For years, you’ve been told to look at any given web address to make sure it starts with an HTTPS designation. That HTTP — or Hypertext Transfer Protocol — is how your browser talks to the website. The “s” at the end indicates that it is now Hypertext Transfer Protocol Secure, meaning that the communication between your browser and the website is, well, now secure. You are also told to look for the “lock” icon in the address bar. That icon, combined with the HTTPS designation, is supposed to indicate that the web traffic is encrypted and that visitors can share data safely.
Unfortunately, cyber criminals are also banking on the public’s trust in HTTPS and the lock icon. The FBI’s Internet Crime Complaint Center is reporting that fraudsters are now more frequently incorporating website certificates — third-party verification that a site is secure — when they send potential victims emails that imitate trustworthy companies or email contacts. These phishing schemes are used to acquire sensitive logins or other information by luring victims to a malicious website that looks secure.
The following steps can help reduce the likelihood of falling victim to HTTPS phishing:
- Do not simply trust the name on an email; question the intent of the email content.
- If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
- Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).
- Do not trust a website just because it has a lock icon or “HTTPS” in the browser address bar.
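The domain check from the list above, written out as a short Python function (an added example, not part of the original advisory). The function name check_link, the expected domain and the sample links are assumptions made for illustration, and reserved example domains stand in for the “.gov”/“.com” pair.

```python
from urllib.parse import urlsplit


def check_link(url: str, expected_domain: str) -> list[str]:
    """Return reasons the link's host is not the expected domain ([] means it matches).

    The scheme is deliberately ignored: "https" says the connection is
    encrypted, not that the host is the one you meant to visit.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.rstrip(".").lower()
    if not host:
        return ["no hostname in link"]
    if host == expected or host.endswith("." + expected):
        return []  # the expected domain itself or one of its subdomains
    findings = [f"host {host!r} is not under {expected!r}"]
    # Same name, different ending (the ".gov" vs ".com" case in the list above).
    name, host_name = expected.rsplit(".", 1)[0], host.rsplit(".", 1)[0]
    if host_name == name or host_name.endswith("." + name):
        findings.append("same name under a different top-level domain")
    # Expected domain used as the leading labels of an unrelated domain.
    if host.startswith(expected + ".") or f".{expected}." in host:
        findings.append("expected domain appears only as a subdomain prefix")
    # Expected domain placed before "@", where it is userinfo, not the host.
    if expected in (parts.username or "").lower():
        findings.append("expected domain appears before '@' (userinfo)")
    return findings


# Constructed sample links; every one uses HTTPS, only the first is on the
# expected domain.
EXPECTED = "example.org"
SAMPLE_LINKS = [
    "https://www.example.org/login",
    "https://www.example.com/login",
    "https://example.org.portal.test/login",
    "https://example.org@portal.test/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", check_link(link, EXPECTED) or "host matches")
```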
As always, if you have been the victim of an online fraud, report it to the FBI’s Internet Crime Complaint Center at ic3.gov or call your local FBI office.