Half of all phishing sites now have the padlock

It was once good advice to “look for the padlock” as a way to tell legitimate shopping, finance, and other sites from phishing sites. Unfortunately, scammers have caught on to this advice, and today about 50% of phishing websites include the padlock and begin with https://.

In reality, the padlock and the https:// prefix only signify that data being transmitted to and from the site is encrypted and can’t be intercepted by third parties. They do not guarantee the site’s legitimacy or that it hasn’t been hijacked.

Instead of relying on the padlock clue, it’s important to carefully examine the full URL to ensure it matches the legitimate site. If an email or another web page invites you to visit a site via a link, think about the context, and consider typing the site’s web address manually instead.
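For readers who triage reported links, here is one way to automate the "does the full URL match the legitimate site" check. This is an added example, not ITS code; it covers several kinds of mismatch beyond the general advice above, and the hostnames (reserved documentation domains) and the `check_link` helper are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list of hostnames the reader really means to visit.
# example.org / example.net are reserved documentation domains, not real sites.
TRUSTED_HOSTS = frozenset({"portal.example.org", "www.example.org"})


def check_link(url, trusted=TRUSTED_HOSTS):
    """Judge a link by its hostname; https alone never makes it a match."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        # Convert internationalized names to their ASCII (punycode) form.
        host = host.encode("idna").decode("ascii")
    except ValueError:  # malformed URL or invalid domain label
        return ("mismatch", "URL could not be parsed")
    if not host:
        return ("mismatch", "no hostname in URL")
    if host in trusted:
        if parts.scheme != "https":
            return ("mismatch", "right host, but the connection is not encrypted")
        return ("match", "hostname is on the trusted list")
    if parts.username is not None:
        return ("mismatch", f"text before '@' is not the site; real host is {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("mismatch", f"lookalike characters; real host is {host}")
    if any(name in host for name in trusted):
        return ("mismatch", f"trusted name appears inside a different hostname; real host is {host}")
    return ("mismatch", f"host {host} is not on the trusted list")


# Constructed sample links. Four of the five use https, yet only one matches.
SAMPLE_LINKS = [
    "https://portal.example.org/login",
    "https://portal.example.org.login.example.net/",
    "https://portal.example.org@login.example.net/",
    "https://p\u043ertal.example.org/",  # Cyrillic letter in place of "o"
    "http://portal.example.org/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = check_link(link)
        print(f"{verdict:9} {link!r}: {reason}")
```

The comparison is an exact hostname match against a list you maintain, which is the scripted equivalent of typing the address yourself instead of trusting the link.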

If you receive an email that you suspect is phishing, don’t click any links, download any attachments, or reply. ITS will be continuing phishing education this month using emails that mimic real attacks.

For more information on how to report phishing emails, see the IT Service Portal guide, Reporting a Phishing Message (How-to).

—Peter Lundstedt, ITS