Most users know to look for a padlock in the address bar to tell if a website is legitimate. This is especially important for websites where you exchange money or sensitive data, such as an e-commerce site. Sadly, this piece of internet advice no longer holds.
It seems bad actors running phishing scams are now hosting bogus websites at addresses that show the padlock and start with https://.
Anti-phishing firm PhishLabs found that 49 percent of all phishing websites it observed during Q3 2018 displayed the padlock security symbol. This is a method attackers are increasingly using to fool users. Indeed, use of the padlock symbol on phishing sites rose 25 percent quarter-on-quarter.
Attackers are finding easy prey because many users have taken the padlock symbol to mean some guarantee of security. In other words, they never question it. PhishLabs cites data from its 2017 survey that found 80% of respondents think the green lock means a website is safe and legitimate.
The green lock signifies that the connection uses TLS (historically called Secure Sockets Layer, or SSL), matching the https:// at the start of the URL. It is not, however, a security guarantee. It shows only that the site presented a certificate valid for the hostname in the address bar, and that data moving between you and that site is encrypted and can’t be read by third parties. It says nothing about who operates the site: anyone who registers a domain can obtain a certificate for it, so a phishing page on a lookalike domain gets exactly the same padlock as the genuine one.
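To make that distinction concrete, here is an added example (not code from the article or from PhishLabs) that treats the https:// scheme as a stand-in for the padlock and checks it separately from the question that actually matters: which registrable domain the URL points at. All hostnames are constructed using the reserved example.com and .test names; the `registrable_domain` helper and the trusted-domain set are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample URLs for illustration only (reserved example.com / .test names).
SAMPLE_URLS = [
    "https://www.example.com/login",                     # the genuine site
    "https://www.example.com.secure-verify.test/login",  # brand name as a subdomain of an attacker's domain
    "https://www.example.com@login-portal.test/",        # brand name in the userinfo part, real host after '@'
    "http://www.example.com/login",                      # genuine domain, but no padlock at all
]

# Assumed set of domains the user actually intends to log in to.
TRUSTED_DOMAINS = {"example.com"}


def registrable_domain(hostname):
    """Return the last two DNS labels of a hostname.

    Simplification: real code should consult the Public Suffix List so that
    e.g. 'example.co.uk' is handled; two labels is enough to show the point.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess(url, trusted=TRUSTED_DOMAINS):
    """Separate 'is the connection encrypted?' from 'is this the site I meant?'.

    The padlock only tells you the first of these. A phisher who owns the
    domain in the address bar can obtain a certificate for it, so 'padlock'
    is True for the lookalike URLs exactly as it is for the genuine one.
    """
    parts = urlsplit(url)
    # .hostname drops any 'user:pass@' prefix, so the '@' trick does not fool it.
    host = parts.hostname or ""
    domain = registrable_domain(host)
    return {
        "padlock": parts.scheme == "https",   # what the browser's lock icon conveys
        "domain": domain,                      # what the certificate is actually bound to
        "trusted": domain in trusted,          # the check the padlock cannot make for you
    }


def assess_all(urls=SAMPLE_URLS):
    """Assess every sample URL and return the results in order."""
    return [dict(url=u, **assess(u)) for u in urls]


if __name__ == "__main__":
    for row in assess_all():
        lock = "padlock" if row["padlock"] else "no lock"
        verdict = "trusted domain" if row["trusted"] else "UNTRUSTED domain"
        print(f"{lock:8} {verdict:17} {row['domain']:25} {row['url']}")
```

Three of the four constructed URLs earn the padlock, but only one of those is on the trusted domain; the fourth is the genuine site with no lock at all. The lock icon and the legitimacy of the domain are independent signals, which is the point the article is making.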
Phishing scams already mimic legitimate services, and this is just another example of how clever these bad actors are getting.
“PhishLabs believes that this can be attributed to both the continued use of SSL certificates by phishers who register their own domain names and create certificates for them, as well as a general increase in SSL due to the Google Chrome browser now displaying ‘Not secure’ for web sites that do not use SSL,” said John LaCour, chief technology officer. “The bottom line is that the presence or lack of SSL doesn’t tell you anything about a site’s legitimacy.”