Conventional wisdom holds that a website is safe to visit if a padlock icon appears next to its URL and the URL starts with HTTPS (rather than HTTP), meaning that traffic to and from the site is encrypted. Few people realize, however, that attackers can exploit this protective measure and use it to carry out malicious attacks.
How hackers use encryption to carry out phishing scams
According to recent research, 24% of phishing scams in 2017 used web encryption—a remarkable increase from the previous year’s 3%. Unfortunately, this means many HTTPS sites are not truly safe: the padlock confirms that the connection is encrypted, not that the site’s operator is who it claims to be.
What’s most alarming about this emerging trend is that it lets scammers dupe their victims with malicious messages that look both legitimate and secure. For example, if you receive an email claiming to be from Amazon that includes a link to an encrypted website, you are somewhat more likely to believe the email is genuine. Of course, if you’ve never purchased anything from Amazon, you’d know that this is a fake—but there are millions of Amazon customers who could be taken in by this type of attack.
Does encryption mean a safer internet?
With organizations like the Internet Security Research Group and Google promoting encryption, the world wide web should theoretically be a safer place. Unfortunately, that’s not always (or even usually) the case. In fact, the increase in encrypted websites seems to be inspiring an upsurge in encrypted phishing sites.
What you can do to protect yourself
Despite this increasingly popular phishing tactic, encryption is still an essential security tool that every business must implement, and websites with HTTPS are still generally safer than unencrypted ones.
This is why it’s more important than ever to be vigilant when surfing the web and checking emails. If you receive a message from PayPal asking you to verify your bank account details or password by clicking on a seemingly secure link, be cautious. Many phishing attacks are easy to detect, but some are not.
Likewise, exercise extreme caution when responding to requests for sensitive data. Consider the source of the message, think before clicking, and don’t hesitate to seek advice from your IT Security team when you have any doubts.
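The advice above comes down to one concrete check: before trusting a link, look at which domain it actually points to, and ignore the HTTPS prefix when judging that. The following Python script is an added example, not code from the original post; it shows how a mail filter or a help-desk tool might perform that check. The brand-to-domain allowlist is a constructed placeholder, the lookalike URLs are constructed for the demonstration, and the "registrable domain" is approximated as the last two DNS labels (a simplification that is wrong for suffixes such as co.uk, where a real deployment would consult the Public Suffix List).

```python
"""Does a link in an email really point at the brand it claims to be from?

Added example, not from the original post. Assumptions: BRAND_DOMAINS is a
constructed placeholder allowlist, and registrable_domain() approximates
eTLD+1 as the last two labels (real code would use the Public Suffix List).
"""
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains each brand legitimately uses.
BRAND_DOMAINS = {
    "amazon": {"amazon.com"},
    "paypal": {"paypal.com"},
}


def registrable_domain(hostname: str) -> str:
    """Approximate eTLD+1: the last two DNS labels, lower-cased, no trailing dot."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return hostname.lower()
    return ".".join(labels[-2:])


def assess_link(url: str, claimed_brand: str) -> dict:
    """Report whether URL's registrable domain belongs to the claimed brand.

    The verdict never depends on the scheme: an https:// link to a domain the
    attacker controls is still a phishing link.
    """
    parts = urlsplit(url)
    hostname = (parts.hostname or "").lower()
    domain = registrable_domain(hostname)
    brand = claimed_brand.lower()
    allowed = BRAND_DOMAINS.get(brand, set())
    brand_match = domain in allowed

    reasons = []
    if not brand_match:
        reasons.append(
            f"host {hostname!r} is registered under {domain!r}, "
            f"not under any of {sorted(allowed)}"
        )
        # Classic lookalike: the brand name is present, but only as a
        # subdomain label or a hyphenated fragment of somebody else's domain.
        if brand in hostname:
            reasons.append("brand name appears in the hostname but not as "
                           "the registrable domain (lookalike)")
    return {
        "hostname": hostname,
        "registrable_domain": domain,
        "https": parts.scheme == "https",
        "brand_match": brand_match,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample links of the kind the post describes.
    samples = [
        ("https://www.amazon.com/orders", "Amazon"),
        ("https://amazon.com.account-verify.example/login", "Amazon"),
        ("https://secure-paypal-login.example/verify", "PayPal"),
        ("http://www.paypal.com/", "PayPal"),
    ]
    for url, brand in samples:
        verdict = assess_link(url, brand)
        status = "OK" if verdict["brand_match"] else "SUSPICIOUS"
        print(f"{status:10} https={verdict['https']!s:5} {url}")
        for reason in verdict["reasons"]:
            print(f"           - {reason}")
```

Running the script marks both encrypted lookalike links as suspicious and the plain-HTTP paypal.com link as a brand match, which is the point: encryption and legitimacy are independent properties, and only the registrable domain answers the question the user actually cares about.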
While there is no single solution that can guarantee your business's protection from phishing and other social engineering attacks, cybersecurity awareness training for end users—including everyone from front line staff to C-suite executives—is an essential (and cost-effective) first step. Want to learn more about how you can protect your business from hacks and breaches? Contact us today.