Phishing Part II: Secure Sites - Are you talking to whom you think you are?

With the rise of phishing attacks and the growing popularity of internet banking, the opportunities for fraudulent access to bank accounts have grown greatly. These attacks often come in the form of an email claiming that the internet banking terms and conditions have changed or that your internet banking password needs updating. The email directs you to a website that looks identical to the bank’s website. However, the web address is false and it will not be a verified secure site.

A secure site, such as a bank’s online banking site, uses the https protocol. This creates an encrypted connection between your web browser and the bank’s web server, securing your account details. However, a problem arises if you are not connected to the site you think you are! If you are tricked into going to a website that appears to be your bank’s site and you enter your details, the perpetrators of the scam now have your internet banking details.

To avoid this problem, you need to be careful about the site you are looking at. If the site doesn’t have https:// at the front of the web address in the location bar, it isn’t genuine. For example it should say (the actual address will be different unless you are a Westpac customer). If it doesn’t, you should be suspicious and contact your bank for support.

However, the fraudulent site may itself be a secure https:// site. In this case it will have a padlock, which you can see next to the address bar in the screen picture above. (In your browser the padlock may be in a different location on the screen.)

You can verify the details of the site provider by clicking the padlock. This will pop up a window displaying information about the secure site’s certificate. A certificate is issued by an organization known as a certificate authority (CA). To complicate matters, anyone can run their own certificate authority. However, for a site to be verified without displaying a popup warning window, the certificate authority’s own certificate, in this case Verisign Trust Network, must be installed in your web browser. Only reputable CAs’ certificates are shipped with the main browsers.
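The checks described above (https in the address, the exact expected host, and the certificate details shown behind the padlock) can be written out as code. This is an added example, not part of the original article; the bank and CA names are constructed placeholders, and the certificate is assumed to have already chained to a CA in the trust store, which is the part the browser does for you.

```python
from urllib.parse import urlsplit

# Constructed sample in the dict format returned by ssl.SSLSocket.getpeercert().
# All names are placeholders, not a real bank or certificate authority.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Bank Ltd"),),
                (("commonName", "online.examplebank.test"),)),
    "issuer": ((("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA G1"),)),
    "subjectAltName": (("DNS", "online.examplebank.test"),
                       ("DNS", "*.secure.examplebank.test")),
}

def _field(name_tuple, key):
    """Pull one attribute (e.g. organizationName) out of a subject/issuer tuple."""
    for rdn in name_tuple:
        for k, v in rdn:
            if k == key:
                return v
    return None

def cert_names_host(cert, host):
    """True if a DNS subjectAltName covers host (wildcard only as the leftmost label)."""
    host = host.lower()
    for kind, pattern in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = pattern.lower()
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False

def check_link(url, expected_host, cert):
    """Return a list of reasons to distrust the link; empty means the checks passed."""
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        problems.append("not https")
    if host != expected_host.lower():
        problems.append(f"host {host!r} is not {expected_host!r}")
    if not cert_names_host(cert, host):
        problems.append("certificate was not issued for this host")
    return problems

def padlock_summary(cert):
    """The two facts the padlock window shows: who the site is and who vouches for it."""
    return (_field(cert["subject"], "organizationName"),
            _field(cert["issuer"], "organizationName"))
```

The expected host should come from a source you already trust, such as a bookmark or the address printed on a bank statement, never from the email itself.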


With a little bit of care and common sense you can protect yourself from these scams.