Don't Be Fooled by Padlocks and SSL Certificates

If you check for the green padlock symbol in your browser to ensure you’re accessing a safe and legitimate site, you’re not alone. According to a 2018 PhishLabs survey, more than 80% of those surveyed thought the green padlock in the address bar guaranteed the legitimacy/safety of a website. The reality is the padlock doesn’t mean the site is legitimate and it doesn’t mean you’re safe from hackers.

Don’t Trust the Padlock

We’ve all been taught to verify the legitimacy of a website by checking for the green padlock before, say, making a purchase. That little icon means the site is safe, right? Not exactly. It means the website, with an address that usually begins with “https://”, has a Secure Sockets Layer (SSL) certificate. But what does that mean, exactly?

Certificate authorities issue an SSL certificate after confirming that the applicant controls the domain name in question; the certificate lets the browser encrypt the data sent to and from that site, theoretically protecting it from interception in transit. What it doesn’t show is whether the site itself, or the people running it, have been vetted and are trustworthy. A recent study shows that 49% of phishing sites now use SSL certificates, which means the green padlock shows up in the address bar. Cybercriminals have simply obtained certificates for the domains they control, so their phishing sites satisfy the browser’s checks and appear legitimate to the untrained eye.

It All Comes Back to Cybersecurity Training

It’s been said since the dawn of security best practices but bears repeating—employee cybersecurity training is the first line of defense in protecting your organization from social engineering/phishing attacks. And training must be ongoing, as the prevalence of phishing sites with padlocks shows—the cybercriminals are constantly adapting, and organizations must train staff to do the same. For example, it is crucial to teach all staff what the green padlock does and does not mean in relation to security, and that they should look for the padlock when visiting an unfamiliar site, but also take the time to inspect the site for authenticity and legitimacy.

With regular cybersecurity training as a core component of your information security strategy, you can inform staff as new threats emerge, ensuring educated, aware, and vigilant employees are working to keep your business safe.