There has been a marked increase in phishing attacks that share a link to a malicious HTTPS URL rather than to a standard HTTP site. The major difference between HTTP and HTTPS is that the latter is much more secure: an HTTPS website uses Transport Layer Security (TLS) to encrypt HTTP requests and responses and to authenticate and integrity-protect them, whereas an HTTP site sends its hypertext in plain text, which is not encrypted.

When a user visits an HTTP site, any information submitted on that site can be intercepted and read in transit. So if credit card details are supplied for a purchase, they could be captured by someone other than the website owner. With HTTPS sites, which use Hypertext Transfer Protocol Secure, the connection between the browser and the website is encrypted, so an eavesdropper on the network cannot read the traffic. When a site uses HTTPS, the browser shows a padlock icon indicating to the user that the connection is secure.

Adoption of HTTPS has been growing, as has public awareness of the importance of only disclosing sensitive information when the site address starts with HTTPS. But while HTTPS prevents the interception of data in transit and indicates that the connection is secure, it does not mean that the site itself is safe. A cybercriminal cannot intercept data in transit to an HTTPS site, but if they are hosting phishing content on an HTTPS site, they receive the data directly as it is entered.

The problem is that many Internet users understand the need to look for the padlock, and they even check that the address starts with HTTPS, but they mistakenly believe that this means the site is safe, which is not necessarily the case. Cybercriminals take advantage of this.

Domain registrars and certificate authorities have controls in place to prevent SSL certificates from being issued for malicious websites, but those controls are often bypassed. Attackers also compromise legitimate HTTPS sites; once access is gained, phishing content is uploaded and the sites are used for phishing attacks without the owners being aware. The vast majority of phishing websites now use HTTPS, so HTTPS is most definitely not an indication of safe browsing. That should be covered in security awareness training to help dispel the myth that an HTTPS site is a safe site.
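As an added illustration (not code from the original article or from TitanHQ), the following Python link-triage routine separates the two questions that users tend to conflate: does the link use HTTPS, and does it actually belong to a trusted domain. Every hostname, the trusted list, the blocklist and the brand tokens below are constructed placeholders, not real indicators.

```python
from urllib.parse import urlsplit

# Constructed sample links of the kind a phishing email might carry.
# All hosts are made-up placeholders (.example TLD), not real indicators.
SAMPLE_LINKS = [
    "https://www.example-bank.com/login",                              # genuine
    "https://example-bank.com.account-verify.example/login",           # lookalike, valid HTTPS
    "https://compromised-blog.example/wp-content/secure/example-bank/",  # hijacked legit site
    "http://example-bank.com/login",                                   # genuine but plain HTTP
]

TRUSTED_DOMAINS = {"example-bank.com"}   # domains the business actually uses (assumed)
BLOCKLIST = {"account-verify.example"}   # would normally come from a URL reputation feed
BRAND_TOKENS = ("example-bank",)         # brand names attackers like to impersonate


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation; ignores multi-part public suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(url: str) -> dict:
    """Return what the user sees (padlock) alongside what a filter should decide."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    padlock = parts.scheme == "https"          # the only thing the padlock tells you
    trusted = domain in TRUSTED_DOMAINS
    blocked = domain in BLOCKLIST
    # Brand name appearing on an untrusted host or in its path is a phishing signal,
    # regardless of whether the page is served over HTTPS.
    impersonation = not trusted and any(
        t in host or t in parts.path.lower() for t in BRAND_TOKENS)
    if trusted and padlock:
        verdict = "allow"
    elif blocked or impersonation:
        verdict = "block"
    else:
        verdict = "review"
    return {"url": url, "padlock": padlock, "domain": domain, "verdict": verdict}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = triage(link)
        print(f"padlock={r['padlock']!s:5} verdict={r['verdict']:6} {r['url']}")
```

Two of the three HTTPS links are blocked even though each would show a padlock, which is exactly the gap the padlock check leaves open.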

Key Elements of Phishing Defense

So how can businesses protect against phishing? Four main anti-phishing controls should be considered, three of which are technical controls. First, there is a spam filtering solution, which scans all inbound emails and looks for signs of phishing, including malicious links to phishing content embedded in the emails. For the best protection, you should consider SpamTitan Plus, which has the fastest detection rates of malicious URLs thanks to the inclusion of all major phishing feeds and AI-based detection for identifying zero-day attacks. Fewer phishing emails in inboxes means fewer opportunities for employees to click.

The second main technical control is a web filter. A web filter – such as WebTitan – is used to carefully control what sites a user can visit. When a URL is identified as malicious, the web filter is updated and any attempt to open that URL is blocked. Web filters are also used to control the categories of content that can be accessed, providing even greater protection. With policies in place, Internet access is restricted to those websites that are vital for business operations.

The last main technical control is 2-factor or multi-factor authentication. Phishing attempts usually seek credentials, and if credentials are compromised they can be used to access an account. 2-factor and multi-factor authentication protect against unauthorized access by requiring a password and an additional form of authentication before access to the account will be granted. A password may be obtained in a phishing attack, but 2FA or MFA acts as an additional layer of protection to prevent the password from granting access to the account.

The final measure that businesses should use is security awareness training for all members of the workforce. The workforce should be trained on security best practices and the red flags to look for in emails, text messages, and other communications. A workforce trained to recognize threats can avoid them when they are encountered. SafeTitan can be used by businesses to easily create security awareness training courses for the entire workforce, customized to be relevant to each employee. The platform also includes phishing simulations to improve security awareness and identify individuals who have gaps in their knowledge so that further training can be provided.

If you have a security program with all four of these elements, your business will be well protected against phishing attacks. Speak with TitanHQ for more information and to register for a free trial of one or all of these solutions.