Detecting Fake SSL Certificates: Hotel Website Security Guide

During our research, we encountered a case where a customer of a five-star hotel in Antalya entered their credit card information into a fake booking site after seeing the padlock icon and "secure connection" text. Looking at the site, everything seemed normal: HTTPS connection, valid certificate, familiar design. However, the site was entirely fraudulent.

This case highlights a reality that the hospitality industry is increasingly facing: an SSL certificate is no longer a guarantee of security on its own.

An SSL (Secure Sockets Layer) certificate encrypts data traffic between the user's browser and the web server. The padlock icon in the browser address bar and the "https://" prefix indicate that this encryption is active.

Anyone can obtain a certificate. Thanks to free certificate providers like Let's Encrypt, fraudsters can obtain a valid SSL certificate for a fake site in minutes. The padlock icon only says that the connection is encrypted; not who operates the site.

Our clients are often surprised when they learn this. They say, "But there was a lock." Unfortunately, the lock is no longer sufficient assurance.

Understanding certificate types is the most practical way to distinguish between reliable and fake sites.

DV certificates only verify that the owner of that domain made the application. No identity check is performed. The certificate authority only says "this person controls the domain"; it doesn't ask "who is this person?" Free services like Let's Encrypt and similar ones provide DV certificates. They take a few minutes to issue, are free, and do not require any documents.

Fraudsters almost exclusively use DV certificates. When we analyzed fake hotel sites, we found that the vast majority used DV certificates obtained from free providers like Let's Encrypt or ZeroSSL.

OV certificates require the certificate authority to verify the applying organization through document review. Company registration documents, address verification, and in some cases, telephone confirmation are requested. The legal name of the organization appears in the certificate.

It is not possible for fraudsters to obtain an OV certificate without establishing a fake company. Therefore, even fake sites wanting to appear legitimate have to prefer DV over OV. For hotels wanting to establish a corporate certificate policy, OV is recommended as the minimum standard.

EV certificates are subject to the strictest validation process. The certificate authority separately verifies the legal existence, physical address, operational status, and identity of the authorized representative of the organization. This process can take from a few days to two weeks and is paid.

Some browsers show the organization name in green text in the address bar on EV-certified sites. Although this visual indicator is not active in all browsers today, EV certificates still offer the strongest identity assurance. Large financial institutions, government agencies, and international hotel chains generally prefer EV.

In our industry observations, we see that no fake hotel site uses an EV certificate. The identity verification barrier is at an insurmountable level.

• DV: Anyone can get it, free, instant. No identity guarantee.
• OV: Corporate validation required, paid, takes days. Basic identity assurance exists.
• EV: Most comprehensive validation, highest trust. Impossible on fake sites.

Certificate Transparency is an open system that keeps SSL certificates under audit. Launched by Google in 2013 and supported under the Google Transparency Report, this system forces all certificate authorities to add every certificate they issue to a publicly accessible logbook.

This system means: when someone obtains a certificate for a combination of "your hotel name + different domain", this information drops into the public CT logs. And by monitoring these logs, you can detect new fake sites within hours of them being set up.

Industry experts state that this mechanism is the most reliable early warning system in fake site tracking. Fraudsters set up the page quickly and spread it slowly; CT logs, on the other hand, keep almost instant records. For more information, you can look at our certificate-transparency-log-izleme article.

Most of the time, fake sites use slightly altered versions of the original domain name. Instead of "hillsidebeachclub.com", something like "hillsidebeachclubb.com" or "hillside-beachclub.com". For more information on this typosquatting technique, check out our otel-domain-guvenligi-typosquatting article.

The certificate is discovered for this fake domain name. The padlock icon is real, but the address is wrong.

Go to the "View Certificate" option by clicking the padlock icon in the browser. From there, check the following information:

• Issued to: Is it the correct hotel name or a random name?
• For which domain: Does it match the domain name in the address bar?
• Issued by: Is it a recognized certificate authority? (Known authorities: DigiCert, Sectigo, Let's Encrypt)
• Valid from: Is it a very new certificate? Fake sites usually use short-term certificates.

crt.sh is a public CT log search engine and can be used for free. By searching your domain name, you can see which certificates have been obtained for that name or similar names.

One of our clients found 11 separate SSL certificate records for their own hotel when they used this tool for the first time; 9 of them belonged to completely fake sites.

Regularly scan not only your main domain but all variations your brand could be written as in CT logs. In our research, we've seen that the vast majority of fake sites use different combinations of the hotel name: "city + hotel name", "hotel name + reservation", "hotel name + booking", etc.

Extended Validation (EV) certificates require the certificate authority to physically verify the organization's identity. In some browsers, it shows the organization name in the address bar. It is much harder for fraudsters to obtain this type of certificate.

When you detect a fake site, don't just settle for sending a takedown request. Also report it to Google Safe Browsing, Netcraft, and Microsoft SmartScreen. This way, the site begins to be shown with a "dangerous site" warning in users' browsers.

Manual scanning is not sustainable for every hotel. Industry experts emphasize that CT log monitoring should be done automatically 24/7. Otherwise, a fake site can remain online for weeks without being noticed.

1. Research the suspicious domain you found on crt.sh with WHOIS.
2. Do not visit the site—clear browser history and cache.
3. Send the complaint to the registrar (domain registration company) where the domain name is registered.
4. Notify the CA (certificate authority) providing the certificate.
5. Also forward the complaint to the BTK in Turkey.

Is every site with an SSL certificate safe? No. An SSL certificate only shows that the connection is encrypted. Fraudsters can also obtain certificates for free in minutes. For security, it's necessary to separately verify the domain name, certificate type, and identity of the site owner.

What is the practical difference between a DV certificate and an EV certificate? A DV certificate only verifies domain control and anyone can get it in a few minutes. An EV certificate, on the other hand, comprehensively verifies the legal identity of the organization; fake sites cannot pass this process. To offer your guests the strongest assurance, choose EV.

How often do I need to check CT logs? Real-time monitoring systems should be used to be instantly informed when a new certificate similar to your brand name is obtained. In manual checking, it's recommended to scan your brand via crt.sh at least once a week.

Can I have the SSL certificate used on a fake site revoked? Yes. You can request revocation by sending a phishing or abuse report to the CA (certificate authority) providing the certificate. Let's Encrypt and major CAs usually evaluate such reports within 24-48 hours.

Instantly check all SSL certificates registered in your hotel's name with our free tool. You can see how many fake certificates were found within a few minutes.