You have probably been told to look for the padlock icon or the https:// prefix in the address bar as a sign that a website is secure and that it is safe to share your data there. That advice needs qualifying. According to the FBI, cybercriminals are increasingly obtaining website certificates for the sites they link to in phishing emails. A certificate only proves that whoever set up the site controls that domain name and that traffic to it is encrypted; it says nothing about whether the site itself is honest. There are steps you can take to reduce the likelihood of falling victim to HTTPS phishing, and they rely on your attention and common sense.
It’s Estimated That Half of All Phishing Sites Now Have the Padlock Icon
One report found that roughly half of all phishing scams are now hosted on sites served over HTTPS, so the browser shows the padlock and the https:// prefix for them just as it does for legitimate sites.
So what’s going on?
Theories vary, but some experts believe that scammers use the padlock more often simply because it has become easier and cheaper to serve any site over an encrypted connection. Automated certificate authorities issue domain-validated certificates free of charge to anyone who can prove control of a domain name, and that proof reveals nothing about who the applicant really is, so criminals can obtain their own certificates for the pages used in their phishing campaigns. Other bad actors host their pages on cloud or free-hosting platforms, where content placed under the platform's own domain is automatically served with the platform's certificate.
However it’s occurring, the criminal’s goal is typically the same: to lure victims to a malicious website that appears to be secure in order to acquire the victim’s login or other sensitive information.
Steps to Help Reduce the Risk of Falling Victim to HTTPS Phishing
Fortunately, there are steps to help reduce the likelihood of falling victim to an HTTPS scam. Perhaps the most important advice is this: consumers have to be more diligent than ever by checking for more than one sign that a website is legitimate.
- The FBI advises not to trust a website just because it has a padlock icon or HTTPS in the address bar.
- If you receive a suspicious email with a link, even from someone you know, first confirm that the message is legitimate by calling or emailing the person yourself, using contact details you already have rather than any given in the message. Never reply directly to suspicious emails.
- Check that a website's URL is correct. Look for misspellings, swapped characters, or a wrong domain, such as a .net address where the real site uses .com. Remember that the part that matters is the domain name immediately before the first slash: an address like example.com.secure-login.net belongs to secure-login.net, not to example.com. It is a best practice to type the URL of the website you want to visit directly into the browser instead of following a link you received in an email.
- Consider installing tools like a password manager or security software. A password manager only offers saved credentials on the exact domain they were saved for, so if it stays silent on what looks like a familiar login page, treat that as a warning. Security software and browser filters can likewise warn when a URL does not match the legitimate website or block a known scam site outright.
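The domain checks in the list above, written out as an added Python example (this is not code from the article or from the FBI): it extracts the hostname from a link, normalises it, works out the part somebody had to register, and compares that against a short trusted list, flagging the tricks the list describes (a brand name used as a subdomain of another domain, the same name under a different suffix, a near-miss spelling, and an internationalised lookalike). The trusted domains, the multi-label suffix set and the sample URLs are constructed for the example; a real implementation would consult the Public Suffix List instead of the three-entry stand-in.

```python
"""Added example: compare a link's host against domains you actually trust,
the way a password manager compares the current site with the domain a saved
login belongs to. Not from the original article."""
from urllib.parse import urlsplit

# Constructed allowlist for the example. A real list would hold the domains
# the user genuinely uses (a password manager effectively keeps one per login).
TRUSTED_DOMAINS = ("example.com", "bank.example")

# Assumption: a handful of multi-label public suffixes is enough for the demo.
# Production code should consult the real Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Part of a hostname somebody had to register:
    'login.bank.example' -> 'bank.example', 'a.b.co.uk' -> 'b.co.uk'."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; catches one- and two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url, trusted=TRUSTED_DOMAINS):
    """Return a verdict dict: the normalised host, a trusted flag, and the
    reasons the link looks wrong (empty when it is trusted)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return {"host": host, "trusted": False, "findings": ["no hostname in URL"]}
    # Normalise Unicode hosts to punycode so a Cyrillic letter cannot pass as
    # its Latin lookalike; ASCII hosts come back unchanged.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
    reg = registrable_domain(ascii_host)
    # A subdomain of a trusted domain is fine: login.example.com is still example.com.
    if ascii_host in trusted or reg in trusted:
        return {"host": ascii_host, "trusted": True, "findings": []}

    findings = []
    if "xn--" in ascii_host:
        findings.append("internationalised hostname (punycode) - possible homoglyph lookalike")
    for t in trusted:
        t_name = t.split(".", 1)[0]      # brand label, e.g. 'example'
        reg_name = reg.split(".", 1)[0]
        if ("." + t + ".") in ("." + ascii_host + "."):
            # The trusted name is only a subdomain of someone else's domain.
            findings.append(f"'{t}' appears as a subdomain of '{reg}', which is not '{t}'")
        elif reg_name == t_name:
            findings.append(f"same name but different suffix: '{reg}' instead of '{t}'")
        elif 0 < edit_distance(reg_name, t_name) <= 2:
            findings.append(f"'{reg}' is a near-miss spelling of '{t}'")
    if not findings:
        findings.append(f"'{reg}' is not in your trusted list")
    return {"host": ascii_host, "trusted": False, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links; every one of them could carry a valid certificate.
    for sample in ("https://login.example.com/reset",
                   "https://example.com.secure-login.net/",
                   "https://example.net/",
                   "https://examp1e.com/",
                   "https://bank.example.co.uk/"):
        print(sample, "->", check_link(sample))
```

Note that the script never looks at the certificate or the scheme: a link that fails these checks is suspicious whether or not it is served over HTTPS, which is precisely the FBI's point.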
What to Do if You Suspect HTTPS Phishing
The FBI encourages victims to report suspicious activity to their local FBI field office, as well as file a complaint with the IC3 at www.ic3.gov. If the complaint relates to this particular scam, the FBI recommends noting “HTTPS phishing” in the message.