Beware of the green padlock: it can be a trap

Security Awareness
18 July 2022

Just when you relax, thinking you are protected from nasty surprises, you may be most easily scammed. Confirmation of this elementary principle comes from a study by the PhishLabs research laboratories, which found that half (49%) of phishing scams hide right behind a protected HTTPS connection and behind that reassuring green lock that is supposed to give us the peace of mind of being on a secure site.

Unfortunately, that peace of mind needs to be reconsidered, and perhaps abandoned, because the padlock can be the most insidious of traps.

HTTPS stands for Hypertext Transfer Protocol Secure; it is the protocol that protects data travelling between a user's computer and a website.

Data transmitted via HTTPS is protected by the Transport Layer Security (TLS) protocol, which provides three kinds of protection: encryption, data integrity and authentication. That is, the user has the guarantee that the exchanged data is encrypted, that it cannot be modified in transit, and that the browser is actually communicating with the requested site.

The green padlock is, for everyone, synonymous with safety

Despite this guarantee of a secure connection, however, there is no control over who is operating the site behind it, and that detail exposes us to all kinds of scams.

Today, obtaining an SSL certificate is a very simple operation: in many cases, web hosting providers include one as a free add-on. In addition, for those moving in the darkest corners of the web, stolen SSL certificates are easy enough to buy. At that point, the criminal only has to create a convincing copy of a website to hide behind, and the trap is set. The scam is ready, and the attackers benefit further from the encryption, since it also conceals their traffic.

This is often compounded by the use of internationalised domain names, which make URLs harder to read and create more confusion among users. In short, it is a major problem for the unsuspecting user who is convinced of being in safe territory.

What to do if the lock is no longer so reassuring

Software updates are attempting to remedy this by blocking phishing sites regardless of whether they use HTTPS encryption, but no such measure will be able to identify them all. Caution therefore remains the best defence, together with a few precautions:

• pay attention to the type of website and check that, while you are operating, no pop-ups or windows appear that refer to unprotected sites;

• check that there are no misspelt words or suspicious references in the site name;

• prefer direct access to official websites by searching for them online rather than following links that arrive by email or SMS;

• equip your devices with adequate anti-virus protection;

• analyse the URLs, comparing them with the databases of phishing websites. Copying and pasting the web address in question into a URL scanner may also be sufficient.
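As an added illustration of the last three checks in the list (suspicious names, internationalised domain names and a phishing database), this Python script inspects a URL the way a cautious user or help desk would. It is not code from the original article; the blocklist is a constructed stand-in for a real phishing database, and it uses only the standard library.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed stand-in for a phishing-URL database (assumption; a real check
# would query a maintained blocklist or a URL scanner).
PHISHING_HOSTS = {"login-examplebank.com", "secure-update-example.net"}


def decode_host(host: str) -> str:
    """Return the Unicode form of a hostname, decoding punycode ("xn--") labels."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label: keep the raw form; "punycode" is still flagged
        labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Unicode scripts used in a label (LATIN, CYRILLIC, GREEK, ...), taken from character names."""
    scripts = set()
    for ch in label:
        if ch.isascii() and not ch.isalpha():
            continue  # digits and hyphens belong to no script
        name = unicodedata.name(ch, "")
        if name:
            scripts.add(name.split(" ")[0])
    return scripts


def analyse_url(url: str) -> dict:
    """Apply the checks from the list above and return the findings as a dict."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    unicode_host = decode_host(host)
    findings = {
        # "https" only means the connection is encrypted; it says nothing about who runs the site
        "https": parts.scheme == "https",
        "host": unicode_host,
        "punycode": "xn--" in host,
        "non_ascii": any(ord(c) > 127 for c in unicode_host),
        "mixed_script": any(len(scripts_in(lab)) > 1 for lab in unicode_host.split(".")),
        "blocklisted": host in PHISHING_HOSTS or unicode_host in PHISHING_HOSTS,
    }
    findings["suspicious"] = any(findings[k] for k in ("punycode", "non_ascii", "mixed_script", "blocklisted"))
    return findings
```

A lookalike such as a Cyrillic "а" in place of a Latin "a" is reported as both non-ASCII and mixed-script, whether the URL is shown in Unicode or in its on-the-wire punycode form.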

But the most important thing is that whenever we find ourselves entering private data, passwords or bank details on the web, we must be aware of every click we make and always keep an eye out for danger.

Having an adequate awareness of each of our digital actions

Especially in companies and organisations, where a single wrong move can put the entire production system at risk and cost the company a great deal of money and time, it is important to ensure a correct digital posture among all personnel, regardless of role or task.

Staff trained on the best simulation platforms, continuously updated and "on the ball", are the strongest immune system an organisation can have. No antivirus can compare with this barrier, and even the most determined attackers can run into enough difficulty to make them give up their malevolent enterprise.
