate on the home and/or login pages received a lesser rating.
An Extended Validation (EV) certificate is a certificate used for HTTPS websites and software that proves the organisation providing the site or software is who it claims to be.
In Europe, 25% of banks did not receive the highest rating, but thankfully there wasn’t a single bank that warranted a ‘not secure’ status.
What does this mean in practice?
Cyber criminals often create counterfeit websites to trick people into unknowingly providing valuable information such as account logins, credit card numbers and personally identifiable information that can be used for identity theft.
- A website using an EV SSL Certificate displays security indicators directly in the browser address bar, such as a padlock, HTTPS, and the verified company name and country.
- A website that doesn’t display these signs suggests either a counterfeit website or, as the Sectigo survey shows, a bank that isn’t paying full attention to its online presence.
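As an added example (not part of the article and not Sectigo's rating method), the script below shows how the validation level behind a padlock can be checked programmatically rather than by eye, using only Python's standard `ssl` module. It classifies a certificate as DV, OV or EV from its subject attributes, applies the survey's rule that full marks need EV on both the home and login pages, and flags expiry. It assumes the EV subject fields defined by the CA/Browser Forum EV guidelines (businessCategory, jurisdictionCountryName, serialNumber, organizationName, countryName) and that OpenSSL reports them under those long names; the sample certificate dictionaries are constructed, and `fetch_cert` is a hypothetical helper that is the only part touching the network.

```python
import socket
import ssl

# Subject attributes an EV certificate must carry (CA/Browser Forum EV guidelines),
# spelled as OpenSSL's long names, which is how ssl.getpeercert() reports them.
# Assumption: presence of all of these is treated as "EV"; the authoritative
# signal is the CA's EV policy OID, which getpeercert() does not expose.
EV_REQUIRED = {
    "businessCategory",
    "jurisdictionCountryName",
    "serialNumber",
    "organizationName",
    "countryName",
}


def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into {attribute: value}."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields[name] = value
    return fields


def validation_level(cert):
    """Classify a getpeercert() dict as EV, OV (organisation present) or DV."""
    fields = subject_fields(cert)
    if EV_REQUIRED.issubset(fields):
        return "EV"
    if "organizationName" in fields:
        return "OV"
    return "DV"


def is_expired(cert, now):
    """True if the certificate's notAfter is earlier than `now` (epoch seconds)."""
    return ssl.cert_time_to_seconds(cert["notAfter"]) < now


def rate_site(home_cert, login_cert, now):
    """Apply the survey's rule: full marks only if both pages use an unexpired EV cert."""
    pages = (home_cert, login_cert)
    if any(is_expired(c, now) for c in pages):
        return "expired certificate"
    if all(validation_level(c) == "EV" for c in pages):
        return "full marks"
    return "lesser rating"


def fetch_cert(host, port=443, timeout=5):
    """Hypothetical helper: fetch the live certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape (not real banks).
EV_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "GB"),),
        (("serialNumber", "00000000"),),
        (("countryName", "GB"),),
        (("organizationName", "Example Bank plc"),),
        (("commonName", "www.example-bank.test"),),
    ),
    "subjectAltName": (("DNS", "www.example-bank.test"),),
    "notAfter": "Jun 30 23:59:59 2035 GMT",
}
OV_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationName", "Example Bank plc"),),
        (("commonName", "login.example-bank.test"),),
    ),
    "notAfter": "Jun 30 23:59:59 2035 GMT",
}
DV_CERT = {
    "subject": ((("commonName", "example-bank-login.test"),),),
    "notAfter": "Jun 30 23:59:59 2035 GMT",
}
EXPIRED_CERT = dict(EV_CERT, notAfter="Jan 15 00:00:00 2020 GMT")

# Fixed "now" (November 2023) so results do not depend on the clock.
NOW = 1_700_000_000

if __name__ == "__main__":
    for name, cert in (("EV", EV_CERT), ("OV", OV_CERT), ("DV", DV_CERT)):
        print(name, "->", validation_level(cert))
    print("home=EV, login=DV ->", rate_site(EV_CERT, DV_CERT, NOW))
```

The DV sample illustrates the point in the list above: a certificate that produces a padlock but names no organisation at all, which is what a counterfeit login page typically presents.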
Given the widespread use of phishing campaigns and counterfeit web pages it’s recommended that you check the following points when logging onto a site in which you might make a payment or enter sensitive data:
- Look for the full company name at the left of the address bar to ensure the site is legitimate.
- Don’t enter credit card numbers, personal information, logins, or other sensitive data on any web page that is not secured with a certificate, that is, one that does not display a padlock in the browser bar.
- Avoid clicking on links in emails that you weren’t expecting and which attempt to get you to enter personal information. These are typically phishing emails.