The FBI Warns: Don’t Trust a Website Just Because You See a Padlock Icon or HTTPS in the Address Bar

You’ve likely been advised to check for the padlock icon or HTTPS designation on a website as an indicator that it is secure and you can safely share your data. Well, that may be changing. According to the FBI, cybercriminals are more often incorporating website certificates—third-party verification that a site is secure—when they send phishing emails. There are steps you can take to reduce the likelihood of falling victim to HTTPS phishing, and they rely on your attention and common sense.

It’s Estimated That Half of All Phishing Sites Now Have the Padlock Icon

One report found that roughly half of all phishing scams are now hosted on websites whose addresses include both the padlock and HTTPS designation.

So what’s going on?

Theories vary, but some experts believe that scammers use the padlock more often because it’s become easier and cheaper for website creators to use an encrypted connection. Criminals may be able to get their own certificates to secure pages used in their phishing campaigns, and they can often do so without having to reveal much information about who they really are. Other bad actors may abuse pages hosted on cloud services, which sometimes allow them to automatically inherit the security certificate.

However it’s occurring, the criminal’s goal is typically the same: to lure victims to a malicious website that appears to be secure in order to acquire the victim’s login or other sensitive information.

Steps to Help Reduce the Risk of Falling Victim to HTTPS Phishing

Fortunately, there are steps to help reduce the likelihood of falling victim to an HTTPS scam. Perhaps the most important advice is this: consumers have to be more diligent than ever by checking for more than one sign that a website is legitimate.

What to Do if You Suspect HTTPS Phishing 

The FBI encourages victims to report suspicious activity to their local FBI field office, as well as file a complaint with the IC3 at If the complaint relates to this particular scam, the FBI recommends noting “HTTPS phishing” in the message.