HTTPS won’t save you: Phishers exploit “safe” domains

Nearly 25% of phishing sites used HTTPS domains in the third quarter of 2017, which represents an almost 100% increase over the previous quarter, according to a study by PhishLabs.

HTTPS domains, which display web addresses as “https://” as opposed to “http://” and include a green lock icon, were once a reliable sign that a website was legitimate. Crane Hassold, PhishLabs’ threat intelligence manager, told cybersecurity reporter Brian Krebs that “your average Internet user has been taught for years to simply ‘look for the lock icon’ in the browser address bar as assurance that a site is safe.”

This advice was given because obtaining an SSL certificate, which is what gives a website an HTTPS address, used to take time and money. Many legitimate sites went to that effort to assure customers that the site was secure, but criminal hackers rarely did, because they typically run many sites that exist for only a short period of time.

Although most sites with an HTTPS address happened to be legitimate, concluding that HTTPS is what made them legitimate is specious reasoning: the green lock does not, by itself, indicate that a site is safe. This is a commonly held misconception, with PhishLabs’ poll finding that more than 80% of respondents mistakenly believed the green padlock symbol meant a website was legitimate or secure.

So, what does the green padlock mean? As Krebs writes, it indicates that “the communication between your browser and the Web site in question is encrypted; it does little to ensure that you really are communicating with the site you believe you are visiting.”

Learn to be skeptical

Gaining SSL certificates is just another way phishers are manipulating people into thinking their sites are legitimate. The best advice is to trust nothing from an unsolicited email: links can be manipulated, they can go to bogus sites, the “from” field can be forged, attachments can contain malware, and legitimate information in an email could have been bought or stolen.

Phishing emails are full of information designed to trick you, and as long as you remember that – and are aware of how prevalent phishing emails are – it should be easy to avoid being taken in by a few details that look legitimate.

If the message is unsolicited, be suspicious. Don’t click anything in the email. Instead, go to the site the email is ostensibly from manually (type in the address or whatever you’d normally do to access the site) and log in. Any legitimate issue will be flagged up on your account; if nothing has been flagged and you’re still concerned, use the contact information from the site to contact the company.

The extra effort it takes to log in manually is negligible, and getting into the habit will help you bypass even the most sophisticated of phishing tricks. Phishers are trying to get you to be careless, typically suggesting you need to take action urgently. They do this because if you don’t fall for their bait right away, you’re more likely to realise that it’s a scam (or forget about it) and scam sites are usually shut down relatively promptly.
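The point above, and the earlier one that the padlock only proves encryption, can be turned into a triage check: decide whether a link is suspicious by where it goes, not by whether it starts with "https://". The following is an added example, not code from PhishLabs or from the original article; the sender domain, the message body and the lookalike host in it are constructed, and the "last two labels" domain comparison is a deliberate simplification of a Public Suffix List lookup.

```python
"""Added example: flag email links whose host is outside the claimed sender's
domain. The scheme is recorded but never used as a reason to trust a link,
because HTTPS only says the connection is encrypted, not who is on the other
end. All names and the sample message below are constructed for illustration."""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects every href from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Assumption: good enough for .com-style names; a real tool would consult
    the Public Suffix List so that e.g. 'co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(sender_domain: str, html_body: str) -> List[Dict]:
    """Return links whose host is not under the sender's domain.
    Each finding records whether the link used HTTPS, so the reader can see
    an encrypted lookalike is flagged exactly like a plain-HTTP one."""
    collector = _LinkCollector()
    collector.feed(html_body)
    expected = registrable_domain(sender_domain)
    findings = []
    for href in collector.hrefs:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue  # mailto:, relative links etc. are out of scope here
        if registrable_domain(parsed.hostname) != expected:
            findings.append({"href": href, "host": parsed.hostname,
                             "https": parsed.scheme == "https"})
    return findings


# Constructed sample: a message claiming to come from example-bank.com whose
# urgent "verify" link is an HTTPS lookalike host; the help link is genuine.
SAMPLE_HTML = ('<p>Your account will be suspended. <a href="https://login.'
               'example-bank.com.verify-now.example/">Verify now</a> or see '
               '<a href="https://www.example-bank.com/help">help</a>.</p>')
```

Running `suspicious_links("example-bank.com", SAMPLE_HTML)` flags only the lookalike link, even though it is served over HTTPS.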

You can learn more about staying secure with our phishing infographic. It outlines the various forms that phishing attacks can take, explains the damage they can cause, and provides an annotated example of a scam email, showing you what to look out for.

We also offer simulated phishing attacks to help organizations identify whether their employees are susceptible to phishing scams, and a staff awareness course to help employees understand the threat of phishing.

Find out more about phishing >>