Hidden Content
It may look legit, but keep your guard up anyway.

You may have heard you should look for the padlock symbol at the top of a website before entering your password or credit card information into an online form. It's well-meaning advice, but new data shows it isn't enough to keep your sensitive information secure.
As it turns out, fraudsters got wise and started adding the padlock, which until recently was a bright green in most browsers, to their websites too. That means a padlock is no guarantee that a website is safe.
That's according to data from cybersecurity firm PhishLabs, first reported by security writer Brian Krebs, which shows that almost half of all fraudulent pages have a padlock -- meant to indicate that the site is secure -- next to the URLs of their websites.
The upshot is that there's no one trick to protect you from the dark side of the internet. You have to be savvier than ever to avoid scammers and check for more than one sign that a website is legitimate.
That means making sure the website's URL is correct and, whenever possible, typing the URL into the browser instead of following a link from an email. Tools like password managers and security software can also help: To stop you from being fooled by an extra convincing scam website, they'll warn you when a URL doesn't match the legitimate website or stop you from opening a scammy site to begin with.
"Awareness really is key," said Adam Kujawa, director of the research arm of cybersecurity company Malwarebytes. "It's up to the user to say, is this actually legit?"

What the padlock really means
The padlock has always been an imperfect symbol. It's there to tell you something that's specific, and also pretty technical, and that's hard to get across with a simple image.
The lock is supposed to tell you that a website sends and receives information from your web browser over a secure, encrypted connection. Websites with secure connections start with the letters https, not http, and these days they use an encryption standard called TLS. The secure connection makes it so nobody can read your web traffic as it travels through the internet's vast, global infrastructure.
The lock doesn't tell you anything about the legitimacy of the site.
PhishLabs CTO John LaCour
Here's why that's a good thing: it makes sure that sensitive information like passwords and credit card numbers gets scrambled up so that only the website intended to receive it can read it. That's really important for things like online shopping or signing on to your bank's website.
That's also why it's still true that you should never enter your information if a website doesn't have a secure connection.
For many people, though, the padlock just means a website is generally safe. That's not true for a lot of reasons.

Criminals can use security features too
Scammers who want to trick you into entering sensitive information can put a green padlock on their websites too, and they're doing it more and more. When PhishLabs began collecting data in early 2015, less than half a percent of phishing websites sported a padlock. The number climbed quickly, up to about 24 percent in late 2017 and now more than 49 percent in the final quarter of 2018.
It makes sense that scammers would be using the padlock more and more, said PhishLabs Chief Technology Officer John LaCour. That's because it's gotten easier and cheaper for website creators to use an encrypted connection, thanks to pushes from cybersecurity experts at Google, Electronic Frontier Foundation and other tech heavyweights.
Criminals can now easily obtain certificates that enable the padlock to show up and encryption to take place, and they can do it without revealing very much about who they are.
What's more, changes at major browsers like Chrome and Firefox have made sites without TLS encryption look much more dangerous to users, with a very visible warning that the site isn't secure. That provided extra motivation for criminals to show the padlock on their websites, LaCour said, and avoid looking obviously shady.
"The lock doesn't tell you anything about the legitimacy of the site," he said. "It only tells you that your data is encrypted as it's sent over the internet."

It's not all bad news
It's probably for the best that scammers are using encryption on their phishing websites, said Nick Sullivan, head of cryptography at Cloudflare, a company that, among other things, helps organizations encrypt their websites.
That's because sending valuable information that anyone could intercept and read is always a bad idea, even if your immediate problem is that you've just sent off your bank account information to a scammer in another country.
"There's nothing bad about phishing sites having encryption," Sullivan said.