Phishing is one of the oldest scams in internet history, yet more than half of phishing sites now use free SSL certificates that every browser and platform trusts. Easy to implement and extremely effective, phishing has survived every advance in web security and grows more sophisticated by the day. It relies on manipulation and deception to steal personal and financial information. There is no universal countermeasure to phishing; awareness and vigilance when opening suspicious emails and websites remain the first line of defence.

A typical phishing scam starts with a fake email from a seemingly genuine company such as your bank, internet provider, or gaming platform. It looks professional and ticks all the visible security boxes, yet it is a complete hoax.

The message usually urges you to take immediate action (visit a website or change your password) to avert some impending disaster: if you don't confirm your account number, credit card details or password, something bad will happen. Instead of ignoring the fraud, thousands of users and businesses fall for it.

Companies lose millions because phishing techniques have become much more complex. Phishers have ditched amateurish emails with low-resolution logos for intricate social engineering schemes that trick even the largest organizations. Facebook and Google can attest to that.

How phishing sites use free SSL certificates

Phishers have taken tools meant to improve web security and turned them to their advantage. According to the Anti-Phishing Working Group (APWG), 58% of the phishing sites observed in Q1 2019 were served over HTTPS with a valid SSL certificate, so they displayed the browser padlock. The report concludes that both phishing activity and the use of HTTPS by phishers are on a continuous rise: 58% is up roughly 12 percentage points from Q4 2018.

[Figure: HTTPS phishing graph]

Such a figure should come as no surprise, since anyone can obtain and install an SSL certificate in minutes with Let's Encrypt or through cPanel. Free Domain Validation (DV) certificates have inadvertently helped phishers look trustworthy: a DV certificate only proves that the applicant controls the domain name it is issued for, so a certificate for a lookalike domain is just as "valid" as the real site's. The padlock tells the user that the connection is encrypted; it says nothing about who is on the other end.

If we take a closer look at the graph, the sharp migration to HTTPS coincides roughly with Chrome's decision to flag all HTTP websites as "Not secure". Phishers had no choice but to adapt, and with several free SSL options available, they didn't break a sweat.

Most-targeted industries

The APWG study also analysed the most-targeted industry sectors, with SaaS/webmail accounting for 36% of all phishing attacks, up from 30% in Q4 2018 and 20.1% in Q3 2018. In more positive news, attacks against cloud storage and file hosting fell from 11.3% of all attacks in Q1 2018 to just 2% in Q1 2019.

Is there light at the end of the tunnel?

Phishing attacks aren't going anywhere, and free SSL certificates are here to stay. With more than 80% of the web now encrypted, further studies will keep recording growth in HTTPS phishing sites. Raising users' awareness remains essential, because the padlock alone can no longer be used to tell a genuine site from a fake one.

Never open files or links from suspicious emails. Double-check the site's URL, not just the padlock, before entering any sensitive data. Do a quick search online to see whether other users have reported the potential scam, and don't repeat their mistakes. If you run a website or online business, a commercial SSL certificate can make it look more credible. Officially registered companies can obtain an Extended Validation (EV) certificate, which ties the certificate to a verified legal identity and was intended to make impersonation harder; note, however, that browsers have been removing the distinctive EV indicator from the address bar, so most users will not see the difference.
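As an added example (written for this page, not code from the article or from APWG), here is the kind of URL check a reader could run on a link before entering credentials. It treats "https://" as no evidence of legitimacy, which is the point of the article, and looks at the host name instead: credentials smuggled before an "@", raw IP hosts, internationalised (punycode) look-alikes, and brand names that appear outside their real registrable domain. The brand allow-list, the two-label approximation of a registrable domain, and all sample URLs are constructed assumptions.

```python
"""URL checks to run before typing credentials into a page.

Added example, not part of the original article. It demonstrates the point
made above: "https://" and the padlock only mean the connection is encrypted,
so the scheme is given no credit here and the host name is examined instead.
The brand allow-list and every sample URL below are constructed for
illustration and refer to no real site.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> registrable domains that brand really uses.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "google": {"google.com"},
    "microsoft": {"microsoft.com", "live.com"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: real code should consult the
    Public Suffix List, because suffixes such as co.uk break this rule."""
    return ".".join(host.split(".")[-2:])


def ascii_host(host: str) -> str:
    """The host as the browser resolves it: IDNA/punycode ('xn--...') form."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def unicode_host(host: str) -> str:
    """Decode 'xn--' labels so a reviewer can see the confusable characters."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def inspect_url(url: str) -> list:
    """Return a list of red flags for the URL; an empty list means none of these
    heuristics fired, which is still not proof that the site is genuine."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    findings = []
    if not host:
        return ["no host name in URL"]

    # 1. HTTPS earns no trust. Every check below applies equally to a phishing
    #    site holding a valid DV certificate; only the absence of TLS is noted.
    if parts.scheme != "https":
        findings.append("not HTTPS: traffic is readable in transit")

    # 2. 'https://paypal.com@evil.example/': the browser ignores everything
    #    before '@' when choosing the server, so the real host is evil.example.
    if parts.username is not None:
        findings.append(f"userinfo before '@' hides the real host {host!r}")

    # 3. A raw IP address instead of a domain name.
    try:
        ipaddress.ip_address(host)
        findings.append("host is an IP address, not a domain name")
        return findings
    except ValueError:
        pass

    # 4. Internationalised host: Cyrillic 'а' (U+0430) renders like Latin 'a',
    #    but the domain is different and its wire form starts with 'xn--'.
    wire = ascii_host(host)
    if wire != host or any(label.startswith("xn--") for label in wire.split(".")):
        findings.append(
            f"IDN host: displays as {unicode_host(wire)!r}, resolves as {wire!r}"
        )

    # 5. A brand name outside its real registrable domain, as in
    #    'paypal.com.secure-login-verify.net' or 'evil.example/paypal.com/'.
    reg = registrable_domain(wire)
    for brand, real_domains in KNOWN_BRANDS.items():
        if reg in real_domains:
            continue
        if brand in wire:
            findings.append(f"{brand!r} appears in host but registrable domain is {reg!r}")
        elif brand in parts.path.lower():
            findings.append(f"{brand!r} appears only in the path; host is {reg!r}")
    return findings


SAMPLE_URLS = [  # constructed, not real sites
    "https://www.paypal.com/signin",
    "https://paypal.com.secure-login-verify.net/signin",
    "https://paypal.com@evil.example/signin",
    "https://p\u0430ypal.com/signin",  # second letter is Cyrillic U+0430
    "http://192.0.2.10/paypal/signin",
    "https://evil.example/paypal.com/signin",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        flags = inspect_url(url)
        print(url, "->", flags or ["no red flags (still not proof of legitimacy)"])
```

Note that the Cyrillic look-alike is caught by the IDN check, not by the brand check: after IDNA encoding the host no longer contains the ASCII string "paypal" at all, which is exactly why the two checks are separate. An empty result only means these heuristics found nothing; it is not a statement that the site is genuine.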