Half of phishing sites trick you into thinking they're 'secure'

You can't assume the padlock means a site is legitimate.

You can't assume that a site is honest because it has that "secure" padlock in the address bar, and PhishLabs just illustrated why. The anti-phishing company has determined that 49 percent of all known phishing sites used Secure Sockets Layer protection (and thus displayed the padlock) as of the third quarter of 2018. That's a sharp rise from 35 percent in the second quarter, and a steep climb from 25 percent a year earlier. They'll still try to trick you into handing over vital details -- it's just that their web traffic will be encrypted while they do it.

PhishLabs' John LaCour links the sharp rise to both the attackers themselves and their response to software decisions. Many phishers are buying web domains and promptly creating SSL certificates for them. And while Google was helpful when it started warning Chrome users about non-secure sites, that likely prompted phishers to secure their sites in an attempt to avoid those alerts.

To some extent, browser developers are tackling the issue by blocking known phishing sites regardless of whether or not they use encryption. They can't catch every site, though. To some extent, the best defense against the rise of 'secure' phishing sites is simply to dispel assumptions. You want to always question the legitimacy of unexpected requests for your sign-ins and personal info, even if they appear authentic on the surface.