
Trusting HTTPS Could Be Your Biggest Mistake - Here’s Why
Jun 16

We’ve all been there!
You check a website. It looks perfectly legitimate. The URL has a comforting padlock icon next to it. HTTPS? Check again. You breathe easy.
And then? Credentials stolen, accounts compromised, and now the SOC is in full meltdown mode. How the heck did it happen? You are flabbergasted.
Well, step into the deceptive world of HTTPS phishing - a modern twist on an old scam, where bad actors dress up malicious sites in security theater and watch users fall like dominoes.
Isn’t HTTPS Supposed to Be Secure?
Yes, but also... not really.
HTTPS (Hypertext Transfer Protocol Secure) encrypts the connection between your browser and the website you’re on. It ensures your data is protected while in transit. But here’s the catch: it does not confirm whether the site you’re connected to is legitimate.
That little padlock icon? It means the site encrypts data and nothing more. And attackers are betting you don’t know that.
Trust is not a browser feature: HTTPS encrypts traffic but says nothing about identity. Strong authentication remains critical, as detailed in the NIST Password Security Guidelines, to protect credentials beyond the padlock.
According to the Anti-Phishing Working Group (APWG), more than 90% of phishing websites used HTTPS (the padlock) in 2023. That’s not a typo. Ninety percent.
And getting a Domain Validated (DV) SSL certificate, the most common kind used in phishing attacks, is fast, free, and doesn’t require identity verification. Basically, anyone can get one.
Why HTTPS Phishing Works So Well
Because it preys on misplaced trust.
Surveys show that nearly half of all users think the padlock means a site is safe or trustworthy. Some even think it’s a bookmark, which it is not!
So when attackers spin up a fake banking site, slap on a DV certificate, and launch a phishing email campaign, the visual signals scream "safe" (always think before clicking, as if your life depends on it). Throw in some “typo-squatting” like go0gle.com or netflx.support, and it’s game over for many users.
The Dirty Tricks Behind HTTPS Phishing
These are the tactics cyber criminals love to use in their HTTPS phishing attacks:
- Fake but “secure” websites: The attacker replicates a login page with convincing branding and a valid SSL certificate. You land, you trust, you type, they win.
- Man-in-the-Middle (MITM): Attackers intercept HTTPS traffic or trick the browser into falling back to plain HTTP, especially if a site uses outdated or misconfigured certificates.
- Wildcard certificate abuse: Once a wildcard certificate is stolen, attackers can spin up any subdomain they want under that umbrella.
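The lookalike domains above (go0gle.com, netflx.support) and brand names parked on attacker-controlled subdomains are exactly what a valid DV certificate does nothing to prevent. The following is an added example, not OutThink’s code or product, of a small defender-side check a mail gateway or SOC script could run over links in inbound mail: it normalises common homoglyph substitutions, compares the registrable label against a constructed brand list with an edit-distance threshold, and flags a brand name used as a subdomain of an unrelated domain. The brand list, URLs and the single-label-TLD assumption are all constructed for the example.

```python
from urllib.parse import urlparse

# Brand labels to protect: a constructed sample list, not a real allow-list.
BRANDS = {"google", "netflix", "apple"}

# Digits and symbols attackers substitute for look-alike letters (e.g. go0gle).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "|": "l"})


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap as 1 each."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalise(label: str) -> str:
    """Collapse common homoglyph tricks so go0gle and rnicrosoft compare fairly."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def lookalike_brand(url: str, brands=BRANDS, max_distance: int = 1):
    """Return the brand a URL's host imitates, or None. Assumes a single-label TLD."""
    labels = (urlparse(url).hostname or "").lower().rstrip(".").split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    if registrable in brands:  # the genuine domain, or one of its own subdomains
        return None
    for brand in brands:
        # Typo-squat or homoglyph in the registrable label: netflx.support, go0gle.com
        if damerau_levenshtein(normalise(registrable), brand) <= max_distance:
            return brand
        # Brand parked as a subdomain of an unrelated domain: apple.id-verify.example
        if any(normalise(sub) == brand for sub in labels[:-2]):
            return brand
    return None


if __name__ == "__main__":
    for link in ("https://go0gle.com/login", "https://netflx.support/billing",
                 "https://apple.id-verify.example/", "https://www.google.com/"):
        print(link, "->", lookalike_brand(link))  # constructed sample links
```

A hit is a reason to hold the message for review, not proof of phishing: legitimate brands do register near-miss domains, so an allow-list of known-good registrable domains belongs in front of this check.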
Even the Big Players Fall for HTTPS Phishing
Take Sony Pictures. In 2014, hackers sent phishing emails disguised as Apple ID requests to Sony employees, including senior executives. Victims clicked, saw the HTTPS padlock, and entered credentials into fake Apple sites. The result? Widespread credential theft and one very messy breach.
Or the March 2025 Netflix phishing campaign. Attackers used AI-generated emails to mimic Netflix messages, with the subject line “let’s tackle your payment details”. The email linked to a fake HTTPS login page, and users unknowingly handed over login info and credit card details.
These aren’t mom-and-pop businesses. These are household names with enterprise-grade tools. And they still got duped, because padlock trust is a powerful illusion.
Google Tried, but the Padlock Still Fools Everyone.
Here’s a fun bit of history. In 2017, Chrome started marking HTTPS sites as “Secure.” Great idea in theory. Terrible idea in practice.
People saw that label and assumed the site itself was verified. But “Secure” just meant encrypted. So criminals used HTTPS to make phishing sites look more legitimate, and users trusted the wrong thing. Google has since reversed course. The word “Secure” is gone. The padlock is on its way out too. Chrome replaced it with a more neutral “tune” icon starting with the launch of Chrome version 117, in September 2023. On iOS, the padlock icon has been removed entirely without replacement.
A better signal? Maybe. But the damage is done. We trained a generation of users to trust the lock. And now we’re asking them to unlearn it.
HTTPS Is Everywhere, so Are the Threats
Let’s do a quick reality check.
The internet has fully embraced HTTPS. According to Google’s Transparency Report, over 90% of websites now use HTTPS as the default protocol for serving content. On the surface, that’s a win for privacy and data security, because encrypted traffic means attackers can’t easily eavesdrop on sensitive information in transit. But here’s the problem: as HTTPS has become the norm, so have the threats that hide behind it.
A 2021 survey by Mimecast found that over half of IT leaders believe employees have picked up poor cybersecurity habits while working remotely - distracted, unsupervised, and often accessing sensitive systems through unsecured devices or networks.
The reality? Encryption doesn’t equal trust. HTTPS is no longer a signal of legitimacy; it’s just part of the background noise. Encryption alone can’t measure the true business impact of human risk. To translate user behaviour into financial terms and prioritize defences, see Risk Quantification for Cybersecurity Human Risk Management. The threat landscape has evolved, and our assumptions about “what looks safe” need to evolve too.
Outthink Knows Humans Are the Main Attack Surface
Security awareness training platforms that send the same old training modules every quarter aren’t enough anymore. Users aren’t just falling for phishing attacks; they’re falling for what they think is secure.
That’s why OutThink was founded: to go beyond awareness to human risk management.
OutThink’s AI-powered phishing simulator delivers real-time, adaptive training that mirrors the tactics real attackers use. It dynamically responds to evolving threat insights, ensuring employees face the latest phishing techniques, from deepfakes to fake login prompts.
You have full control to customize text, images, difficulty levels, and even the sender domains. Or choose from a vast template library with click simulations, credential capture, and email attachment attacks. Better yet, build your own custom phishing templates in the Phishing Simulation Studio.
This is hands-on learning that adapts, evolves, and actually prepares users for what’s out there.
Trust Is Not a Browser Feature
HTTPS phishing is so effective because it hijacks what people trust. A symbol. A shortcut. A sense of safety. But security isn’t about icons or acronyms. It’s about awareness, behavior, and context.
At OutThink, we believe it’s time to move from awareness to human risk management. From reactive training to proactive insight. From technical defense to human resilience. Because today, the most dangerous threats don’t just target your systems. They target your people.
Let’s give them the tools to fight back and the knowledge to know when that green padlock is nothing more than a clever disguise.
