Alert for Employee Education: FBI Issues Warning About Exploitation of “Secure” Websites
Thursday, June 20, 2019
FBI Alert HTTPS Phishing and Cyber Crimes
Print Mail Download i

We all have been trained to look at website addresses with a critical eye to make sure they have “https,” as those websites are supposed to be secure. The “s” at the end signifies to us that it is secure. The lock at the beginning of the website address is supposed to signify that it is a secure website. This is something that I mention when I offer employee education to clients—they should only open websites that are secure and locked.

Not anymore. On June 10, 2019, the FBI’s Internet Crime Complaint Center (IC3), issued an alert called “Cyber Actors Exploit ‘Secure’ Websites in Phishing Campaigns.” The alert states that cybercriminals are “banking on the public’s trust of ’https‘ and the lock icon. They are more frequently incorporating website certificates—third party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts. These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure.”

In other words, the cyber criminals are spoofing the HTTPS address and the lock icon, just as they are spoofing domain names, signature lines, email addresses and telephone numbers. I guess we shouldn’t be surprised. But it is important that your employees are aware of this new alert and that they be super cautious about trusting the lock icon and the “https” designation.

According to the FBI alert, “[T]he following steps can help reduce the likelihood of falling victim to HTTPS phishing:

  • Do not simply trust the name on an email: question the intent of the email content.

  • If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.

  • Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).

  • Do not trust a website just because it has a lock icon or “https” in the browser address bar.

Victim Reporting

“The FBI encourages victims to report information concerning suspicious or criminal activity to their local FBI field office, and file a complaint with the IC3 at www.ic3.gov. If your complaint pertains to this particular scheme, please note “HTTPS phishing” in the body of the complaint.”

I am incorporating this information into employee training—you may wish to consider doing the same.

Copyright © 2024 Robinson & Cole LLP. All rights reserved.

Current Legal Analysis

More from Robinson & Cole LLP

FTC Votes to Finalize Rule Banning Non-Compete Agreements Nationwide
by: Ian T. Clarke-Fisher , Trevor L. Bradley
Cisco Releases Updates to Vulnerabilities in Firewall Platforms
by: Linn F. Freedman
USPTO Issues Guidance on Use of AI Based Tools
by: Daniel J. Lass
California Trap & Trace Class Actions on the Rise in the Age of Website Trackers
by: Kathryn M. Rattigan
Aid Package Signed by President Biden Includes Divestiture of TikTok Requirement
by: Linn F. Freedman
Privacy Tip #395 – GM Faces Class Action for Collecting + Disclosing Drivers’ Data Without Consent
by: Linn F. Freedman
AI, Government Contractors, and Employment Discrimination
by: Data Privacy & Cybersecurity Robinson Cole
Chicago’s Application of Parking Regulations Violates RLUIPA
by: Eden (Hunter) Yerby
The Department of Education Releases Significant Revisions to Title IX Regulations
by: Kathleen E. Dion , Seth B. Orkand
Privacy Tip #394 – Colorado Amends Privacy Law to Include Neurodata
by: Linn F. Freedman

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins