Phishing sites trick users with fake HTTPS padlock

The padlock icon next to a web address used to let users know that a site is legitimate and secure, but new research from PhishLabs suggests that this is no longer the case, as half of all phishing scams are now hosted on websites that display the padlock and begin with HTTPS.

The company's research shows that 49 per cent of all phishing sites in Q3 2018 had the padlock security icon next to their web address, which is a 25 per cent increase from last year and a 35 per cent increase from last quarter.

The HTTPS at the beginning of a web address (often referred to as SSL, after the SSL/TLS protocol that provides the encryption) merely signifies that the data sent between a user's device and the website is encrypted to prevent third parties from accessing it.

With a legitimate website, this means that the data sent between a user and the site cannot be accessed by anyone else. However, if the site happens to be hosting a phishing scam, then encrypting the data sent from a device will not actually protect the user, because the encrypted data still goes straight to the scammer, and the padlock could very well fool them into thinking the site they've visited is legitimate.
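The distinction above can be made concrete with a short check that scores "encrypted" and "the host I meant to visit" separately. This is an added example, not from PhishLabs or the original article; the allowlist, the sample URLs (reserved .example names and a documentation IP address) and the function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the hosts the user actually intends to visit (assumption).
EXPECTED_HOSTS = {"www.example-bank.example", "example-bank.example"}

def assess(url, expected_hosts=EXPECTED_HOSTS):
    """Separate 'is the connection encrypted' from 'is this the site I meant'."""
    parts = urlsplit(url)
    # .hostname drops any "user@" prefix and port, and lowercases the host.
    host = (parts.hostname or "").rstrip(".")
    return {
        "host": host,
        "encrypted": parts.scheme == "https",     # all the padlock tells you
        "expected_host": host in expected_hosts,  # what legitimacy depends on
        "punycode": any(l.startswith("xn--") for l in host.split(".")),
    }

def verdict(url, expected_hosts=EXPECTED_HOSTS):
    r = assess(url, expected_hosts)
    if r["expected_host"] and r["encrypted"]:
        return "ok"
    if r["expected_host"]:
        return "expected host, but not encrypted"
    return "padlock only: unknown host" if r["encrypted"] else "unknown host"

# Constructed sample URLs; the xn-- label is made up, not a real encoding.
SAMPLES = [
    "https://www.example-bank.example/login",
    "http://www.example-bank.example/login",
    "https://www.example-bank.example.secure-login.example/login",
    "https://www.example-bank.example@198.51.100.7/login",
    "https://xn--exmple-bank-9za.example/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{verdict(u):35} {assess(u)['host']}")
```

Only the first sample is both encrypted and on the expected host; the last three would all show a padlock in a browser once a certificate is issued for them.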

Hidden in plain sight

Cybercriminals have a real knack for devising new ways to trick users, and hosting phishing scams on websites that appear secure is quite effective because the idea that the padlock indicates a site is secure is almost ingrained in the minds of many internet users today.

Last year, PhishLabs conducted a survey which found that more than 80 per cent of respondents believed the green lock meant a website is legitimate and/or secure.

The company's CTO, John LaCour, explained how Google's move to label sites without SSL certificates as not secure contributed to the rise of phishing sites that appear legitimate, saying:

“PhishLabs believes that this can be attributed to both the continued use of SSL certificates by phishers who register their own domain names and create certificates for them, as well as a general increase in SSL due to the Google Chrome browser now displaying ‘Not secure’ for web sites that do not use SSL. The bottom line is that the presence or lack of SSL doesn’t tell you anything about a site’s legitimacy.”

Anthony Spadafora
