Phishing Sites Using Lock Symbol to Prove Legitimacy

When accessing a website, the green padlock in the left corner indicates that the connection between the website and the user is secure. Security experts have long recommended that users only access websites where a site identity button or a padlock appears in the address bar. A padlock and https:// show up in the web address when the website is using Secure Sockets Layer (SSL), signifying that the traffic being passed through is encrypted. A green or gray lock represents that the site is secure, whereas a gray circle with an ‘i’ means ‘not secure’ and a red triangle with an ‘!’ means that the site is dangerous. These symbols have been used and recommended to users for several years. However, recent research by PhishLabs says that the once-recommended symbol for judging the reputability of a site is no longer a reliable indicator.

The recent study found that 49 percent of all phishing sites in the third quarter of 2018 had a padlock symbol in the address bar. This is a 25 percent increase since last year and a 25 percent increase since the second quarter of 2018. This shows that cyber criminals have found a way around the padlock. The change correlates with the Google Chrome 68 update, released in July 2018. With this update, all websites that used an HTTP connection show a ‘not secure’ symbol next to the address bar. Therefore, all authentic websites were forced to use HTTPS and SSL. With Google Chrome putting its foot down, illegitimate phishing websites were probably not visited as frequently, as users became more aware. Phishers are quickly adapting to the changing environment and using SSL for their fake websites.

John LaCour from PhishLabs stated the following:

“PhishLabs believes that this can be attributed to both the continued use of SSL certificates by phishers who register their own domain names and create certificates for them, as well as a general increase in SSL due to the Google Chrome browser now displaying ‘Not secure’ for web sites that do not use SSL. The bottom line is that the presence or lack of SSL doesn’t tell you anything about a site’s legitimacy.”

Users should not put their entire faith and trust in the padlock and HTTPS. Simply looking at the icon does not indicate whether the site is legitimate. Instead, use your best judgement and do not enter your personal information into suspicious websites, even if they display a padlock.


If you suspect that you or your organization have been the victim of a phishing scam, contact LIFARS as soon as possible. Our highly trained team will assist you.