In an era where online transactions dominate both personal and business activities, digital convenience has become a double-edged sword. While e-commerce platforms and digital banking services have simplified our lives, they’ve also opened the door to increasingly sophisticated cyber fraud. Criminals exploit every weakness from untrained users to unsecured websites to carry out identity theft, phishing, and financial fraud.

Personal transactions carried out on your company’s systems or access to your company’s systems on jeopardised personal devices can lead to a breach of your company’s security. This article aims to empower consumers, employees, and stakeholders with critical awareness and actionable steps to detect and prevent falling victim to fraudulent websites posing as legitimate e-commerce or banking portals.

Understanding the Risk Landscape

Cybercriminals use deceptive tactics to lure users into fake websites that mimic legitimate portals. These sites often look identical to the real ones but are designed to capture your sensitive data, such as login credentials, banking information and personal identification details.

Key threats include:

• Phishing websites: Look-alike URLs that trick users into entering their login details.
• Man-in-the-middle attacks: Hackers intercept unencrypted data between you and the website.
• Spoofed certificates: Fraudulent websites may display misleading security indicators.

To combat these threats, users must develop a keen eye for detail and perform basic checks before proceeding with any online transactions.

5 Essential Steps to Verify a Website’s Authenticity

1. Always Look for the Padlock Icon in the Address Bar

A fundamental step in evaluating a website’s legitimacy is to check for the padlock icon before the URL. This padlock indicates that the website uses HTTPS (Hypertext Transfer Protocol Secure; not just HTTP), which encrypts the connection between your device and the site.

• Legitimate e-commerce and banking portals always use HTTPS.
• Fraudulent or unsecured websites may lack this icon or display a warning.

Tip: Never enter personal information or make payments on sites without the padlock icon.

2. Click on the Padlock to View the Security Status

Merely seeing the padlock icon is not enough; it can sometimes be spoofed. Click on the icon to reveal a message such as “Connection is secure”. This message means the website’s identity has been authenticated by a trusted certificate authority.

3. Confirm the Validity of the Website’s SSL Certificate

A valid SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificate assures users that the website is not only encrypted but that its ownership has been verified.

To verify:

• Click on “Certificate is valid”.
• Look at the issuer’s name, such as DigiCert, Sectigo, or Let’s Encrypt.
• Check the validity period to ensure it has not expired or been revoked.

Warning signs:

• Self-signed certificate
• Expired certificate
• Unrecognised issuer

4. Inspect Certificate Details via the “Certificate Viewer”

In the Certificate Viewer panel, users can inspect:

• The Subject: Should match the domain (e.g., bankABC.com).
• The Issuer: Trusted bodies like GlobalSign or DigiCert.
• Public Key: A unique digital signature that helps prevent impersonation.

Warning sign: If the subject name looks unfamiliar, inconsistent, or contains unusual characters, it may indicate a spoofed site.

5. Cross-Check the Website URL and Domain Structure

Even before clicking anything, verify the website’s URL. Official domains are short, clear, and familiar. Fraudulent sites often use tricks like:

• Slight misspellings (e.g., www.arnazon.com instead of www.amazon.com).
• Extra subdomains (login-secure.mybank.verify.com).
• Use of numbers or foreign letters.

When in doubt, type the address manually or search for it using a search engine. The steps are illustrated at the very end of this article.

Why Awareness Matters

Even with robust IT security systems in place, the weakest link is often the user. Fraudulent portals depend on social engineering and trust. By equipping users with practical detection steps, we reduce individual exposure and create a safer digital environment.

Organisations should consider:

• Periodic fraud awareness campaigns.
• Regular training for staff and customers.
• Reporting mechanisms for suspicious portals or phishing attempts.

Conclusion: Trust But Verify

Digital fraud is an ever-evolving threat, but basic awareness and vigilance go a long way. Whether shopping online, accessing a bank account, or logging in to a government portal, follow the five steps as part of your digital hygiene.

Remember: “If something feels off, it probably is”.

Only engage with verified websites, double-check certificates, and avoid entering sensitive data on suspicious platforms. When in doubt, consult your bank, IT security team, or trusted support channel.

How We Can Help

We at Ingenia Consultants Malaysia Sdn Bhd support our clients in navigating the fraud detection and prevention requirements. We specialise in helping our clients comply with these regulatory obligations by developing appropriate policies and procedures.

For any further information, please contact:

Zakrillah Abdul

Head – Payment Service Malaysia

Ingenia Consultants Malaysia Sdn Bhd

zakrillah.abdul@ingenia-consultants.com

Steps On How to Detect Fraudulent E-Commerce and Banking Portals 

The following steps enable customers to detect whether the e-commerce or banking portal is genuine or fraudulent. 

At any respective e-commerce or banking portal, look for the padlock icon  

e-commerce Portal: 

Banking Portal: 

Upon clicking the padlock icon, you will be routed to an information box regarding the website you are accessing. Click on “Connection is secure”. 

It will then route to another information box, which shows that the website has a valid certificate issued by a trusted authority. 

Information on the certificate can be viewed by clicking on the certificate icon  

The “Certificate Viewer” contains valuable information, such as the issuance of the web portal certificate and the certificate and public key number, which is an inimitable, unique number. Each genuine portal has its own certificate issuance.