Why HTTPS can no longer be trusted – 50% of phishing sites have SSL

January 21, 2020

HTTPS is HTTP carried over an encrypted TLS connection (TLS is the successor to Secure Sockets Layer, SSL, although the older name is still widely used for certificates). It was created to keep page contents intact in transit and to keep user credentials, identity, and web browsing activity private from anyone watching the network. The server presents a certificate issued by a certificate authority, which lets the browser confirm that it is talking to the domain name shown in the address bar.

The premise is sound. Unfortunately, the padlock is no longer a sign of a trustworthy website: nearly half of all phishing sites now begin with https://. A certificate proves that you are connected to the domain in the address bar; it says nothing about who registered that domain or why.

Whether or not you have received phishing training, most people know, or have been told, to visit and interact with only HTTPS websites, especially when logging into a site or making a financial transaction.

Below is an example of a real phishing website detected by Graphus for one of our customers.


As you can see, the URL starts with https and the browser shows the padlock that users are trained to read as "secure". For this particular phishing attack, the SSL certificate was procured through GoDaddy on November 28, 2018 at 9:15am EST. The email was sent to our customer on November 28, 2018 at 10:30am EST, just over an hour later.

Nearly five hours later, around 2:25pm EST, the browser began flagging the site as a phishing site. As we've talked about before, 16 minutes is the average time it takes the first employee to click on a phishing URL, so five hours is a long time for employees to open the message, click, and provide credentials.
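The timeline above suggests a simple detection heuristic that treats a valid certificate as a neutral signal rather than a positive one: compare the certificate's notBefore time with the time the message arrived, and check whether the domain impersonates a brand you protect. The following is an added example, not code from the original post or from Graphus. The domains, the brand name, the issuer strings and the timestamps are constructed for illustration; the records mimic what a Certificate Transparency log or a TLS handshake would yield.

```python
"""Score a link by how new its certificate is and whether the domain mimics a brand.

Added example, not Graphus code. The records below are constructed to look
like what a Certificate Transparency log or a TLS handshake yields.
"""
from datetime import datetime, timedelta, timezone
from difflib import SequenceMatcher

# Constructed sample certificate observations (hypothetical domains).
# Times are UTC; 14:15Z is 9:15am EST, matching the timeline in the post.
CERT_RECORDS = {
    "examplebank-secure-login.com": {"issuer": "GoDaddy", "not_before": "2018-11-28T14:15:00Z"},
    "examplebank.com": {"issuer": "DigiCert", "not_before": "2017-03-02T00:00:00Z"},
    "weather-daily.net": {"issuer": "Let's Encrypt", "not_before": "2018-11-28T10:00:00Z"},
}
# The brand we protect and the domains it legitimately uses (hypothetical).
PROTECTED_BRANDS = ["examplebank"]
LEGIT_DOMAINS = {"examplebank.com"}
# When the message carrying the link was received (10:30am EST, as in the post).
SEEN_AT = datetime(2018, 11, 28, 15, 30, tzinfo=timezone.utc)
FRESH_CERT = timedelta(hours=24)


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cert_age(not_before: str, seen_at: datetime) -> timedelta:
    """How long the certificate had existed when the message arrived."""
    return seen_at - parse_utc(not_before)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. A real implementation should consult the
    public suffix list so that e.g. 'example.co.uk' is handled; kept simple here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(host: str):
    """Return the brand a host appears to impersonate, or None.

    A host is a lookalike if it is not one of the brand's own domains and
    either contains the brand name anywhere (examplebank-secure-login.com)
    or its registrable label is a near miss for it (examp1ebank.com).
    """
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return None
    label = reg.split(".")[0]
    for brand in PROTECTED_BRANDS:
        if brand in host.lower():
            return brand
        if SequenceMatcher(None, label, brand).ratio() >= 0.8:
            return brand
    return None


def assess(host: str, seen_at: datetime = SEEN_AT) -> dict:
    """Combine certificate freshness with brand impersonation.

    Note what is deliberately absent: the https scheme and a valid
    certificate earn the site no credit at all.
    """
    record = CERT_RECORDS[host]
    age = cert_age(record["not_before"], seen_at)
    reasons = []
    if age < FRESH_CERT:
        reasons.append(f"certificate from {record['issuer']} issued only {age} before the message")
    brand = lookalike_brand(host)
    if brand:
        reasons.append(f"domain impersonates {brand}")
    if brand and age < FRESH_CERT:
        verdict = "phishing-likely"
    elif reasons:
        verdict = "review"
    else:
        verdict = "ok"
    return {"host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for h in CERT_RECORDS:
        print(assess(h))
```

Run as a script and the hypothetical lookalike is marked phishing-likely because its certificate is 1h15m old and its name contains the protected brand; the genuine bank domain is left alone despite the same brand string, and the unrelated site with a fresh certificate is only queued for review. In practice the certificate records come from Certificate Transparency logs or from the handshake at click time, and the registrable-domain logic should use the public suffix list rather than the two-label shortcut used here.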


Luckily for our customer, Graphus detected this attack instantly and generated an alert. They also had EmployeeShield activated, our interactive warning banner. One of the recipients identified the message as a phishing attack and quarantined it, instantly, not just from their own inbox but from every inbox that had received it. Giving recipients the ability to act the moment an attack arrives is just one of the advantages Graphus offers. We talk more about how this works in our case study, “In the race against phishing attacks, seconds matter”.

Detecting and mitigating highly targeted and zero-day attacks is what Graphus specializes in.