Encryption Is No Longer the Hallmark of A Secure Webpage
Now that most phishing sites use HTTPS to appear safe, ‘Look For The Lock’ has become misleading advice.
- In recent years, the number of cybercriminals using HTTPS certificates on phishing sites jumped from next to none to nearly all.
- It’s important that companies understand the full extent to which cybercriminals exploit their brands — even going so far as to turn internet security features against trusting customers.
- Teaching customers about HTTPS phishing can help prevent them from falling victim to damaging brand impersonation attacks, while protecting your brand’s reputation in the process.
“Look for the padlock” has long been an internet mantra aimed to help web surfers determine whether it’s safe to share data. But that trusty little lock icon — the signature of an HTTPS certificate — has since become the norm, including for cybercriminals. HTTPS certificates have never been easier to obtain, search engines deemphasize sites without a certificate and most web browsers will actively display a “website isn’t secure” message on sites without a padlock to deter users from visiting. If anyone wants their website to be seen, they have no choice but to put a padlock on their page.
On one hand, ubiquitous HTTPS requirements can help make the internet a safer place. On the other, normalization may come at the expense of security. A recent study found that most phishing sites now use HTTPS, misleading visitors into thinking the established “secure” connection means the site is legitimate.
Encrypted? Yes. Trustworthy? Not necessarily.
Most Phishing Websites Now Use HTTPS Encryption
According to the Anti-Phishing Working Group (APWG) Phishing Activity Trends Report: 4th Quarter 2020, about 84% of email phishing attacks clicked through to malicious websites that were “protected” by the HTTPS encryption protocol, up from only 10% in the first quarter of 2017. It’s not surprising: HTTPS has virtually become the default setting for websites. It’s an internet prerequisite that gives on-trend bad actors incentive to get an SSL/TLS certificate — especially when some certificates can be obtained at little to no cost, and sometimes no authentication.
Part of the problem is that not all HTTPS certificates are created equal. There are three main types, each of which provide decreasing levels of validation: Extended Validation (EV), Organizational Validation (OV) and Domain Validation (DV). EV and OV both verify the identity of the certificate applicant, with additional verification steps and more rigorous standards for EV. DV certificates, on the other hand, do nothing more than verify that the owner of the certificate controls the domain it protects. They can be obtained for free and without identification verification, unlike EV and OV.
Unsurprisingly, 89% of certificates used by phishers were DV, according to the same APWG report. DV enables anonymous entities — including bad actors — to freely put a padlock on their site. While a DV certificate does not indicate illegitimacy, it does help cybercriminals provide internet users with direct, encrypted connections to fake websites designed to launch phishing attacks, deploy malware, harvest personal data or any other potentially damaging cyberattack.
Another part of the problem is the misleading guidance average web surfers receive about the padlock. For example, despite a 2019 FBI warning regarding the fact that cybercriminals exploit “secure” websites in phishing campaigns, online safety advice on USA.gov directs readers to “only trust encrypted sites that begin with ‘https’ (the ‘s’ means they’re secure)” because “they convert your information into a code that prevents exposure to potential scammers” — with no mention that the site could be a fake site.
Furthermore, it’s unlikely most internet users know the difference between EV, OV and DV certificates, let alone how to determine which certificate the site has in place. They just know to look for the lock.
HTTPS Phishing Is a Threat to Brands, Not Just Individuals
It’s clear that HTTPS phishing can negatively affect the experiences of internet users by turning a universal security feature against them. But it can also be damaging for brands and their marketing campaigns. A padlock on a page adds a layer of perceived legitimacy, making it easier for cybercriminals to create spoofed websites that exploit a brand’s likeness — and the trust of that brand’s customers. To hook customers, links to these “secure” phishing websites might appear in spoofed emails, in search engines or as partner links on other websites. And to an untrained eye, they look like the real thing. After all, a phishing site with a padlock is less likely to seem, well, fishy.
Despite the fact any data entered into a malicious HTTPS site is encrypted and therefore protected from man in the middle attacks, the site owner gains direct access to it — be it credentials or any other personal information. Similarly, HTTPS phishing websites might include free downloads that drop malware or launch keylogging tools, or links that can launch malicious background programs once clicked. And if there’s a data-harvesting plugin installed on the page, even simply loading the HTTPS-protected site could be enough to wreak havoc.
Of course, any customer who falls victim to such an attack may be less likely to trust your brand in the future. Based on findings discussed in Mimecast’s The State of Brand Protection 2021 (SOBP) report, about half of consumers would stop spending money on brands they use regularly — or are familiar with — if they fell victim to a phishing attack involving that brand. But trust isn’t the only issue. “Marketers may feel lost leads are a far more tangible pain point,” according to the SOBP. “Every clickthrough from a faked email to a spoofed web page can steal away from a marketer’s lead.”
Transparent Guidelines Can Help Protect Your Customers and Your Brand
A company’s online brand protection strategy must take into account the fact that HTTPS phishing is a very real threat. And doing so requires customer education. Consumers are taught that the padlock is safe without understanding why, what it means or how it works. While it’s not that HTTPS itself isn’t safe or a good indicator of whether you can securely share data, it’s important to explain that it’s not the only indicator.
As described in SOBP, transparency can reassure customers and demonstrate that your brand is actively working in their best interests, thus building brand equity. For example, consider offering explanations of why and how your site uses HTTPS, along with basic cyber hygiene tips such as how to verify website authenticity, how to spot EV certificates compared to the less secure DV certificates, and reminders not to enter credentials or any other personal information onto a website unless the visitor is certain of its authenticity.
The Bottom Line
It’s not that HTTPS technology is no longer secure; it’s that cybercriminals are turning an internet security feature against internet users to launch phishing or malware campaigns that can simultaneously wreak havoc on customers and portray brands in a negative light. If the site looks like yours — down to the padlock — it’s all the more likely innocent victims will click, given years of instruction to simply “look for the lock.” Unfortunately, that has become misleading advice. Today, companies have an increasing obligation to keep their customers informed.
 Phishing Activity Trends Report 4th Quarter 2020, APWG
 “Cyber Actors Exploit 'Secure' Websites In Phishing Campaigns,” FBI
 “Online Safety,” USA.gov
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!