The FBI’s Internet Crime Complaint Center (IC3) released a PSA warning that attackers are exploiting people’s trust in sites that use HTTPS. Cybersecurity training has in the past rightly encouraged users to look for the lock icon next to the URL in the browser, but many users still believe this icon is proof that the site they’re on is legitimate.
While the lock is important, it only means that traffic to and from the site is private; the lock DOES NOT ENSURE that the site’s operator is trustworthy.
The following steps can help reduce the likelihood of falling victim to HTTPS phishing:
- Do not simply trust the name on an email: question the intent of the email content.
- If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
- Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).
- Do not trust a website just because it has a lock icon or “https” in the browser address bar.
See the Public Service Announcement (PSA) here.
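
The domain check from the list above can be automated, for example when triaging reported emails. The following is an added example, not part of the PSA: it classifies a link by its host alone and deliberately ignores whether the scheme is "https". The allowlist, the verdict names and the sample URLs are constructed for illustration, and the last-two-labels rule is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): domains the reader expects links to.
EXPECTED_DOMAINS = ("ic3.gov", "example-bank.com")


def edit_distance(a, b):
    """Levenshtein distance, used to spot small misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url, expected=EXPECTED_DOMAINS):
    """Classify a link by its host alone; 'https' never raises the verdict."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "no-host"
    if any(host == d or host.endswith("." + d) for d in expected):
        return "expected"
    # Naive registrable domain: last two labels (ignores suffixes like co.uk).
    base = ".".join(host.split(".")[-2:])
    bname, _, btld = base.rpartition(".")
    for d in expected:
        name, tld = d.rsplit(".", 1)
        if bname == name and btld != tld:
            return "wrong-tld"      # e.g. ".com" where ".gov" was expected
    if any(edit_distance(base, d) <= 2 for d in expected):
        return "lookalike"          # one or two characters off
    if any("." + d + "." in "." + host + "." for d in expected):
        return "embedded"           # expected name used as a subdomain label
    return "unknown"
```

Any verdict other than "expected" means the link needs confirmation through another channel, whether or not the browser shows a lock.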