Telling a legitimate website from a fake or scam site can be difficult. Unfortunately, it is becoming more difficult over time.

When you go to a site that has a padlock icon next to the site name, it means the site is secured with a digital certificate. This means that any information sent between your browser and the website is sent securely, and can’t be intercepted and read by someone else while the information is in transit.
EECU website url

Example of the EECU website with the padlock icon.

t used to be that scammers and thieves did not bother to buy digital certificates for their fake websites. Partly because they did not care if the information was transmitted securely, partly because certificates cost money they didn’t want to spend, and partly because it created an additional paper trail linking a fraudulent website to an owner. So in general, if you saw a padlock icon, it probably meant the site was legitimate.

Unfortunately, the scammers have caught on to this and know that people are more likely to trust a “secure” site that features the padlock icon. Because of this, they are increasingly securing their fake sites with digital certificates. According to online security company PhishLabs, 49% of all phishing sites features the padlock icon in Q3 of 2018. A year ago, only 25% of phishing sites had the padlock icon.

Here is an example of a site that looks like the PayPal login site and has the padlock. However, if you looked closely at the URL (which we have blacked out to protect the curious from themselves), you would notice the URL does not mention PayPal at all, while the legitimate PayPal site is found at
Paypal screen

Example of a fake version of the Paypal website, that still has the padlock icon.

So what can you do to protect yourself from this and similar scams? Here are a few simple tips:
  1. Do not automatically assume that the lock icon means a site is safe. Look at the site name in the address bar and verify that it matches the name of the site you are expecting exactly. Scammers can use things like subtle misspellings to trick you into believing you are on the right site. For instance, site names like or might appear correct with just a quick glance.
  2. Be wary of links in emails. If you receive an email you were not expecting, don’t open any attachments or click on any links.
  3. Use your bookmarks/favorites to access sites that require logins rather than using a link in an email or another website, even if it appears the link appears legitimate.
  4. Don’t let your curiosity get the best of you. Scammer frequently get people to go to infected sites or open infected attachments by using intriguing pictures or captions that make us want to find out more. These scam links can be even be found on social media or in the “sponsored links” section of legitimate web sites.
  5. Use common sense. You aren’t required to open every email sent to you, or click on every link. If it sounds too good to be true or too mysterious (“#5 will shock you?”),

Find your local financial center or ATM