HTTPS or locks on websites can’t be trusted

The FBI has warned users that “HTTPS” and a lock icon in the browser address bar cannot be relied on as proof of a website’s authenticity: they indicate only that the connection to the site is encrypted, not that the site belongs to whoever it claims to be.

In a public service announcement, the FBI’s Internet Crime Complaint Center (IC3) said that cyber criminals are “banking on the public’s trust of ‘https’ and lock icon[s]”.

Cyber criminals obtain website certificates for the domains they control, then send emails that imitate trustworthy companies or contacts and “lure” victims to “a malicious website that looks secure”, where logins and other sensitive information are harvested. Because certificates are issued to anyone who can prove control of a domain name, a phishing domain registered by the attacker can carry a perfectly valid certificate.

The tactic is not new. A study from PhishLabs Inc. found that 49% of phishing sites now use an SSL/TLS certificate, so the browser shows HTTPS and a lock icon and gives visitors a false sense of protection.

Users have been advised to reduce the likelihood of falling victim to HTTPS phishing by:

  • Not trusting the displayed sender name of an email, and questioning the intent of its content.
  • Confirming through another channel that an email is legitimate when it arrives with a link, even from a known contact.
  • Checking links for misspellings and for look-alike or wrong domains (for example, the expected brand name appearing only as a subdomain of an unrelated domain).
  • Not trusting a website just because it has a lock icon or “HTTPS” in the browser address bar.
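The checks in the list above can be automated to a first approximation. The script below is an added example, not code from the article, the FBI advisory or PhishLabs: it takes a link and the brand the email claims to come from, and reports red flags such as a registrable domain that is not one of the brand’s known domains, the brand name used as a subdomain, look-alike spellings (“paypa1”, “rnicrosoft”), a userinfo part placed before the real host, and punycode hostnames. The trusted-domain table and the sample links are constructed for the example, and the registrable-domain extraction is a deliberate simplification of what the Public Suffix List would give you. Note that an HTTPS scheme is never counted as evidence of legitimacy; it is only a missing HTTPS that is flagged.

```python
"""Heuristic triage of links in suspected HTTPS phishing emails.

Added example, not part of the original article or the FBI advisory.
The allow-list and sample links below are constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed allow-list: claimed brand -> registrable domains it really owns.
TRUSTED_DOMAINS = {
    "examplebank": {"examplebank.com", "examplebank.co.uk"},
    "paypal": {"paypal.com"},
}

# Digit/letter look-alikes common in typosquatted domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Second-level labels under two-letter ccTLDs (co.uk, com.au, ...). This is a
# simplification; a real implementation should use the Public Suffix List.
CC_SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac"}


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname, e.g. 'paypal.com' or 'examplebank.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in CC_SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Fold look-alike characters so 'paypa1' and 'rnicrosoft' compare equal to the brand."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def triage_link(url: str, claimed_brand: str) -> list[str]:
    """Return the red flags found for a link; an empty list means no red flags.

    An empty result is not proof of legitimacy: it only says the host is one
    of the brand's known domains and no obvious trick was spotted.
    """
    findings: list[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    brand = claimed_brand.lower()
    trusted = TRUSTED_DOMAINS.get(brand, set())

    # The scheme is only checked in the negative direction: 'https' and the
    # lock icon mean the channel is encrypted, nothing more.
    if parts.scheme != "https":
        findings.append("not HTTPS (no transport encryption at all)")

    # https://paypal.com@evil.example/ -- the part before '@' is userinfo, not the host.
    if parts.username is not None:
        findings.append("userinfo before host: the real host is %r" % host)

    # Internationalised labels can render as look-alikes of ASCII brand names.
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode (internationalised) hostname may hide homoglyphs")

    reg = registrable_domain(host)
    if reg in trusted:
        return findings

    findings.append("registrable domain %r is not a known %s domain" % (reg, brand))

    # Everything left of the registrable domain is attacker-chosen subdomain text.
    sub_labels = host[: -len(reg)].rstrip(".").split(".") if len(host) > len(reg) else []
    if brand in sub_labels:
        findings.append("brand name used as a subdomain of %r" % reg)

    sld = reg.split(".")[0]
    if sld != brand and normalise(sld) == normalise(brand):
        findings.append("look-alike spelling %r of %r" % (sld, brand))
    elif sld != brand and brand in sld:
        findings.append("brand name embedded in %r" % sld)
    return findings


# Constructed sample links, each paired with the brand the email claims to be from.
SAMPLE_LINKS = [
    ("https://www.paypal.com/signin", "paypal"),
    ("https://paypal.com.secure-login.example/verify", "paypal"),
    ("https://www.paypa1.com/", "paypal"),
    ("https://paypal.com@evil.example/", "paypal"),
    ("http://examplebank.co.uk/login", "examplebank"),
    ("https://xn--paypa-abc1.com/", "paypal"),
]


def triage_all() -> dict[str, list[str]]:
    """Run the triage over the constructed samples."""
    return {url: triage_link(url, brand) for url, brand in SAMPLE_LINKS}


if __name__ == "__main__":
    for link, flags in triage_all().items():
        print(link, "->", flags or ["no red flags (still not proof of legitimacy)"])
```

A tool like this belongs in a mail gateway or a user-reporting workflow as a hint, not as a verdict: a link with no red flags can still point at a compromised legitimate site, and a brand the table does not know about produces a finding on every link. The point it makes concretely is the article’s own: the presence of HTTPS contributes nothing to the decision.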

Corin Imai, senior security adviser at DomainTools stated:

“Thankfully, education is the single security measure that criminals can’t work around: an aware user, who has been trained to look for misspellings in the URL of a web page and knows not to trust a padlock icon, is much harder to lure into giving away personal information or clicking on malware-spreading links.”

She added:

“Organisations should therefore invest in solid training programs, which cannot be limited to a one-day workshop on what a phishing scam looks like, but need to be continuous, thorough and impactful.”

