Checking for a padlock icon or HTTPS designation on a website as an indicator that it is secure and data can safely be shared is no longer a best practice. According to the FBI, cybercriminals are now incorporating website certificates (third-party verification that a site is secure) when they send phishing emails.
According to recent reports, roughly half of all phishing scams are now hosted on websites whose addresses include both the HTTPS designation and the padlock. Experts believe that scammers use the padlock more often because it has become cheaper and easier for websites to use an encrypted connection. Criminals may even be able to get their own certificates to secure pages used in their phishing campaigns, and can often do so without having to reveal information about who they really are. Others may abuse pages hosted on cloud services, which sometimes allow them to automatically obtain the security certificate.
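The point above, that a certificate can be issued without revealing who operates the site, shown as an added example that is not part of the original article. It reads certificate details in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the two sample certificates, their hostnames, and the CA and organization names are constructed for illustration.

```python
# Added example: what the certificate behind a padlock does and does not assert.
# Input uses the dict shape returned by ssl.SSLSocket.getpeercert().

def subject_fields(cert):
    """Flatten the nested RDN tuples of the certificate subject into a dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def padlock_facts(cert):
    """Summarise what this certificate actually vouches for."""
    subject = subject_fields(cert)
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    org = subject.get("organizationName")
    return {
        "dns_names": dns_names,
        "organization": org,
        # With no organization in the subject, the CA checked control of the
        # domain only; the operator's identity was never part of issuance.
        "validation": "organization-vetted" if org else "domain-only",
    }

# Constructed sample: a domain-validated certificate (hypothetical names).
DV_CERT = {
    "subject": ((("commonName", "login-portal.example"),),),
    "issuer": ((("organizationName", "Example Free CA"),),),
    "subjectAltName": (("DNS", "login-portal.example"),),
}

# Constructed sample: a certificate whose subject names a vetted organization.
OV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Bank Ltd"),),
        (("commonName", "www.bank.example"),),
    ),
    "issuer": ((("organizationName", "Example Commercial CA"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "bank.example")),
}

if __name__ == "__main__":
    for label, cert in (("DV", DV_CERT), ("OV", OV_CERT)):
        facts = padlock_facts(cert)
        print(label, facts["validation"], facts["organization"], facts["dns_names"])
```

Both certificates produce the same padlock in a browser; only the second carries any statement about who runs the site.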
Regardless of how it is occurring, the cybercriminal’s goal is usually the same: lure victims to a malicious website that appears to be secure in order to acquire login credentials or other sensitive information. The good news? There are steps you can take to reduce the chance of falling victim to HTTPS phishing.
If you suspect HTTPS phishing, the FBI encourages you to report suspicious activity to your local field office, in addition to filing a complaint with the IC3 at www.ic3.gov. Note “HTTPS phishing” in the message if the complaint relates to this particular type of scam.