The growing threat of phishing sites with SSLs

The unfortunate reality of being an Internet user is that you must be constantly vigilant. Cybercriminals are becoming more sophisticated by the minute, continually coming up with new methods to trick users into handing over their personal information. Phishing is one of them. 

In this blog post, we’ll talk about the prevalence of phishing scams online, how malicious actors use SSL certificates in conjunction with these scams, and how you can avoid being ensnared and having your data compromised.

What is phishing? 

Phishing is an attempt to steal someone’s personal data — passwords, credit card numbers, or banking details, for example — by pretending to be a real institution or company. Typically, people are lured to a very authentic-looking but fake site where they are asked to fill in their information and that information is then used for nefarious purposes. Phishing can take place over the phone or through text, but it most commonly occurs over email. 

Phishing is by no means new: the term was first coined in 1996 and began with an attempt to steal people’s AOL passwords. Now, over two decades later, phishing has become extremely common. Interestingly, although phishing attacks were down by 42% in 2019, phishing is still no less of a threat. It has simply become more targeted, and scammers work harder than ever to convince unsuspecting users that they’re the real deal.

Unfortunately, SSL has become part of the ruse. 

How cybercriminals use SSL

A common practice scammers have adopted in the last few years is using SSL certificates on their fake websites. With Google’s push for “HTTPS everywhere” in recent times, HTTPS and SSL certificates have become more widespread across the web. As of June 2020, 62.3% of all websites use the HTTPS protocol. This is great. According to the most recent Anti-Phishing Working Group (APWG) report, in the first quarter of 2020, 75% of all phishing sites used SSL. This is not so great.

Scammers know that people are becoming more aware of the importance of HTTPS and look for signs, such as an address bar padlock, that a website has an SSL certificate. However, a website simply having an SSL certificate is not enough to trust it blindly, particularly if it’s asking you to hand over personal information. Beyond confirming that a site has an SSL certificate, it’s important to check who issued the certificate and who it was issued to.

We’ve said it before, but it bears repeating:

Just because a site has an SSL certificate, it doesn’t mean it’s safe to use. Your connection to that site is encrypted and secure, sure. But that doesn’t mean that the content of the site isn’t malicious. 

This is partly why Google has been deprecating many of the former visual indicators of its Chrome browser over the past few years, such as the “Secure” wording in the address bar, as well as the EV green bar. While at first these indicators served as a way of encouraging people to adopt HTTPS on their sites, they can come with the unintended consequence of lulling users into a false sense of safety, especially when scam sites have them.

How to protect yourself from phishing scams

There are a few things you can do to prevent falling prey to a phishing scam:

  1. Check your spam folder settings

If you’re frequently finding dubious emails in your inbox, it might be a good idea to optimize your spam filter. A phishing email can occasionally find its way into your main inbox, but it shouldn’t be a regular occurrence.

  2. Find the real site through Google

If you get an email requesting private information that claims to be from an e-commerce store, your bank, or credit card company, don’t click on any hyperlinks included in the email. Instead, Google the site in question and log in from there. If any actions are needed from you, the site should inform you once you’re logged into your account. Hover your mouse over the email hyperlink to see the site it links to and compare it to the web address of the real site. Chances are, they’ll be quite different. If you’re still unsure, contact their customer service via official channels to double-check.

  3. Check its SSL certificate details

If you do end up clicking on a link included in a potentially dodgy email (which we really don’t recommend you do), take a closer look at the SSL certificate. What information can you glean about the person or organization the certificate was issued to? If information is lacking or sounds suspect, don’t proceed.

  4. Pay attention to design

While scammers are getting better at posing as real institutions, spoof emails and websites are usually a bit “off” in some way. Watch out for misspellings and strangely phrased sentences. A big red flag is if the email begins with “Dear customer” instead of your actual name. The websites may also have the wrong color scheme or use a grainy, low-quality logo.  

  5. Remember: if an offer sounds too good to be true, it probably is

As nice as it would be for companies to randomly give you a free iPhone or a $500 gift card, the chances of them doing it are slim, especially through an email with an all-caps subject line.

  6. NEVER give personal information to or download anything from an unfamiliar site

This should be implied from the rest of this post, but it bears repeating. If in doubt, don’t give it out.
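
The certificate check from the “Check its SSL certificate details” tip can also be scripted. The Python sketch below is an added example, not code from the original post: it reads the subject, issuer and covered host names from a certificate and reports whether the certificate names an organization and whether it covers the site you expected to reach. The sample certificates, host names and CA names are constructed for illustration. A certificate with no organization name is also common on legitimate sites; it only means the certificate itself tells you nothing about who runs the site.

```python
# Added example: summarise who a certificate was issued to and by whom.
# Input uses the dict layout returned by ssl.SSLSocket.getpeercert().

def flatten_name(name):
    """Turn getpeercert()'s nested name tuples into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}

def san_matches(pattern, host):
    """Match one DNS name; '*' covers exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def review_certificate(cert, expected_host):
    """Report the certificate fields a user should read before trusting a site."""
    subject = flatten_name(cert.get("subject", ()))
    issuer = flatten_name(cert.get("issuer", ()))
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    org = subject.get("organizationName")
    return {
        "issued_to": org or subject.get("commonName"),
        "issued_by": issuer.get("organizationName") or issuer.get("commonName"),
        # Domain-validated certificates carry no organization name: the CA
        # checked control of the domain, not who operates the site.
        "identity_vetted": org is not None,
        "covers_expected_host": any(san_matches(p, expected_host) for p in dns_names),
    }

# Constructed sample data (reserved .example/.test names, made-up CA names).
REAL_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Bank Ltd"),),
                (("commonName", "www.example-bank.example"),)),
    "issuer": ((("organizationName", "Constructed Commercial CA"),),),
    "subjectAltName": (("DNS", "www.example-bank.example"), ("DNS", "example-bank.example")),
}
LOOKALIKE_CERT = {
    "subject": ((("commonName", "example-bank.secure-login.test"),),),
    "issuer": ((("organizationName", "Constructed Free CA"),),),
    "subjectAltName": (("DNS", "example-bank.secure-login.test"),),
}

if __name__ == "__main__":
    for cert in (REAL_CERT, LOOKALIKE_CERT):
        print(review_certificate(cert, "www.example-bank.example"))
```
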

Wrap up

It’s an unfortunate reality that sometimes SSL certificates are used to make spoof websites seem more authentic. Hopefully, after reading this article you’re better equipped to recognize phishing attempts when you encounter them and know what to look for when judging the legitimacy of an SSL certificate.
