Trusting HTTPS Could Be Your Biggest Mistake - Here’s Why

You and I have all been there!

You check a website. It looks perfectly legitimate. The URL has a comforting padlock icon next to it. HTTPS? Check again. You breathe easy.

And then? Credentials stolen, accounts compromised, and now the SOC is in full meltdown mode. How the heck did it happen? You are flabbergasted.

Well, step into the deceptive world of HTTPS phishing - a modern twist on a historical scam, where bad actors dress up malicious sites in security theater and watch users fall like dominoes.

Yes, but also... not really.

HTTPS (Hypertext Transfer Protocol Secure) encrypts the connection between your browser and the website you're on. It ensures your data is protected while in transit. But here’s the catch: it does not confirm whether the site you’re connected to is legitimate.

That little padlock icon? It means the site encrypts data and nothing more. And attackers are betting you don’t know that.

Trust is not a browser feature- HTTPS encrypts traffic but says nothing about identity. Strong authentication remains critical, as detailed in the NIST Password Security Guidelines to protect credentials beyond the padlock

According to the Anti-Phishing Working Group (APWG), more than 90% of phishing websites used HTTPS (the padlock) in 2023. That’s not a typo. Ninety percent.

And getting a Domain Validated (DV) SSL certificate, the most common kind used in phishing attacks, is fast, free, and doesn’t require identity verification. Basically, anyone can get one.

Because it preys on misplaced trust.

Surveys show that nearly half of all users think the padlock means a site is safe or trustworthy. Some even think it’s a bookmark, but it's actually not!

So when attackers spin up a fake banking site, slap on a DV certificate, and launch a phishing email campaign, the visual signals scream "safe", but always think before clicking on it (as if your life depends on it). Throw in some “typo-squatting” like go0gle.com or netflx.support, and it’s game over for many users.

These are the tactics cyber criminals love to use for their HTTPS phishing attacks:

• Fake but “secure” websites: The attacker replicates a login page with convincing branding and a valid SSL certificate. You land, you trust, you type, they win.
• Man-in-the-Middle (MITM): Hackers intercept HTTPS traffic or trick the browser into falling back to HTTP, especially if a site uses outdated or misconfigured certs.
• Wildcard certificate abuse: Once a wildcard cert is stolen, attackers can spin up any subdomain they want under that umbrella.

Take Sony Pictures. In 2014, hackers sent phishing emails masked as Apple ID requests sent to Sony employees including the senior executives. Victims clicked, saw the HTTPS padlock, and entered credentials into fake Apple sites. The result? Widespread credential theft and one very messy breach.

Or the March 2025 Netflix phishing campaign. Attackers used AI-generated emails to mimic Netflix messages and had the subject line as: “let’s tackle your payment details”. The email linked to a fake HTTPS login page, and users unknowingly handed over login info and credit card details.

These aren’t mom-and-pop businesses. These are household names with enterprise-grade tools. And they still got duped because padlock trust is a powerful illusion.

Here’s a fun bit of history. In 2017, Chrome started marking HTTPS sites as “Secure.” Great idea in theory. Terrible idea in practice.

People saw that label and assumed the site itself was verified. But “Secure” just meant encrypted. So criminals used HTTPS to make phishing sites look more legitimate and users trusted the wrong thing. Google has since reversed course. The word “Secure” is gone. The padlock is on its way out too. Chrome replaced it with a more neutral “tune” icon starting with the launch of Chrome version 117, in September 2023. On iOS, the padlock icon has been removed entirely without replacement.

A better signal? Maybe. But the damage is done. We trained a generation of users to trust the lock. And now we’re asking them to unlearn it.

Let’s do a quick reality check.

The internet has fully embraced HTTPS. According to Google’s Transparency Report, over 90% of websites now use HTTPS as the default protocol for serving content. On the surface, that’s a win for privacy and data security because encrypted traffic means attackers can’t easily eavesdrop on sensitive information in transit. But here’s the problem: as HTTPS has become the norm, so have the threats that hide behind it.

A 2021 survey by Mimecast found that over half of IT leaders believe employees have picked up poor cybersecurity habits while working remotely - distracted, unsupervised, and often accessing sensitive systems through unsecured devices or networks.

The reality? Encryption doesn’t equal trust. And HTTPS is no longer a signal of legitimacy, it’s just part of the background noise. Encryption alone can’t measure the true business impact of human risk. To translate user behaviour into financial terms and prioritize defences, see Risk Quantification for Cybersecurity Human Risk Management. The threat landscape has evolved, and our assumptions about “what looks safe” need to evolve too.

Security awareness training platforms that send the same old training modules every quarter aren’t enough anymore. Users aren’t just falling for phishing attacks, they’re falling for what they think is secure.

That’s why OutThink was founded: to go beyond awareness to human risk management.

OutThink’s AI-powered phishing simulator delivers real-time, adaptive training that mirrors the tactics real hackers use. It dynamically responds to evolving threat insights, ensuring employees face the latest phishing techniques, from deepfakes to fake login prompts.

You have full control to customize text, images, difficulty levels, and even the sender domains. Or choose from a vast template library with click simulations, credential capture, and email attachment attacks. Better yet, build your own custom phishing templates the Phishing Simulation Studio.

This is hands-on learning that adapts, evolves, and actually prepares users for what’s out there.

HTTPS phishing is so effective because it hijacks what people trust. A symbol. A shortcut. A sense of safety. But security isn’t about icons or acronyms. It’s about awareness, behavior, and context.

At OutThink, we believe it’s time to move from awareness to human risk management. From reactive training to proactive insight. From technical defense to human resilience. Because today, the most dangerous threats don’t just target your systems. They target your people.

Let’s give them the tools to fight back and the knowledge to know when that green padlock is nothing more than a clever disguise.