Over the years, web users – particularly online shoppers – have come to rely on the innocuous web browser padlocks and HTTPS in their address bar to identify legitimate online stores from fraudulent websites. Unfortunately, these visible indicators are no longer enough to guarantee that a website is safe from all threats such as phishing scams and malware.
Anti-Phishing Working Group’s Study Shows That Web Browser Padlocks Aren’t Trustworthy
Cybercriminals rely on the public’s trust of HTTPS and web browser padlocks to improve the success rate of their phishing attacks by securing and legitimizing fake websites with free SSL solutions like Let’s Encrypt, commodity domain-validated, or wildcard certificates. This means while a connection to a website may be candidly secure, the site itself may be a trap with the padlock giving the website visitor a false sense of security.
In this article, we’ll look at how phishing websites are abusing SSL certificates to scam web users and why we cannot simply rely on web browser padlocks any longer. We’ll also introduce alternative solutions to protect ourselves further from falling victim to these cyber attacks.
Phishing websites are using free SSL protection to lure victims
Phishing has long been a major cybersecurity vulnerability. But since the COVID-19 pandemic struck, the frequency of phishing websites has increased by over 350%. Google responded to this rise in phishing websites by insisting that all websites adopt digital certificates and encrypt server-to-browser and browser-to-server communications to protect their visitors’ sensitive data and information.
However, this wasn’t a problem for cybercriminals. In fact, it worked in their favor as they started to use SSL encryption and web browser padlocks to lure their victims into a false sense of security. The Anti-Phishing Working Group (APWG) has reported that 78% of all phishing sites use SSL protection with SaaS and webmail sites being the biggest targets, accounting for 35% of all phishing attacks.
Premium SSL certificates maximize consumer confidence and conversion
The emergence of free basic SSL certificates has contributed to the increased abuse of SSL protection. While this is a great concept for small business owners and startups, cybercriminals are actively installing these free SSL certificates so they can trick visitors by displaying an SSL broswer padlock icon. Indeed, several identified phishing websites use free domain-validated certificates from a certificate authority that issues free SSL certificates.
With all this in mind, getting the highest level of authentication with premium SSL certificates not only protects users and website owners against phishing attacks but goes the extra mile to show visitors that their safety is of paramount importance.
Sites that are protected by premium SSL certificates are at least 93% safer than DV websites that come with more basic encryption. When visitors are confident that a website is encrypted and secure, they are more likely to convert into a buyer.
Six alternative secure solutions
1. Patch up security loopholes with up-to-date web browsers
One of the best ways to ensure that your web browsers constantly remain patched is to use Dynamic Application Security Testing tools, which will constantly analyze your browser for vulnerabilities while it is running. The purpose behind this is to detect attacks at an early stage so they can be quickly prevented. Most DAST tools will be placed in between your backend server and front end browser and then use a crawling feature to detect security holes.
2. Enhance detection with Artificial Intelligence (AI)
3. Filter malicious emails with email automation services
Some gateways even inform users when accounts have been compromised, meaning that they are able to stop fraudulent emails from being sent to your contacts from your email accounts.
4. Block access to phishing pages using website filtering
5. Eliminate human error
6. Protect information from being stolen with a VPN
This is because a VPN will both mask your employees’ IP address and encrypt any and all data you send over the network. The most secure consumer VPNs today accomplish this thanks to advanced encryption protocols such as L2TP and IPsec that conceal your data from hackers, criminals, and anyone else who might want to steal and monetize your information.
And with phishers continuing to install free SSL certificates onto their fake websites to lure unsuspecting web users, there is a crystal clear need for alternative methods of online security to protect yourself, your business, and your customers from leaked data and expensive fines.
Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography.