Fraudster-created sites, impersonating Apple’s iTunes, Halifax and Natwest, have been falsely issued security certificates to dupe users into handing over their details
Fraudsters are increasingly using fake authentication certificates to trick web users into visiting banking sites used in phishing attacks, according to a new report.
Secure Sockets Layer (SSL) certificates are data files which independently verify secure connections between a web server and a browser, and are typically used in sites dealing with sensitive traffic such as financial transactions. Their presence is indicated by a padlock icon in front of the site’s URL, designed to reassure the user that their passwords and other data are being protected.
Fraudulent sites impersonating banks including Natwest and Halifax have been wrongly issued the authentication certificates, which can give users false confidence when inputting their details, internet services site Netcraft has claimed. The Bank of America has also been imitated under the fake URL .
Domain names designed to imitate legitimate sites, including, and , have been issued hundreds of SSL certificates by content delivery network CloudFlare, Symantec and GoDaddy within one month, the site reported.
The vast majority were issued by CloudFlare, accounting for 40 per cent of SSL certificates used in phishing attacks with misleading domain names throughout August.
Online banking fraud is estimated to cost the UK £60.4m per year. Natwest advises its customers to be vigilant in replying to emails which claim to be from the bank, checking the email address properly. Hovering your mouse cursor over a link will reveal the real web address the link will direct you to, which will be different from the bank’s actual site address if it’s a scam. If you’re unsure whether an email request claiming to be from your bank is genuine, contact an adviser before clicking anything or entering any details.
Natwest customers were targeted by a phishing email scam back in June 2012, when a fake email, purporting to be sent by RBS head Stephen Hester and encouraging customers to input their account details, was circulated.
Scammers have also sent emails with attachments containing malware designed to access information stored on a computer, Financial Fraud Action UK warned in April.
Financial Fraud Action UK’s top tips for staying safe online
– Be on the lookout for unexpected invoices or unusual payment requests.
– Avoid enabling any macros on an untrusted document.
– If you’re suspicious – don’t reply to the email but instead call your supplier on the number that you have on file to check the authenticity of the invoice.
– Ensure you have the latest anti-virus and security updates installed on your computer and consider using high-level macro security settings in software applications.
– Ensure strong firewalls are in place to help detect malware and prevent data leaving the network without permission.
– Consider using a separate computer dedicated to making online payments to minimise security risks.