HTTPS phishing sitesDo you know the key to identifying a fake website versus a legitimate one? It’s something we’ve discussed repeatedly before, and by now many people probably believe that one of the cornerstones of a secure website is HTTPS in the URL and a green lock icon in the address bar. While those are two great indicators that you’re on a secure, legitimate website, unfortunately, as consumer savvy and awareness increase, so does the sophistication of cybercriminals. As such, there may be instances when you encounter phishing websites that utilize these markers of security as part of their ruse. Learn more about why HTTPS phishing sites are a growing phenomenon and how you can protect yourself.

Why are cybercriminals using HTTPS phishing sites?

Secure websites are important, and the past year has seen a significant emphasis on more sites using HTTPS, with browsers like Google Chrome and Mozilla Firefox alerting users when they navigate to a site that does not use HTTPS. New research from cybersecurity company PhishLabs shows that in the third quarter of 2017, its researchers observed that almost 25% of the phishing sites it saw were hosted on HTTPS domains, and many even use their own SSL certificates. Although there has been an overall push in the past year for all websites to adopt HTTPS, PhishLabs discovered that the rate of adoption among cybercriminals running phishing pages was actually much faster than the overall web. Just a year ago, the number of secured phishing sites was at 3%, and two years ago it was less than 1%. The most likely reason for this significant jump in HTTPS phishing sites is simple — adaption. As browsers have introduced features that outright warn people if a site is “not secure” and consumers have been picking up on the more obvious signs of a scam, the likelihood of a generic phishing site fooling people has decreased, so cybercriminals are keeping up with the Joneses and developing their scam pages to pass under the radar.

How can you protect yourself from these advanced phishing scams?

This development in phishing sophistication might leave many people feeling uneasy, which is understandable, but just because some phishing sites are using HTTPS now doesn’t mean that you’re going to fall for one. There are plenty of things to look for to ensure that you’re browsing safely, and the most important lesson you can take away from this is that the presence of HTTPS in a URL or a declaration of safety from your browser doesn’t automatically mean you’re in the clear. You should always do your due diligence to check out other facets of a page before entering any sensitive information, like your credit card details or username and password. These include the rest of the URL itself — a blog post written by Brian Krebs on this topic illustrates this well and provides some great tips on how to parse URLs to ensure that you aren’t getting yourself into a pickle if you click on a link. Always double-check URLs and trust your gut; if something seems off about a website, even if it declares itself secure, don’t continue using it.

When it comes to phishing, the most important way you can protect yourself is to avoid taking any kind of sudden action. Many phishing communications involve some sort of urgency, imploring you to click the link and do something immediately. Regarding any communications you receive with suspicion and taking some time to plan your next move can make all the difference. If you’ve received an email purporting to be from your bank or, resist the temptation to click any links provided in the email. Instead, type the URL of the website into your browser and sign into your account that way. You can also use Google to search for the phone number of the company in question and phone them directly to confirm the legitimacy of any purported problems.

Bottom line, criminals are always going to adapt their efforts accordingly with any advancements made in security, especially when it comes to the online realm. Just think about how many advances have been made in password security recommendations and requirements, due in part to cybercriminals figuring out how to crack less-complicated passwords. Fortunately, cybersecurity experts are working tirelessly to stay in-step and provide the best protection and recommendations possible. Keep reading our technology blog to stay up-to-date on the latest security developments.