Is the Green Padlock icon for real?



A recent post highlighted a very nefarious security trick that fraudsters have been using to fool web visitors into thinking the website they're visiting is safe. Maybe you've seen it before: the small green padlock symbol usually found at the top of a website. And while it seems like it'd be a legit security badge, experts warn that it's not always what it seems.

According to data from cybersecurity firm PhishLabs, first reported by security writer Brian Krebs, almost half of all fraudulent pages have a padlock -- meant to indicate that the site is secure -- next to the URLs of their websites. Scammers are taking advantage of the fact that many internet users rely on the padlock symbol to decide whether to trust a website, according to an October report from the Anti-Phishing Working Group.

"Phishers are taking advantage of unclear security messaging" around the symbol, the report's authors said. 

According to CNET:

"Making sure the website's URL is correct and, whenever possible, typing the URL into the browser instead of following a link from an email. Tools like password managers and security software can also help: To stop you from being fooled by an extra convincing scam website, they'll warn you when a URL doesn't match the legitimate website or stop you from opening a scammy site to begin with."

"Awareness really is key," said Adam Kujawa, director of the research arm of cybersecurity company Malwarebytes. "It's up to the user to say, is this actually legit?"

"The lock is supposed to tell you that a website sends and receives information from your web browser over an encrypted connection. That's all. You can tell a website has an encrypted connection because it starts with the letters https, not http. These days websites use an encryption standard called TLS. The secure connection makes it so nobody can read your web traffic as it travels through the internet's vast, global infrastructure. Scammers who want to trick you into entering sensitive information can put a green padlock on their websites too, and they're doing it more and more. When PhishLabs began collecting data in early 2015, less than half a percent of phishing websites sported a padlock. The number climbed quickly, up to about 24 percent in late 2017 and now more than 49 percent in the third quarter of 2018. It makes sense that scammers would be using the padlock more and more, LaCour said. That's because it's gotten easier and cheaper for website creators to use an encrypted connection, thanks to pushes from cybersecurity experts at Google, Electronic Frontier Foundation and other tech heavyweights.

"Criminals can now easily obtain certificates that enable the padlock to show up and encryption to take place, and they can do it without revealing very much about who they are. What's more, changes at major browsers like Chrome and Firefox have made sites without TLS encryption look much more dangerous to users, with a very visible warning that the site isn't secure. That provided extra motivation for criminals to show the padlock on their websites, LaCour said, and avoid looking obviously shady."

The takeaway? Be savvy, smart and always be careful when entering personal data anywhere online, especially on websites you're not already familiar with. 
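
To make the difference concrete, the Python sketch below (an added example, not part of the original post or the quoted article) separates the two checks discussed above: whether a URL uses HTTPS, which is all the padlock reflects, and whether its host matches the site you meant to visit, which is the kind of comparison a password manager makes. The saved host `bank.example` and every sample URL are constructed, and treating subdomains as a match is an assumption; real tools differ.

```python
from urllib.parse import urlsplit

# Assumption: the host the user saved a login for (constructed, reserved name).
SAVED_HOST = "bank.example"

# Constructed sample URLs; none of them are real sites.
SAMPLES = [
    "https://www.bank.example/login",             # genuine site over TLS
    "http://bank.example/login",                  # genuine host, no TLS
    "https://bank.example.account-verify.test/",  # saved name used as a subdomain prefix
    "https://bank.example@phish.test/login",      # saved name in the userinfo part
    "https://bank-example.test/login",            # lookalike registration
]


def has_padlock(url: str) -> bool:
    """True when the URL uses HTTPS. This is all the padlock tells you."""
    return urlsplit(url).scheme.lower() == "https"


def host_matches(url: str, saved_host: str = SAVED_HOST) -> bool:
    """True when the URL's real host is the saved host or a subdomain of it."""
    # .hostname drops any "user@" prefix and port, and is already lowercased.
    host = (urlsplit(url).hostname or "").rstrip(".")
    saved = saved_host.lower().rstrip(".")
    return host == saved or host.endswith("." + saved)


def verdict(url: str, saved_host: str = SAVED_HOST) -> str:
    """Combine both checks the way a cautious user or tool would."""
    if not host_matches(url, saved_host):
        return "wrong site" + (" (with padlock)" if has_padlock(url) else "")
    return "right site, encrypted" if has_padlock(url) else "right site, not encrypted"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{verdict(sample):28} {sample}")
```

The last three samples all pass the padlock check and still fail the host comparison.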
