The FBI’s Internet Crime Complaint Center (IC3) released a PSA warning that attackers are exploiting people’s trust in sites that use HTTPS. Cybersecurity training has in the past rightly encouraged users to look for the lock icon next to the URL in the browser, but many users still believe this icon is proof that the site they’re on is legitimate. While the lock is important, it only means that traffic to and from the site is private; it doesn’t ensure that the site’s operator is trustworthy.
The lock icon did carry more weight years ago, when getting an SSL/TLS certificate was a more difficult process, but these certificates are now free and can be acquired by anyone. Attackers increasingly make sure that their phishing sites have valid certificates so that they look like legitimate websites.
The FBI advises users to be wary of requests in emails, even if they appear to come from known contacts. Scrutinize links carefully and “question the intent of the email content,” rather than taking emails at face value. If you receive a suspicious request, “confirm the email is legitimate by calling or emailing the contact.”
This type of diligence may add a few minutes to your day, but it’s trivial compared to the damage that can be caused by falling for a phishing attack. New-school security awareness training can build a culture of security within your organization, so that your employees will recognize potential red flags out of habit.
IC3 has the story: https://www.ic3.gov/media/2019/190610.aspx
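To make the point about the lock icon concrete, the following added example (not from the FBI PSA or the original post) triages links from an email by comparing the hostname against a list of expected domains, and never counts HTTPS as evidence of legitimacy. The domain list, function name, and sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: domains your organization actually expects to see in mail (constructed).
KNOWN_DOMAINS = ("example.com", "example.org")


def triage_link(url, known=KNOWN_DOMAINS):
    """Return (verdict, reasons). A valid HTTPS scheme earns no trust on its own."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    reasons = []

    if parts.scheme != "https":
        reasons.append("not HTTPS: traffic to the site is not private")
    if parts.username is not None:
        reasons.append("text before '@' is not the host; real host is " + host)
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label: may render as a lookalike name")

    # Trusted only if the host IS a known domain or a true subdomain of one.
    trusted = any(host == d or host.endswith("." + d) for d in known)
    if not trusted:
        for d in known:
            brand = d.split(".")[0]
            if brand in host:
                reasons.append(f"mentions '{brand}' but is not under {d}")
        reasons.append("host is not a known domain; confirm with the sender")

    verdict = "expected" if trusted and not reasons else "suspicious"
    return verdict, reasons


if __name__ == "__main__":
    # Constructed sample links; every one would show a lock icon if served
    # with a valid certificate.
    samples = [
        "https://www.example.com/account",
        "https://example.com.account-verify.test/login",
        "https://example.com@login.invalid/",
        "https://xn--exmple-cua.test/",
    ]
    for url in samples:
        verdict, reasons = triage_link(url)
        print(f"{verdict:10} {url}")
        for reason in reasons:
            print(f"           - {reason}")
```
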