We’ve mentioned this before, but the misconception has surfaced again, and it’s worth repeating. Looking for the padlock as a sign of a secure, legitimate website isn’t an accurate indication that a site is malware free. Recent research indicates that nearly half of all phishing sites display the padlock and a web address that begins with https.
Data from PhishLabs show that 49% of all phishing sites in the third quarter of 2018 had the lock icon. This is up 25% from a year ago. Since a majority of users take “look for the lock” to heart, this new finding is significant: 80% of the respondents to a PhishLabs survey believed the lock indicated a legitimate and safe website.
Remind employees that the https portion of the address signifies only that the data being transmitted is encrypted in transit and so can’t be read by third parties. The padlock signifies nothing more than this; it says nothing about who operates the site. Its appearance may mean only that criminals are lending their site some bogus credibility. John LaCour, chief technology officer for PhishLabs, said, “The bottom line is that the presence or lack of SSL doesn’t tell you anything about a site’s legitimacy.”
Web browser vendors working in partnership with security organizations do try to flag suspect sites with red warnings. That’s good, but of course not all phishing sites are spotted and flagged.
So there’s no simple fix for phishing. Neither the presence of a padlock nor the absence of a warning means that a site is safe. What can help an organization adapt to the social engineering its employees face is focused, interactive security awareness training. That would include training that reminds employees not to permit themselves to be lulled into a false sense of security. If it seems phishy, be suspicious. And do remind people not to take the padlock too seriously.
KrebsOnSecurity has the story: https://krebsonsecurity.com/2018/11/half-of-all-phishing-sites-now-have-the-padlock/