Recent research from PhishLabs shows that more than 50% of phishing sites now use TLS certificates (still widely called SSL certificates). This is not surprising, since a phishing site depends on being mistaken for the genuine site it mimics: the closer the imitation, the more effective the attack. A certificate gives the page the lock icon and an https:// address, two cues whose absence used to be an important tip-off that a site was not on the up and up. The lock only means the connection to the site is encrypted; it says nothing about who operates the site.
As Brian Krebs points out, for more than two decades, the average internet user has been told to “look for the lock,” so this technique may make a real difference in how many people fall prey to these scams.
The good news is that we can all do better. The industry already has a solution defined by the relevant standards body, supported by browsers, and in production today: Extended Validation (EV) certificates, whose issuance rules are set by the CA/Browser Forum’s EV Guidelines and which, in popular browsers, display the certificate holder’s verified company name next to the URL. Before issuing an EV certificate, the CA must verify the organization’s legal existence, identity and physical address against government and other independent records, so the name shown in that bar is backed by that validation. The Domain Validation (DV) certificates found on phishing sites, by contrast, involve no company identity check at all: the CA confirms only that the applicant controls the domain name, which any phisher who has registered a look-alike domain can do. One caveat for readers today: in 2019 Chrome 77 and Firefox 70 stopped showing the EV company name in the address bar and moved it into the certificate details, so the validated identity is still in the certificate but is no longer prominently displayed.
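As an added example (not from the original post), the following shell script shows how to tell from a certificate itself whether it carries EV organization identity, independently of any browser indicator. It generates two constructed self-signed certificates with openssl, one shaped like a DV certificate (domain name only) and one shaped like an EV certificate (organization in the subject plus the CA/Browser Forum EV policy OID 2.23.140.1.1), and classifies each. The domain, organization name and file names are hypothetical, and a real EV certificate would be issued by a CA rather than self-signed; the script needs the openssl command-line tool (1.1.1 or later for -addext).

```shell
#!/bin/sh
# Added example, not from the original post: classify a certificate as EV or DV
# by inspecting the certificate, not the browser UI. An EV certificate carries
# the CA/Browser Forum EV policy OID 2.23.140.1.1 in its certificatePolicies
# extension and a validated Organization (O=) in its subject; a DV certificate
# has neither. Requires the openssl CLI (1.1.1+).
set -e

EV_POLICY_OID="2.23.140.1.1"   # CA/Browser Forum Extended Validation policy OID

# cert_identity FILE: prints "EV <organization>" for an EV certificate,
# otherwise "DV <common name>" (no validated organization identity).
cert_identity() {
    if openssl x509 -in "$1" -noout -text | grep -q "Policy: $EV_POLICY_OID"; then
        # -nameopt multiline prints one RDN per line, e.g.
        #     organizationName          = Example Bank Inc
        org=$(openssl x509 -in "$1" -noout -subject -nameopt multiline \
              | sed -n 's/^ *organizationName *= *//p')
        echo "EV $org"
    else
        cn=$(openssl x509 -in "$1" -noout -subject -nameopt multiline \
             | sed -n 's/^ *commonName *= *//p')
        echo "DV $cn"
    fi
}

# Constructed test material (hypothetical names): two self-signed certificates,
# one shaped like a DV cert and one shaped like an EV cert. A real EV cert is
# issued by a CA after identity validation; self-signing only mimics its shape.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=login.example.com" \
    -keyout "$WORK/dv.key" -out "$WORK/dv.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=US/O=Example Bank Inc/CN=login.example.com" \
    -addext "certificatePolicies=$EV_POLICY_OID" \
    -keyout "$WORK/ev.key" -out "$WORK/ev.pem" 2>/dev/null

cert_identity "$WORK/dv.pem"   # DV login.example.com
cert_identity "$WORK/ev.pem"   # EV Example Bank Inc
```

To run the same check against a live site, save its leaf certificate with `openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | openssl x509 > site.pem` and pass site.pem to cert_identity. Note that the check only reports what the certificate claims under the EV policy; whether the displayed organization is the one the user expects is still a judgment the user has to make.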
Unfortunately, far too many sites have failed to step up to EV, even though the extra cost is modest: a higher certificate price and a validation step in which the CA checks the organization’s legal records, which takes days rather than the minutes a DV certificate takes. Had sites done so systematically in recent years, phishing sites impersonating them would be much easier to tell apart from the real thing. Sure, the phishers would still put DV certificates on their sites, but the validated company name would be missing.
It’s not too late. Research indicates that site visitors form a more positive brand impression of a company that uses the branded address bar on its site, and that they are more likely to engage in transactions on these sites, including purchasing, filling in forms, and signing up for new accounts. Companies employing the branded address bar receive these benefits today, with the added bonus of an unambiguous differentiator between their own, real sites and phishers’ fakes.