You may have heard that you should look for the padlock symbol at the top of a website before entering your password or credit card information into an online form. It's well-meaning advice, but new data shows it is not enough to keep your sensitive information secure.
As it turns out, fraudsters got wise and started adding the padlock, whichin most browsers, to their websites too. That means a padlock is no guarantee that a website is safe.
That's according to data from cybersecurity firm PhishLabs, first reported by security writer Brian Krebs, which shows that almost half of all fraudulent pages have a padlock – meant to indicate that the site is secure – next to the URLs of their websites. Scammers are taking advantage of the fact that many internet users rely on the padlock symbol to decide whether to trust a website, according to an October report from the Anti-Phishing Working Group.
"Phishers are taking advantage of unclear security messaging" around the symbol, the report's authors said.
The upshot is that there's no trick to protect you from the dark side of the internet. You have to be savvier than ever to avoid scammers and check for more than one sign that a website is legitimate.
That means making sure the website's URL is correct and, whenever possible, typing the URL into the browser instead of following the link from an email. Tools like password managers and security software can also help: To stop you from being fooled by an extra convincing scam website, they'll warn you when the URL does not match the legitimate website or stop you from opening to scammy site to begin with .
"Awareness really is key," said Adam Kujawa, director of the research arm of cybersecurity company Malwarebytes. "It's up to the user to say, is this actually legit?"
What the padlock really means
The padlock has always been an imperfect symbol. It's there to tell you something that's specific, and also pretty technical, and that's hard to get across with a simple image.
The lock is supposed to tell you which website sends and receives information from your web browser over an encrypted connection. That's all. You can tell the website has an encrypted connection because it starts with the letters https, not http. These days websites use a standard encryption called TLS. The secure connection makes it so nobody can read your web traffic as it travels through the internet's vast, global infrastructure.
Here's why an encrypted connection: it makes sure that sensitive information like passwords and credit card numbers gets scrambled up so that only the website intended to receive it can read it. That's really important for things like online shopping or signing on to your bank's website.
That's also why it's still true that you should never enter your information if a website does not have a secure connection.
But lots of people do not know the lock means something specific, said John LaCour, Chief Technology Officer at PhishLabs. "We've dumbed thing down to lock 'safe'," he said.
Criminals can use security features too
Scammers who want to trick you into entering sensitive information can put a green padlock on their websites too, and they're doing it more and more. When PhishLabs began collecting data in early 2015, less than half the percentage of phishing websites sported a padlock. The number climbed quickly, up to about 24 percent in late 2017 and now more than 49 percent in the third quarter of 2018.
It makes sense that scammers would be using the padlock more and more, LaCour said. That's because it's gotten easier and cheaper for website creators to use an encrypted connection, thanks to pushes from cybersecurity experts at Google, Electronic Frontier Foundation and other tech heavyweights.
Criminals can now easily obtain certificates that enable the padlock to show up and encryption to take place, and they can do it without revealing very much about who they are.
What's more, changes in major browsers like Chrome and Firefox have made sites without TLS encryptionto users, with a very visible warning that the site is not secure. That provided extra motivation for criminals to show the padlock on their websites, LaCour said, and avoid looking obviously shady.
"The lock does not tell you anything about the legitimacy of the site," he said. "It only tells you that your data is encrypted as it's sent over the internet."
It's not all bad news
It's probably for the best that scammers are using encryption on their phishing websites, said Nick Sullivan, head of cryptography at Cloudflare, a company that, among other things, helps organizations encrypt their websites.
That's because sending valuable information that anyone could intercept and read is always a bad idea, even if your immediate problem is that you've just sent off your bank account information to a scammer in another country.
"There's nothing bad about phishing sites having encryption," Sullivan said.
CNET's Holiday Gift Guide: The place to find the best tech gifts for 2018.
Security: Stay up-to-date on the latest breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.