Brian Krebs, from KrebsOnSecurity sums it up perfectly, “Maybe you were once advised to ‘look for the padlock’ as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with “https://”.”

Sad trombone.

As Krebs goes on to explain, that added “s” after “http” is just signaling that any data passing from your browser to the site you’re going to is not visible to third parties. Adding the “s” does not add legitimacy or actual security. And that padlock might as well be a tattoo.

Just as hackers and those on the dark web have adopted more sophisticated means to target victims or promote their wares, they’ve also tuned in to common or best practices of legitimate businesses and websites.

Get the full story at KrebsOnSecurity.