FBI: Don't Trust HTTPS or Padlock on Websites
The FBI warns that HTTPS padlocks don't mean a site is safe. What your employees need to know and how to defend against it.

The FBI issued a public service announcement warning people not to trust a website simply because it shows HTTPS or a padlock icon in the browser bar. For years, users were taught that the padlock meant a site was safe. That’s never been true, and attackers know it.
What HTTPS Actually Means
HTTPS encrypts the connection between your browser and the website server. That’s it. It means data in transit can't be read or altered by someone who intercepts it. It does not mean the website itself is legitimate, safe, or trustworthy.
Attackers can obtain SSL/TLS certificates for free, which means phishing sites, credential-harvesting pages, and malware distribution sites all display the same padlock icon as your bank’s website. The FBI found that a growing number of phishing campaigns specifically use HTTPS to appear more credible to victims.
Why This Matters for Businesses
Employees who rely on the padlock as a trust signal are exactly the targets phishing campaigns are designed for. A convincing login page with HTTPS and a familiar-looking domain is often all it takes to steal credentials, and those credentials can lead to business email compromise, wire fraud, or full network access.
Once credentials are stolen, attackers can use password reuse and credential stuffing to move deeper into business systems. This is why the FBI emphasized that user education is the one security control attackers can’t bypass. An employee trained to verify URLs, recognize social engineering tactics, and report suspicious messages is far harder to exploit than one who simply looks for a padlock.
What You Can Do
- Deploy security awareness training that includes phishing simulations with HTTPS-enabled fake sites
- Implement email filtering that scans links before they reach employee inboxes
- Enable multi-factor authentication so stolen credentials alone aren’t enough to access your systems
- Teach employees to verify URLs: look at the actual domain name, not the padlock
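The URL check from the last item, as an added example (not part of the original article or the FBI announcement): a link is judged by the host it actually resolves to, compared against an allowlist, and HTTPS alone never earns trust. The domain names, the allowlist and the `classify_link` helper are assumptions made up for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sign-in domains your organisation really uses (constructed values).
TRUSTED_DOMAINS = {"bank.example", "login.corp.example"}

def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, host, reasons). HTTPS alone never makes a link trusted."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        has_userinfo = parts.username is not None
    except ValueError:
        return "suspicious", "", ["URL could not be parsed"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("connection is not HTTPS")
    if has_userinfo:
        reasons.append("text before '@' is not the host; the real host follows it")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("internationalised host, possible look-alike characters")
    # The host must be a trusted domain or a subdomain of one; matching on the
    # end of the name defeats 'bank.example.something-else.test'.
    on_trusted = any(host == d or host.endswith("." + d) for d in trusted)
    if not on_trusted:
        reasons.append("host is not one of our domains")
        if any(d in host for d in trusted):
            reasons.append("trusted name is embedded in a different domain")
    return ("suspicious" if reasons else "trusted"), host, reasons

# Constructed sample links; .example and .test are reserved names.
SAMPLES = [
    "https://www.bank.example/login",
    "https://bank.example.secure-login.test/login",
    "https://bank.example@account-verify.test/login",
    "https://xn--bnk-6ma.example/login",
    "http://bank.example/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, host, reasons = classify_link(link)
        print(f"{verdict:10} {host:32} {'; '.join(reasons)}")
```

Four of the five sample links use HTTPS and would show a padlock, yet only the first is on a trusted domain.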