It is common for individuals to see the “padlock icon” on their browser bar when visiting a website, and assume they are safe. Sadly, this assumption is no longer valid. As we approach Data Privacy Day (January 28, 2019) many companies are taking extra steps to train employees about steps they can take to protect themselves – and their organizations. Here’s one to pass along to the team.

The padlock on the browser bar typically accompanies a website address that begins with “https://”. This Secure Sockets Layer (or SSL) signifies that information sent to and from the website will be encrypted and therefore (relatively) secure from unauthorized access. What the padlock and SSL do not signify, however, is that the website and its owners have themselves been vetted and are secure. In fact, according to a recent study, 49% of phishing sites now use SSL certificates and therefore sport that secure-looking padlock icon. This figure is up from less than 3% only 2 years ago. Phishers, who make a living by looking legitimate when they are not, have realized that they can qualify for the padlock icon while still pursuing their phishing goals. It gives them an appearance of legitimacy that is misleading to the casual observer. They rely on the common misunderstanding that encrypted communication with a website means the website is inherently legitimate.

Putting it Into Practice: Don’t be fooled! It’s important to know what the padlock icon and “https” do and do not mean. If you visit an unfamiliar website, look for the padlock, but also inspect the site to make sure it is authentic and legitimate. The bad guys keep adapting, and we have to do the same.