Lock icon in URL isn't always a mark of safety

Are you in the habit of looking for a lock icon next to a URL to ensure a site is legitimate?

The FBI has released a warning that attackers can exploit consumers’ trust in sites that use HTTPS, the acronym in which the “s” stands for secure. The lock is still important, but it only means that traffic to and from the site is encrypted in transit; it does not tell you that the site's operator is trustworthy.

The lock icon did carry more weight years ago, when obtaining an SSL/TLS certificate was a more involved process, but certificates are now free and can be acquired by anyone. Attackers increasingly make sure their phishing sites have valid certificates so that they look exactly like legitimate websites.

The FBI advises users to be wary of requests in emails, even if they appear to come from known contacts. Some tips to help reduce the likelihood of falling for a phishing attack that uses HTTPS:

  • Do not simply trust the name on an email; question the intent of the email content.
  • If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
  • Check for misspellings or incorrect domains within a link (for example, an address that should end in “.edu” but ends in “.com” instead).
  • Do not trust a website just because it has a lock icon or “https” in the browser address bar.
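
As an added illustration of the domain check in the list above (this is not part of the FBI notice), the following Python helper classifies where a link actually points, assuming you know which registrable domain the sender should be using; note that its verdict never depends on whether the link uses HTTPS.

```python
from urllib.parse import urlparse


def check_link(url: str, expected_domain: str) -> dict:
    """Classify where a link really points, independent of the lock icon.

    `expected_domain` is the registrable name the sender should be using
    (e.g. "example.edu", a constructed placeholder). The "https" field is
    reported but never used in the verdict, because TLS only protects the
    connection and says nothing about who owns the host.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower().strip(".")
    exp_labels = expected.split(".")
    labels = host.split(".")
    verdict = {"host": host, "https": parsed.scheme == "https", "ok": False}

    # Genuine match: the expected domain itself or one of its subdomains.
    if host == expected or host.endswith("." + expected):
        verdict.update(ok=True, reason="expected domain or a subdomain of it")
        return verdict

    # Same name, different suffix: "example.com" where "example.edu" was expected.
    tail = labels[-len(exp_labels):]
    if (len(tail) == len(exp_labels) and tail[:-1] == exp_labels[:-1]
            and tail[-1] != exp_labels[-1]):
        verdict["reason"] = "top-level domain differs (%s instead of %s)" % (
            tail[-1], exp_labels[-1])
        return verdict

    # Expected name buried inside another domain: "example.edu.attacker.net".
    n = len(exp_labels)
    for i in range(0, len(labels) - n):
        if labels[i:i + n] == exp_labels:
            verdict["reason"] = "expected domain appears inside a different domain"
            return verdict

    verdict["reason"] = "unrelated domain"
    return verdict


if __name__ == "__main__":
    # Constructed sample links; every one of the bad ones could carry a lock icon.
    for link in ("https://admissions.example.edu/apply",
                 "https://example.com/login",
                 "https://example.edu.login-verify.net/",
                 "http://unrelated.net"):
        print(link, "->", check_link(link, "example.edu")["reason"])
```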

The extra scrutiny takes time, but that’s better than the damage you might incur by falling for a phishing attack.