

A new study from security firm PhishLabs Inc. has found that nearly half of all phishing sites now deploy Secure Sockets Layer protection complete with a padlock icon in the browser bar in an attempt to give people a false sense of protection.
Detailed today by security researcher Brian Krebs, the report found that 49 percent of phishing sites started with “https://” in the third quarter, up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018.
The move towards secure sites is attributed to a belief that many internet users have taken “look for the lock” advice to mean that the padlock is a sign that a site is safe. A previous survey is said to have found that 80 percent of respondents believed a green lock indicated a website was either legitimate and/or safe.
Although it’s sound advice to check that a site is secure when undertaking transactions online, any site can employ SSL encryption. The number of sites doing so has also exponentially increased after Google LLC decided to mark any site without HTTPS as being not secure in July, as well as ranking those sites down in its search results.
Paul Bischoff, privacy advocate at Comparitech.com, told SiliconANGLE that the study goes to show that there’s no one way to identify a phishing website.
“Making sure the site has a valid SSL certificate indicated by HTTPS and a padlock in the URL bar is just one step,” Bischoff explained. “Users should also look for character replacement (‘punycode’), subdomains and other inconsistencies in a site’s real URL and web page. You can usually find the real site by Googling the company name, then check it against the suspected phishing URL.”
Bischoff noted that the PhishLabs study brings up an interesting discussion about the role of certificate authorities and browser makers.
“Certificate authorities like Let’s Encrypt make the web safer by making it cheap and easy for websites to use HTTPS, but they also lower the barrier for criminals,” Bischoff said. “HTTPS instills trust in site visitors, so some argue certificate authorities should vet who they sell SSL certificates to. On the other hand, many experts argue that browser makers misrepresent what HTTPS accomplishes: encryption and authentication. It does not necessarily verify that the website owner is a legitimate entity.”
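The URL checks Bischoff lists (punycode character replacement and misleading subdomains) can be sketched in code; the following is an added example, not part of the PhishLabs report or the original article. The brand list, the warning codes and the sample URLs are constructed, and the two-label registrable-domain rule is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> that brand's real registrable domain.
KNOWN_BRANDS = {"acmebank": "acmebank.example"}

def registrable_domain(host):
    # Assumption: the last two labels are the registrable domain. Production
    # code should use the Public Suffix List (this is wrong for "co.uk" etc.).
    return ".".join(host.split(".")[-2:])

def url_warnings(url):
    """Return warning codes for a URL. HTTPS by itself clears nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("no-https")
    try:
        # Convert Unicode labels to the ASCII "xn--" form that is resolved.
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
        warnings.append("invalid-hostname")
    # A punycode label means the displayed name may contain look-alike characters.
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        warnings.append("punycode-label")
    # A brand name only counts if it sits in the registrable domain itself.
    reg = registrable_domain(ascii_host)
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in ascii_host and reg != real_domain:
            warnings.append("brand-outside-registrable-domain")
    return warnings

# Constructed sample URLs; all three use HTTPS.
SAMPLES = [
    "https://www.acmebank.example/login",
    "https://acmebank.example.secure-login.test/login",
    "https://acmeb\u0430nk.example/login",  # Cyrillic "a" look-alike (U+0430)
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url_warnings(url), url.encode("unicode_escape").decode())
```

All three samples would show a padlock; only the first passes the URL checks.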