You may have heard you should look for the padlock symbol at the top of a website before entering your password or credit card information into an online form. It’s well-meaning advice, but new data shows it isn’t enough to keep your sensitive information secure.
As it turns out, fraudsters got wise and started adding the padlock, which until recently was a bright green in most browsers, to their websites too. That means a padlock is no guarantee that a website is safe.
That’s according to data from cybersecurity firm PhishLabs, first reported by security writer Brian Krebs, which shows that almost half of all fraudulent pages have a padlock — meant to indicate that the site is secure — next to the URLs of their websites. Scammers are taking advantage of the fact that many internet users rely on the padlock symbol to decide whether to trust a website, according to an October report from the Anti-Phishing Working Group.
“Phishers are taking advantage of unclear security messaging” around the symbol, the report’s authors said.
The upshot is that there’s no one trick to protect you from the dark side of the internet. You have to be savvier than ever to avoid scammers and check for more than one sign that a website is legitimate.
That means making sure the website’s URL is correct and, whenever possible, typing the URL into the browser instead of following a link from an email. Tools like password managers and security software can also help: To stop you from being fooled by an extra convincing scam website, they’ll warn you when a URL doesn’t match the legitimate website or stop you from opening a scammy site to begin with.
“Awareness really is key,” said Adam Kujawa, director of the research arm of cybersecurity company Malwarebytes. “It’s up to the user to say, is this actually legit?”
What the padlock really means
The padlock has always been an imperfect symbol. It’s there to tell you something that’s specific, and also pretty technical, and that’s hard to get across with a simple image.
The lock is supposed to tell you that a website sends and receives information from your web browser over an encrypted connection. That’s all. You can tell a website has an encrypted connection because it starts with the letters https, not http. These days websites use an encryption standard called TLS. The secure connection makes it so nobody can read your web traffic as it travels through the internet’s vast, global infrastructure.
The lock doesn’t tell you anything about the legitimacy of the site.
PhishLabs CTO John LaCour
Here’s why an encrypted connection good thing: it makes sure that sensitive information like passwords and credit card numbers gets scrambled up so that only the website intended to receive it can read it. That’s really important for things like online shopping or signing on to your bank’s website.
That’s also why it’s still true that you should never enter your information if a website doesn’t have a secure connection.
But lots of people don’t know the lock means something so specific, said John LaCour, Chief Technology Officer at PhishLabs. “We’ve dumbed thing down to lock meaning ‘safe’,” he said.
Criminals can use security features too
Scammers who want to trick you into entering sensitive information can put a green padlock on their websites too, and they’re doing it more and more. When PhishLabs began collecting data in early 2015, less than half a percent of phishing websites sported a padlock. The number climbed quickly, up to about 24 percent in late 2017 and now more than 49 percent in the third quarter of 2018.
It makes sense that scammers would be using the padlock more and more, LaCour said. That’s because it’s gotten easier and cheaper for website creators to use an encrypted connection, thanks to pushes from cybersecurity experts at Google, Electronic Frontier Foundation and other tech heavyweights.
Criminals can now easily obtain certificates that enable the padlock to show up and encryption to take place, and they can do it without revealing very much about who they are.
What’s more, changes at major browsers like Chrome and Firefox have made sites without TLS encryption look much more dangerous to users, with a very visible warning that the site isn’t secure. That provided extra motivation for criminals to show the padlock on their websites, LaCour said, and avoid looking obviously shady.
“The lock doesn’t tell you anything about the legitimacy of the site,” he said. “It only tells you that your data is encrypted as it’s sent over the internet.”
It’s not all bad news
It’s probably for the best that scammers are using encryption on their phishing websites, said Nick Sullivan, head of cryptography at Cloudflare, a company that, among other things, helps organizations encrypt their websites.
That’s because sending valuable information that anyone could intercept and read is always a bad idea, even if your immediate problem is that you’ve just sent off your bank account information to a scammer in another country.
“There’s nothing bad about phishing sites having encryption,” Sullivan said.