Phishing sites trick users with fake HTTPS padlock

The padlock icon next to a web address used to let users know that a site is legitimate and secure, but new research from PhishLabs suggests that this is no longer the case, as half of all phishing scams are now hosted on websites that display the padlock and begin with HTTPS.

The company's research shows that 49 per cent of all phishing sites in Q3 2018 had the padlock security icon next to their web address, which is a 25 per cent increase from last year and a 35 per cent increase from last quarter.

The HTTPS at the beginning of a web address (often referred to simply as SSL) merely signifies that the data sent between a user's device and the website is encrypted in transit to prevent third parties from accessing it.

With a legitimate website, this means that the data sent between a user and the site cannot be accessed by anyone else. However, if the site happens to be hosting a phishing scam, the encryption only protects the data on its way to the scammer's server, so it will not actually protect the user and could very well fool them into thinking the site they've visited is legitimate.
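The distinction drawn above, as an added example that is not part of the original article: it separates what the padlock attests (HTTPS plus a certificate issued for the hostname) from what it does not (that the hostname belongs to the brand the user meant to visit). The brand domain, the lookalike hostname, the certificate name lists and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions: a hypothetical brand and the domain its users intend to reach.
TRUSTED_DOMAINS = {"examplebank.com"}
BRAND_KEYWORDS = {"examplebank"}

def san_matches(hostname, san):
    """Certificate name match: '*' covers exactly one leftmost label."""
    host_labels = hostname.lower().split(".")
    san_labels = san.lower().split(".")
    if len(host_labels) != len(san_labels):
        return False
    if san_labels[0] == "*":
        return host_labels[1:] == san_labels[1:]
    return host_labels == san_labels

def padlock_shown(url, cert_sans):
    """What the padlock attests: HTTPS and a certificate for this hostname."""
    parts = urlsplit(url)
    return parts.scheme == "https" and any(
        san_matches(parts.hostname, san) for san in cert_sans)

def is_expected_site(url):
    """What the padlock does not attest: that the host belongs to the brand."""
    host = urlsplit(url).hostname.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def assess(url, cert_sans):
    host = urlsplit(url).hostname.lower()
    expected = is_expected_site(url)
    return {
        "padlock": padlock_shown(url, cert_sans),
        "expected_site": expected,
        # Brand name used in a hostname outside the brand's own domain.
        "brand_lookalike": not expected and any(k in host for k in BRAND_KEYWORDS),
    }

# Constructed samples: (URL, names listed in the certificate the server presents).
SAMPLES = [
    ("https://www.examplebank.com/login",
     ["examplebank.com", "*.examplebank.com"]),
    ("https://examplebank.com.secure-login.example/login",
     ["examplebank.com.secure-login.example"]),
    ("http://www.examplebank.com/login", []),
]

if __name__ == "__main__":
    for url, sans in SAMPLES:
        print(url, assess(url, sans))
```

The second sample earns a padlock because its operator holds a valid certificate for a domain they registered themselves, yet it is the only one flagged as a lookalike; the padlock and the legitimacy check vary independently.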

Hidden in plain sight

Cybercriminals have a real knack for devising new ways to trick users, and hosting phishing scams on websites that appear secure is quite effective because the idea that the padlock indicates a site is secure is almost ingrained in the minds of many internet users today.

Last year, PhishLabs conducted a survey which found that more than 80 per cent of respondents believed the green lock meant a website is legitimate and/or secure.

The company's CTO, John LaCour, explained how Google's move to label sites without SSL certificates as "Not secure" contributed to the rise of phishing sites that appear legitimate, saying:

“PhishLabs believes that this can be attributed to both the continued use of SSL certificates by phishers who register their own domain names and create certificates for them, as well as a general increase in SSL due to the Google Chrome browser now displaying ‘Not secure’ for web sites that do not use SSL. The bottom line is that the presence or lack of SSL doesn’t tell you anything about a site’s legitimacy.”

Anthony Spadafora