FBI Warning: Don’t Trust a Website just Because you see a Padlock Icon or HTTPS in the Address Bar

Checking for a padlock icon or HTTPS designation on a website as an indicator that it is secure and data can safely be shared is no longer a best practice. According to the FBI, cybercriminals are now incorporating website certificates (third-party verification that a site is secure) when they send phishing emails.

According to recent reports, roughly half of all phishing scams are now hosted on websites whose addresses include both the HTTPS designation and the padlock. Experts believe that scammers use the padlock more often because it has become cheaper and easier for websites to use an encrypted connection. Criminals may even be able to get their own certificates to secure pages used in their phishing campaigns, and can often do so without having to reveal information about who they really are. Others may abuse pages hosted on cloud services, which sometimes allow them to automatically obtain the security certificate.

Regardless of how it is occurring, the cybercriminal’s goal is usually the same: lure victims to a malicious website that appears to be secure in order to acquire login credentials or other sensitive information. The good news? There are steps you can take to reduce the chance of falling victim to HTTPS phishing.

  • Do not trust a website just because it has a padlock icon or HTTPS in the address bar.
  • If you receive a suspicious email containing a link (even from someone you know), confirm that the message is legitimate by calling or emailing the person directly. NEVER reply directly to suspicious emails.
  • Check to make sure a website’s URL is correct. Look for misspellings or wrong domains, such as a .net domain that would usually be a .com domain. Type the URL of the website you wish to visit directly into the browser instead of using a link you received in an email.
  • Install tools such as a password manager or security software. They sometimes include features that can warn you when a URL doesn’t match the legitimate website or can prevent you from opening a scam site.
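
The URL check described in the list above can be automated. The following Python code is an added example, not part of the original article or the FBI's guidance: it ignores the HTTPS scheme entirely and compares a link's domain against a short list of sites you actually use. The domains in KNOWN_DOMAINS and the sample links in the comments are constructed, and treating the last two labels of a host as its registered domain is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Constructed list of sites the user really deals with (assumption for this example).
KNOWN_DOMAINS = ("example-bank.com", "examplemail.com")


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    # Simplification: keep the last two labels. A production tool would
    # consult the Public Suffix List (e.g. for names under .co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_link(url, known=KNOWN_DOMAINS):
    """Classify a link by its domain only; the scheme (http/https) is
    deliberately ignored because a padlock says nothing about who owns a site."""
    host = urlsplit(url).hostname or ""
    domain = registered_domain(host)
    if domain in known:
        return "match"
    name, _, tld = domain.rpartition(".")
    for good in known:
        good_name, _, good_tld = good.rpartition(".")
        if name == good_name and tld != good_tld:
            return "wrong-tld:" + good        # e.g. .net where .com is expected
        if tld == good_tld and 0 < edit_distance(name, good_name) <= 2:
            return "misspelling:" + good      # e.g. examp1e-bank.com
        if good in host:
            return "embedded:" + good         # known name used as a subdomain
    return "unknown"
```

Every result other than "match" means the link should not be followed, even when it starts with https://. Type the known address into the browser instead.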

If you suspect HTTPS phishing, the FBI encourages you to report suspicious activity to your local field office, in addition to filing a complaint with the IC3 at www.ic3.gov. Note “HTTPS phishing” in the message if the complaint relates to this particular type of scam.
