This New Phishing Scheme Could Fool You With A False Sense of Security


When you're browsing the Internet these days, you may notice that the majority of sites you visit have a green padlock in the left part of the address bar, meant to indicate its HTTPS status.

That HTTPS status, which indicates the connection to the website is encrypted, is important for people looking to stay secure as they swim the often murky waters of the Internet. But what happens when that symbol of security increasingly appears on fake sites?

Phishing research and defense firm PhishLabs has published research indicating that hackers and criminals are becoming more likely to adopt HTTPS. About 24% of the sites that a phishing email is trying to get you to click are encrypted. 

"That's up from less than three percent at this time last year, and less than one percent two years ago," wrote PhishLabs.

Why the increase? Websites overall are increasingly being encrypted, thanks to initiatives from Let's Encrypt and Google, so it would make sense that sites meant to steal user information would also jump on the encryption bandwagon. The rate of HTTPS adoption on phishing sites is rising much faster than overall HTTPS adoption, however.

Instead, HTTPS is being used to make the site seem more legitimate in order to lure victims.

"The attackers are making that choice even though this is not needed to complete the crime," Crane Hassold, a threat intelligence manager at PhishLabs, told Wired. 

The number of phishing sites with HTTPS is only likely to grow. So the next time you get an email that gives you pause, don't be fooled by an encrypted site. Instead, follow these tips to help you avoid taking the bait.