For several years now, it has been widely accepted that the green padlock shown next to a website's URL in the browser's address bar indicated that the site was secure; however, Krebs on Security reported that "Half of All Phishing Sites Now Have the Padlock."
Krebs warned, "Maybe you were once advised to 'look for the padlock' as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with 'https://'."
In truth, the padlock is no indication that the site is secure or legitimate. It conveys two much narrower facts: the traffic between your browser and the site is encrypted, so a third party on the network cannot read or alter it in transit, and the site presented a certificate issued for the domain name shown in the address bar. That domain can belong to anyone, including a phisher who registered a lookalike name and obtained a certificate for it. Krebs continued, "The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers."
Unfortunately, users assume that if they see a padlock on a site they visit, the site is secure, which makes the green padlock a red herring that lulls users into a false sense of security, according to Nick Bilogorskiy, cybersecurity strategist at Juniper Networks.
"Attackers are always quick to adapt any innovative means to increase the click-through of their phishing sites. It does not cost them anything to get an SSL certificate from Let's Encrypt to obtain the green padlock," said Bilogorskiy. "In fact, Let's Encrypt has become the largest certificate issuer in the world with over 380 million certificates issued on 129 million unique domains. That said, I am not surprised that attackers have doubled the number of HTTPS phishing sites in a year."
The study indicates that there is no real way for an average user to verify that the sites they visit are secure. "Users should also look for character replacement ('punycode'), subdomains, and other inconsistencies in a site's real URL and webpage. You can usually find the real site by Googling the company name, then check it against the suspected phishing URL. Other means of combating phishing usually deal with emails and other means of getting victims to the phishing site," said Paul Bischoff, privacy advocate at Comparitech.com.
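The checks Bischoff describes (punycode, subdomain tricks, inconsistencies in the real URL) can be automated, and contrasting them with what the padlock actually verifies makes the article's point concrete. The following is an added example written for this page; it is not code from Krebs, Juniper, Comparitech or the cited study. The brand list, the two-label suffix set (a stand-in for the Public Suffix List), the confusable-character map (a small subset of the Unicode confusables table) and every URL and certificate name it uses are constructed for illustration.

```python
"""Added example: what the padlock checks versus what a cautious user should check."""
import unicodedata
from urllib.parse import urlsplit

# Constructed: sites the user actually intended to visit.
KNOWN_BRANDS = {"paypal.com", "apple.com"}
# Constructed stand-in for the Public Suffix List; real code should use the full list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Constructed subset of Unicode confusables: Cyrillic letters that look Latin.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}


def hostname_matches_cert(host, cert_names):
    """The whole of what a padlock attests: the certificate covers the name in the
    address bar. Applies the single-label wildcard rule of RFC 6125, so
    '*.example.com' matches 'login.example.com' but not 'a.b.example.com'."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]                      # ".example.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif name == host:
            return True
    return False


def registered_domain(host):
    """Registrable part of a hostname: the labels a phisher had to buy."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def to_unicode(host):
    """Decode punycode labels (xn--...) so lookalike characters become visible."""
    return host.encode("ascii").decode("idna")


def scripts_in(label):
    """Set of Unicode scripts used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(host):
    """Replace known confusables with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def inspect_url(url):
    """Return human-readable warnings about a URL; an empty list means nothing was found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("no TLS at all")
    shown = to_unicode(host)
    if shown != host:
        warnings.append(f"punycode hides a non-ASCII name: {shown}")
    for label in shown.split("."):
        if len(scripts_in(label)) > 1:
            warnings.append(f"mixed scripts in label {label!r}")
    actual = registered_domain(shown)
    lookalike = registered_domain(skeleton(shown))
    if lookalike in KNOWN_BRANDS and actual != lookalike:
        warnings.append(f"looks like {lookalike} but the registered domain is {actual}")
    for brand in KNOWN_BRANDS:
        word = brand.split(".")[0]
        if actual != brand and any(word in label for label in shown.split(".")):
            warnings.append(f"'{word}' appears in the hostname but the registered domain is {actual}")
    return warnings


if __name__ == "__main__":
    # Constructed phishing host with a certificate issued for exactly that name:
    # the browser shows the padlock, the URL inspection does not.
    phish = "paypal.com.secure-login.example"
    print("padlock:", hostname_matches_cert(phish, [phish]))
    for u in ("https://www.paypal.com/signin",
              f"https://{phish}/",
              "https://xn--pypal-4ve.com/"):
        print(u, "->", inspect_url(u) or "no warnings")
```

The punycode host in the demo is the ASCII form of "paypal.com" spelled with a Cyrillic а, which Python's `idna` codec decodes back to the visible lookalike. The registered-domain split is what separates `www.paypal.com` from `paypal.com.secure-login.example`; a browser's certificate check treats the latter as perfectly valid as long as the certificate names it.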