Wednesday, October 21, 2015

Strangers with Candy: How To Determine Legitimate and Credible Websites

I tripped over a hilarious website during some research recently. The site changes something innocent and pure to something very shady. In fact, if you want to see, go to http://www.5z8.info/the-most-dangerous-game_f4a5in_this-page-will-steal-all-of-your-personal-data. Okay - that web address looks pretty scary, but I can honestly say that it will go to something slightly less nefarious: Facebook's homepage. And I promise this goes to Tarleton's website: http://www.5z8.info/asian-brides_u9f6tl_barely-legal.

Ordinarily, I wouldn't encourage you to click on anything you have any slight misgivings about. You should listen to your gut instincts when you see unusual links. That includes anything you receive in your email, particularly when it comes from a stranger "with a nice van offering you candy."

Stranger danger.

In Badgering Us for Badges (and Other Social Engineering Scams), I mentioned some tips on how to spot scams. But how can we tell if someone is truly legitimate? There really are legitimate sites out there, and real people - not robots - telling us exciting news about our university that we may want to mention with a back link to their website. What tell-tale signs are there that we can specifically look at? Is the website legitimate?


Legitimate Ranking Websites

I mentioned in the last article that strangers from college ranking websites may contact you claiming that you ranked # on such-and-such degree and that they offer "quid pro quo." You put their link on your page, but should you investigate them first? (Hint: Scam artists hope you won't investigate!)


Are they even Human?

Read their verbiage and take note of anything that doesn't sound human, looks misspelled or grammatically incorrect, or, for that matter, isn't truly relevant to your website. Typically, if you have earned recognition for ranking high on an international or national college ranking system, that should be termed an award or recognition, not a "resource". If something sounds out of context, then stranger danger.


Good for Them, Bad for Us

Like I mentioned before, resource pages are havens for "mischievous strangers with candy" hoping you'll add their malicious links, so they can infect you (i.e., lower your website search rankings) or others (i.e., steal personal information or hack computers). Being a university, we have the legitimacy and credibility that these strangers need to get more people to list them, boosting their search rankings.


Legitimate and Credible Sources

Are the sources recognizable? Do other prestigious universities reference them? Have you heard of them before, and not just because they landed on the first page results of a Google search?

Actually, it is very easy to find a legitimate website and then find one that looks just slightly different and has less of the credible information you need in order to trust them. Look for the following on their website:


Who is running the show?

Check for an About page of some type that provides a human face or human references, preferably those that link to legitimate firms or major media outlets. If the only information they provide is that they collected data from public databases that hold information about our university, then anyone with a programming background (and a designer keeping up with design/layout trends) can slap a website together and call it legit.

Think about it: just because someone can post our Tarleton logo on their email doesn't make theirs legitimate - they need to come from our domain: tarleton.edu.


Will they sell information to third-party vendors?

Maybe. Maybe not. But you should be able to find something on any law-abiding website that details how they use the information you or anyone else provides. Will illegitimate sites try to convince you they have such a page? Yes, they will! And it may not even say "Privacy Policy," but because they know your strong suit is in English, they'll hope you don't read past their synonym trickery.

For example, I've run across a website that replaced their Privacy Policy with a Disclosure Policy. Inside said policy, they included absolutely nothing about what they do with your information, but they most certainly went on and on about disclosing university information for a price (and a lovely position well above the supposedly credibly ranked universities).


What is their methodology? Do they provide true comparison shopping?

Sure, they provide a "methodology," and they list a bunch of schools out on a page, but do the results make any sense? Are schools treated fairly in the result listings?

Don't get fooled by a fancy outline of weighted measurements. Read them. For example, how do you determine "Strength of Faculty?" Do you collect crowd-sourced votes on "Rate My Professor?" Or average the number of degree types held by professors? How about taking the grades of the students in their courses? And if you went that direction, if students make high grades, does that mean the professor taught well or gave their students easy breaks and lots of ways to make up absences and failed exams? Make sure the criteria are defined in a way that makes reasonable sense, something that can be calculated across all universities the same way.

And if they do provide a reasonable methodology, can you easily compare the criteria each is judged on, so you can tell how University A ranked higher than University B?


Are they being misleading?

Just like with the privacy policy, do they make their website do something you didn't quite expect? One example I found took advantage of the fact that we don't pay as much attention to details as we should. It had a very obvious Quick Search with degree search criteria on it, which made me expect to find a list of universities ranked on that degree; however, it went instead to a sign-up form.

Normally, when we see sign-up forms, we think about how the site is going to give us personalized information, like financial aid opportunities. This page had a generic description of the degree itself, along with a randomly generated university, but more importantly, it had a disturbing way of asking for my information to sign up.

Again, if I had not paid attention to this step-by-step process, I wouldn't realize that I was about to put my information in the hands of third-party vendors whom I was giving consent to remove liability for spamming me with texts, emails, phone calls, and junk mail. Yes, they claimed they only required demographic information about me while showing me that the personal information fields were optional, but as soon as I clicked on the Continue button, I realized the personal information fields had all magically become required, and I saw a statement similar to this:

    Clicking the "Continue" button below constitutes your express written consent to be contacted by email, phone, text and prerecorded message by [randomly generated university that you didn’t intend to sign up with] at the number(s) you provided, regarding furthering your education. You understand and agree that these calls may be generated using an automated technology

If warning bells haven't rung in your head, you've never had multiple phone calls from recordings or tried to put yourself on the Do Not Call Registry after you were positive you already added yourself months ago.


Let Us Check Your Candy Before You Take a Bite

If you have any misgivings about a request to add a link to your website, don't click the links and don't add the content to your website. Remember: stranger danger. If you think it is legitimate or credible, let Web Services give it a check first. We know their patterns and habits, including the latest trends in social engineering, and we want the best, highest-quality sites showering us with praise. We love praise. And candy. Good, clean chocolate candy... Well, I do, anyway.

-Karole