web browser padlocks aren't trustworthy

Over the years, web users – particularly online shoppers – have come to rely on the innocuous web browser padlocks and HTTPS in their address bar to identify legitimate online stores from fraudulent websites. Unfortunately, these visible indicators are no longer enough to guarantee that a website is safe from all threats such as phishing scams and malware.

Anti-Phishing Working Group’s Study Shows That Web Browser Padlocks Aren’t Trustworthy

Cybercriminals rely on the public’s trust of HTTPS and web browser padlocks to improve the success rate of their phishing attacks by securing and legitimizing fake websites with free SSL solutions like Let’s Encrypt, commodity domain-validated, or wildcard certificates. This means while a connection to a website may be candidly secure, the site itself may be a trap with the padlock giving the website visitor a false sense of security

In this article, we’ll look at how phishing websites are abusing SSL certificates to scam web users and why we cannot simply rely on web browser padlocks any longer. We’ll also introduce alternative solutions to protect ourselves further from falling victim to these cyber attacks. 

browser padlocks

Phishing websites are using free SSL protection to lure victims

Phishing has long been a major cybersecurity vulnerability. But since the COVID-19 pandemic struck, the frequency of phishing websites has increased by over 350%. Google responded to this rise in phishing websites by insisting that all websites adopt digital certificates and encrypt server-to-browser and browser-to-server communications to protect their visitors’ sensitive data and information.

However, this wasn’t a problem for cybercriminals. In fact, it worked in their favor as they started to use SSL encryption and web browser padlocks to lure their victims into a false sense of security. The Anti-Phishing Working Group (APWG) has reported that 78% of all phishing sites use SSL protection with SaaS and webmail sites being the biggest targets, accounting for 35% of all phishing attacks.

phishing website

Premium SSL certificates maximize consumer confidence and conversion

The emergence of free basic SSL certificates has contributed to the increased abuse of SSL protection. While this is a great concept for small business owners and startups, cybercriminals are actively installing these free SSL certificates so they can trick visitors by displaying an SSL broswer padlock icon. Indeed, several identified phishing websites use free domain-validated certificates from a certificate authority that issues free SSL certificates.  

With all this in mind, getting the highest level of authentication with premium SSL certificates not only protects users and website owners against phishing attacks but goes the extra mile to show visitors that their safety is of paramount importance. 

Sites that are protected by premium SSL certificates are at least 93% safer than DV websites that come with more basic encryption. When visitors are confident that a website is encrypted and secure, they are more likely to convert into a buyer. 

Six alternative secure solutions

1. Patch up security loopholes with up-to-date web browsers

Making a habit of using and updating the latest version of your web browser can ensure that the latest internet security patches are being applied. Security patches are used to patch up exposed security loopholes that hackers and phishers may be looking to exploit.

One of the best ways to ensure that your web browsers constantly remain patched is to use Dynamic Application Security Testing tools, which will constantly analyze your browser for vulnerabilities while it is running. The purpose behind this is to detect attacks at an early stage so they can be quickly prevented. Most DAST tools will be placed in between your backend server and front end browser and then use a crawling feature to detect security holes.

2. Enhance detection with Artificial Intelligence (AI)

Artificial intelligence can offer smart solutions to detect incoming phishing attacks. This is because AI integrates machine learning capabilities and behavioral analysis to further enhance the detection of phishing attacks. Its continuous learning capabilities are constantly updating and improving its ability to detect the most recent phishing threats. AI can also assist with the collection and storage of data.

3. Filter malicious emails with email automation services

A secure email gateway is essential when it comes to eliminating phishing attacks. Catching malicious and harmful emails with spam filtering features and anti-virus protection before they reach the inbox is something that is offered in many email automation services. 

Some gateways even inform users when accounts have been compromised, meaning that they are able to stop fraudulent emails from being sent to your contacts from your email accounts.

4. Block access to phishing pages using website filtering

Another effective way of protecting yourself from accessing phishing websites is through website filtering. Web filtering can be done through DNS or web proxy filtering. These filters work by classifying web pages into various categories and using anti-virus systems to probe pages for threats. These features then protect you from accessing phishing pages.

5. Eliminate human error

Staying informed on new cybersecurity strategies and solutions can prevent you from falling victim. Educating staff and employees on how to make cybersecurity a top priority is one of the most effective methods of eliminating phishing attacks as human error is the biggest threat to businesses falling victim to cyber-attacks. One such cybersecurity method you can teach your employees is to always use a VPN.

6. Protect information from being stolen with a VPN

One of the most effective security measures to protect your website is to use a VPN or virtual private network. In fact, you should make it a rule for your employees to always use a VPN when they are using the internet through your company network. 

This is because a VPN will both mask your employees’ IP address and encrypt any and all data you send over the network. The most secure consumer VPNs today accomplish this thanks to advanced encryption protocols such as L2TP and IPsec that conceal your data from hackers, criminals, and anyone else who might want to steal and monetize your information.


Having risen in number greatly during the pandemic, phishing attacks and scams now represent the most common cyber threat to website owners, organizations, and their users. 

And with phishers continuing to install free SSL certificates onto their fake websites to lure unsuspecting web users, there is a crystal clear need for alternative methods of online security to protect yourself, your business, and your customers from leaked data and expensive fines. 

Sam Bocetta

Sam Bocetta

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography. Currently working as part-time cybersecurity coordinator at assignyourwriter.co.uk.