On June 10, the US Federal Bureau of Investigation (FBI) issued a public warning about the rise in HTTPS phishing cases. A few weeks ago, the Anti-Phishing Working Group released a report saying that 58% of the phishing sites they tracked in the first quarter of 2019 used HTTPS, and some even estimated it to be as high as 90%.
It’s hard not to attribute this to the availability of free SSL certificates. Providing free certificates is a good thing, and we appreciate it, but as the FBI points out, the existence of HTTPS phishing has forced people to change the way they look at security.
Sites beginning with “https” should provide privacy and security for visitors. After all, the “S” in HTTPS (Hypertext Transfer Protocol Secure) stands for “Secure.” In fact, cybersecurity awareness training has long encouraged people to look for the lock icon in the browser address bar as the sign of a secure website. The presence of “https” and the lock icon should indicate that web traffic is encrypted and that visitors can share data securely. Unfortunately, cybercriminals exploit the public’s trust in “https” and the lock icon. They apply for a certificate, build a website that carries a valid certificate from a third-party certificate authority, design it to imitate a trusted company or email contact, send email to potential victims, and entice users onto the malicious site to harvest login credentials or other sensitive information.
According to the FBI alert, “The following steps can help reduce the likelihood of falling victim to HTTPS phishing:
- Do not simply trust the name on an email: question the intent of the email content.
- If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
- Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).
- Do not trust a website just because it has a lock icon or “https” in the browser address bar.
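The checks in the alert’s list can be applied mechanically before anyone clicks. The following is an added example, not code from the FBI alert or from this article: it pulls every link out of an email body, compares the host shown to the reader with the host the link really points to, checks that the real host sits under the expected domain (which catches a “.gov” address ending in “.com”), and flags labels that are one character away from the expected name, which covers the misspelling case. It deliberately never looks at the URL scheme, because “https” carries no weight in the verdict. The sample email body and all domains in it are constructed placeholders; the threshold of one edit for a lookalike is an assumption chosen for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an email body with four links. All domains are placeholders.
SAMPLE_EMAIL = """
<p>Your refund is ready.</p>
<a href="https://example.gov/refund">https://example.gov/refund</a>
<a href="https://example.com/login">https://example.gov/login</a>
<a href="https://examp1e.gov.evil.test/verify">Verify your identity</a>
<a href="https://www.example.gov/help">Help center</a>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def host_of(value):
    """Lowercase hostname of a URL; a bare domain is accepted too."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_link(href, text, expected_domain):
    """Findings for one link; an empty list means nothing was flagged.

    The URL scheme is never consulted: per the alert, "https" and the lock
    icon say nothing about who controls the host.
    """
    findings = []
    target = host_of(href)
    if not target:
        return ["target host could not be parsed"]
    # Visible text that itself looks like a domain or URL must match the real target.
    shown = host_of(text) if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I) else ""
    if shown and shown != target:
        findings.append(f"displayed host {shown} differs from real target {target}")
    # The real target must be the expected domain or a subdomain of it
    # (this is what catches a ".gov" name served from a ".com").
    if target != expected_domain and not target.endswith("." + expected_domain):
        findings.append(f"target {target} is not under {expected_domain}")
    # Any label one edit away from the expected second-level label is a lookalike
    # (the one-edit threshold is an assumption for this example).
    expected_label = expected_domain.split(".")[0]
    for label in target.split("."):
        if label != expected_label and edit_distance(label, expected_label) == 1:
            findings.append(f"label {label!r} is a lookalike of {expected_label!r}")
    return findings


def scan_email(html, expected_domain):
    """Map every link in the email body to its list of findings."""
    return [(href, inspect_link(href, text, expected_domain))
            for href, text in extract_links(html)]


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL, "example.gov"):
        print(href, "->", findings or "ok")
```

Run against the constructed sample with `example.gov` as the expected domain, the first and fourth links come back clean, the second is flagged both for showing one host while linking to another and for landing on the wrong top-level domain, and the third is flagged for the lookalike label and for not being under the expected domain at all. None of those verdicts depends on the links using `https`.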
“The FBI encourages victims to report information concerning suspicious or criminal activity to their local FBI field office, and file a complaint with the IC3 at www.ic3.gov. If your complaint pertains to this particular scheme, please note “HTTPS phishing” in the body of the complaint.”