HTTPS Phishing Scams


It is now a “best practice” to secure your website with HTTPS. As a matter of fact, as of 2017 Google Chrome started displaying a “not secure” message if you visit a website that uses the standard HTTP and not HTTPS.

July 2019 Update: Certain versions of Firefox will display any HTTP site connection as “Not Secure” by default starting in October of 2019. 

This standard is being exploited by criminals, and you should use caution when visiting even sites that use the HTTPS protocol.

What is HTTPS?

HTTP, meaning “hypertext transfer protocol,” is the first part of a URL. It relates to how transference of data occurs from a server to your screen. HTTPS, the S stands for “Secure,” encrypts the data transferred with the purchase of a security certificate.

What’s the risk?

Cyber criminals have been using phishing attacks for several year now to lure unsuspecting emails recipients to malicious websites that collect personal information. These phishing attacks are made to look even more reliable by using URLs with HTTPS in front, imitating a trustworthy company. Just because a website has HTTPS and is marked as secure doesn’t mean that you should enter into its forms any personal information.

Protect yourself

We recommend a keen eye and cautious spirit to thwart phishing attempts.

  • Do not click on links from emails without first verifying that the email is legitimate.
  • Call an email contact to verify that they sent you an email.
  • Check for misspelled links.
  • Do not blindly fill out forms on any website – HTTP or HTTPS alike.

If you fall victim to phishing attempt, it is important to report this activity to IT to mitigate damage and to the FBI. You can file a complaint with the IC3 at WWW.IC3.GOV. If you know it, note the type of attack as the subject of the report.