Phishing Sites Using HTTPS Too

When you see the secure HTTPS protocol at the beginning of a web address, or see the green “secure site” padlock symbol, does this mean that the site is safe?  Unfortunately, the answer is NO.  There is some confusion among computer users about what HTTPS really means.  This confusion is being exploited by cyber-criminals running phishing exploits.

HTTPS or secure hypertext transport protocol is a secure computer connection that uses encryption to keep the conversation between your computer’s web browser and the web server you are accessing private.  This is a communication protocol only.  It only means the connection between computers is secure from eavesdropping.

This does not mean the information on the web site is encrypted, it does not mean the personal information you may be sending to the website is encrypted when stored on the web server.  It most definitely does not mean the information on the web site is “safe” from a cybersecurity standpoint.  A page on an HTTPS web site can still host malicious content and be used to download malware to unsuspecting site visitors.  Or it can be a landing page that is part of a phishing scam used to trick people into providing logon credentials or other personal information.

HTTPS was originally adopted by the financial industry to keep banking and investment transactions private.  Recently, Google started on a quest to encourage (or bully) web site owners into using HTTPS by penalizing old-fashioned HTTP website with lower page rank scores and search result placement.  Getting an encryption security certificate used to be expensive, but those rates have dropped, and companies such as Let’s Encrypt have provided a way to get your security certificate for free.  As a result, more website (including mine) are using HTTPS.

From a phishing perspective, this means that a higher percentage of hijacked websites that are used by phishers to host their landing pages are also using HTTPS.  So unwitting victims of a phishing email click on the link, end up on a “secure” site, and falsely assume this means the phishing email was genuine, or the landing page is legitimate.

A more disturbing trend is that phishing scammers are registering malicious or near-miss spoofing domain names and coupling them with HTTPS encryption.  They are using these maliciously registered HTTPS domain names in phishing exploits to wrap themselves in a cloak of respectability.  A recent study showed that nearly 75% of HTTPS phishing sites are hosted on maliciously-registered domains.

The important take away from this article is that the HTTPS designation means nothing when it comes to web site integrity.  To protect yourself from this variant of phishing just use the same techniques you have already learned.

  • Look for mismatched or unusual domains used in the sender’s email address.
  • Use the hover trick to reveal the destination web address  of embedded links.
  • Check email attachments for malware with
  • Look for near-miss domain names in emails and on web sites.
  • And don’t think that the HTTPS security lock means the site is safe or genuine.

More information:



About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.