Trusting HTTPS Could Be Your Biggest Mistake - Here’s Why

Jun 16

Olivia Debroy
Olivia Debroy loves to craft impactful narratives at the intersection of journalism, data, and digital media, leveraging her expertise to tell stories that inform, engage, and inspire. She has reported for leading Indian publications such as The Hindu and Deccan Herald and is currently pursuing her Master’s in Journalism and Mass Communication with a minor in AI & Data Journalism at St. Joseph’s University, Bangalore, where she continues to sharpen her storytelling craft with a focus on data, innovation, and media strategy.

We have all been there!

You check a website. It looks perfectly legitimate. The URL has a comforting padlock icon next to it. HTTPS? Check again. You breathe easy.

And then? Credentials stolen, accounts compromised, and now the SOC is in full meltdown mode. How the heck did it happen? You are flabbergasted.

Well, step into the deceptive world of HTTPS phishing - a modern twist on a historical scam, where bad actors dress up malicious sites in security theater and watch users fall like dominoes.

Isn’t HTTPS Supposed to Be Secure?

Yes, but also... not really.

HTTPS (Hypertext Transfer Protocol Secure) encrypts the connection between your browser and the website you're on. It ensures your data is protected while in transit. But here’s the catch: it does not confirm whether the site you’re connected to is legitimate.

That little padlock icon? It means the site encrypts data and nothing more. And attackers are betting you don’t know that.

According to the Anti-Phishing Working Group (APWG), more than 90% of phishing websites used HTTPS (the padlock) in 2023. That’s not a typo. Ninety percent.

And getting a Domain Validated (DV) SSL certificate, the most common kind used in phishing attacks, is fast, free, and doesn’t require identity verification. Basically, anyone can get one.

Why HTTPS Phishing Works So Well

Because it preys on misplaced trust.

Surveys show that nearly half of all users think the padlock means a site is safe or trustworthy. Some even think it’s a bookmark, but it's actually not!

So when attackers spin up a fake banking site, slap on a DV certificate, and launch a phishing email campaign, every visual signal screams "safe". Think before you click, as if your life depends on it. Throw in some “typo-squatting” like go0gle.com or netflx.support, and it’s game over for many users.
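As an added illustration (not part of the original article), the Python below triages clicked links by hostname rather than by scheme, flagging lookalikes such as go0gle.com and netflx.support even though they are served over HTTPS. It also covers a brand name placed in a subdomain of an unrelated domain; the protected-brand list, the homoglyph map, the distance threshold and the sample URLs are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Assumed for this example: brands to protect and the domains they really use.
PROTECTED = {"google": {"google.com"}, "netflix": {"netflix.com"}}

# Digit-for-letter swaps often seen in lookalike names (illustrative, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, max_distance: int = 1) -> str:
    """Return 'legitimate', 'lookalike:<brand>' or 'unknown'.

    The scheme is ignored on purpose: https:// says the link is encrypted,
    not that the host belongs to the brand it imitates.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    for domains in PROTECTED.values():
        if any(host == d or host.endswith("." + d) for d in domains):
            return "legitimate"
    # Compare every label except the TLD, so brand names parked in a
    # subdomain of an unrelated domain are caught as well.
    for label in host.split(".")[:-1]:
        normalized = label.translate(HOMOGLYPHS)
        for brand in PROTECTED:
            if edit_distance(normalized, brand) <= max_distance:
                return f"lookalike:{brand}"
    return "unknown"


# Constructed sample of clicked links, e.g. from a mail gateway or proxy log.
SAMPLE_URLS = [
    "https://go0gle.com/accounts/signin",
    "https://netflx.support/billing",
    "https://netflix.billing-update.example/login",
    "https://accounts.google.com/signin",
    "http://www.netflix.com/",
    "https://example.org/news",
]


def triage(urls):
    """Map each URL to its verdict."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:20} {url}")
```

A production filter would replace the last-label TLD handling with the Public Suffix List and add Unicode confusables; both are left out here to keep the example self-contained.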

The Dirty Tricks Behind HTTPS Phishing

These are the tactics cyber criminals love to use for their HTTPS phishing attacks:

  • Fake but “secure” websites: The attacker replicates a login page with convincing branding and a valid SSL certificate. You land, you trust, you type, they win.
  • Man-in-the-Middle (MITM): Hackers intercept HTTPS traffic or trick the browser into falling back to HTTP, especially if a site uses outdated or misconfigured certs.
  • Wildcard certificate abuse: Once a wildcard cert is stolen, attackers can spin up any subdomain they want under that umbrella.

Even the Big Players Fall for HTTPS Phishing

Take Sony Pictures. In 2014, hackers sent phishing emails disguised as Apple ID requests to Sony employees, including senior executives. Victims clicked, saw the HTTPS padlock, and entered credentials into fake Apple sites. The result? Widespread credential theft and one very messy breach.

Or the March 2025 Netflix phishing campaign. Attackers used AI-generated emails to mimic Netflix messages, with the subject line “let’s tackle your payment details”. The email linked to a fake HTTPS login page, and users unknowingly handed over login info and credit card details.

These aren’t mom-and-pop businesses. These are household names with enterprise-grade tools. And they still got duped because padlock trust is a powerful illusion.

Google Tried, but the Padlock Still Fools Everyone

Here’s a fun bit of history. In 2017, Chrome started marking HTTPS sites as “Secure.” Great idea in theory. Terrible idea in practice.

People saw that label and assumed the site itself was verified. But “Secure” just meant encrypted. So criminals used HTTPS to make phishing sites look more legitimate and users trusted the wrong thing. Google has since reversed course. The word “Secure” is gone. The padlock is on its way out too. Chrome replaced it with a more neutral “tune” icon starting with the launch of Chrome version 117, in September 2023. On iOS, the padlock icon has been removed entirely without replacement.

A better signal? Maybe. But the damage is done. We trained a generation of users to trust the lock. And now we’re asking them to unlearn it.

HTTPS Is Everywhere, so Are the Threats

Let’s do a quick reality check.

The internet has fully embraced HTTPS. According to Google’s Transparency Report, over 90% of websites now use HTTPS as the default protocol for serving content. On the surface, that’s a win for privacy and data security because encrypted traffic means attackers can’t easily eavesdrop on sensitive information in transit. But here’s the problem: as HTTPS has become the norm, so have the threats that hide behind it.

A 2021 survey by Mimecast found that over half of IT leaders believe employees have picked up poor cybersecurity habits while working remotely - distracted, unsupervised, and often accessing sensitive systems through unsecured devices or networks.

The reality? Encryption doesn’t equal trust. And HTTPS is no longer a signal of legitimacy; it’s just part of the background noise. The threat landscape has evolved, and our assumptions about “what looks safe” need to evolve too.

OutThink Knows Humans Are the Main Attack Surface

Security awareness training platforms that send the same old training modules every quarter aren’t enough anymore. Users aren’t just falling for phishing attacks; they’re falling for what they think is secure.

That’s why OutThink was founded: to go beyond awareness to human risk management.

OutThink’s AI-powered phishing simulator delivers real-time, adaptive training that mirrors the tactics real hackers use. It dynamically responds to evolving threat insights, ensuring employees face the latest phishing techniques, from deepfakes to fake login prompts.

You have full control to customize text, images, difficulty levels, and even the sender domains. Or choose from a vast template library with click simulations, credential capture, and email attachment attacks. Better yet, build your own custom phishing templates in the Phishing Simulation Studio.

This is hands-on learning that adapts, evolves, and actually prepares users for what’s out there.

Trust Is Not a Browser Feature

HTTPS phishing is so effective because it hijacks what people trust. A symbol. A shortcut. A sense of safety. But security isn’t about icons or acronyms. It’s about awareness, behavior, and context.

At OutThink, we believe it’s time to move from awareness to human risk management. From reactive training to proactive insight. From technical defense to human resilience. Because today, the most dangerous threats don’t just target your systems. They target your people.

Let’s give them the tools to fight back and the knowledge to know when that green padlock is nothing more than a clever disguise.
