Why you can’t solely trust the green padlock

For many internet users, the little green lock icon in the URL bar gives a sense of confidence when browsing online. They believe that they are safe from the scammers who are constantly trying to find ways to obtain sensitive information such as full names, addresses and credit card information. Unfortunately, the misconception behind this icon may be doing some harm, as it creates a false sense of security for users.

Obtaining an SSL certificate, then vs now

In the past, for a webmaster to obtain an SSL certificate they would have to fill out long, tedious documents and pay exorbitant fees. If there was any small error in the documents, the webmaster would have to start the approval process again. The process seemed as tedious as getting a passport, if not more so.

Nowadays SSL is easy: tools such as Certbot allow webmasters to obtain a certificate within minutes, and most web hosts automate the process without charge. While this ease has made the internet a safer place for its users in general, it has also made it easier for anyone, including scammers, to make a website that shows the green lock.

What does the lock mean

The lock itself serves two purposes. It ensures that:

  1. The connection between the user and the web site is encrypted and;
  2. The server is the domain it claims to be

However, it doesn’t assure that the website is not a phishing site. (The double negative is intended.)

Where can things go wrong

Meet Alice. Alice is an internet user who just received an email from her bank (Example Bank) claiming that there are suspected fraudulent transactions on her account. The email provides a handy link, example-bank.com, to quickly log in and check. Alice, who is aware of phishing emails (fake emails from scammers attempting to steal data), is suspicious of the link, so she clicks it with caution (whatever that means). The website appears to look correct and contains the green lock of approval. Alice proceeds to log in; once she does, she receives an error message asking her to try again later. A couple of days pass and Alice receives a call from Example Bank about suspicious bank transfers. She is told to go to examplebank.com and check the transfers.

What Happened?

It turns out that the email was fake and the link led to a phishing site. The scammers had deceptively used a similar URL, example-bank.com, whereas the legitimate webpage was examplebank.com. Once Alice “logged in”, the scammers were able to transfer money out of her account.
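The check Alice could not do by eye can be automated on the defender's side, for example in a mail filter. The following Python sketch is an added example, not part of the original post: it classifies a link against a list of domains the user really deals with and flags near-misses such as example-bank.com, going beyond the hyphen case to also catch small misspellings and trusted names embedded in a longer hostname. The `TRUSTED_DOMAINS` list, the function names and the distance threshold of 2 are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains the user really does business with (from the story above).
TRUSTED_DOMAINS = {"examplebank.com"}

def hostname_of(link):
    """Return the lower-cased hostname of a link, with or without a scheme."""
    if "://" not in link:
        link = "https://" + link
    return (urlsplit(link).hostname or "").rstrip(".")

def skeleton(host):
    """Drop 'www.', hyphens and dots so cosmetic variations compare equal."""
    if host.startswith("www."):
        host = host[4:]
    return host.replace("-", "").replace(".", "")

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(link, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a link."""
    host = hostname_of(link)
    # Exact match or a genuine subdomain of a trusted domain.
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return "trusted"
    # Not trusted, but suspiciously close to something that is.
    s = skeleton(host)
    for domain in trusted:
        d = skeleton(domain)
        if d in s or edit_distance(s, d) <= 2:
            return "lookalike of " + domain
    return "unknown"

if __name__ == "__main__":
    # Constructed sample links, including the two from Alice's story.
    for link in ("example-bank.com", "https://www.examplebank.com/login",
                 "https://examp1ebank.com/", "https://weather.example.org/"):
        print(f"{link:40} {classify_link(link)}")
```

Both domains in the story can hold a valid certificate and show the lock, so the verdict here depends only on the name, never on whether the connection is encrypted.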

What Can be done

  • Think twice before clicking on email links: Even if an email looks authentic, navigate to the company’s webpage using a search engine.
    • Sometimes there are exceptions where the link may be the only way to access something. In that case:
      1. Go to the website using a search engine.
      2. Log in to that website.
      3. Click the link. (Note: this link can potentially be malicious. I’ve warned you.)
    • If the webpage asks you to log in again, it is most likely a phishing site.

  • Enable 2 Factor Authentication (2FA): 2FA is an additional security check (such as a code via SMS, email or app) which prevents those with only a password from gaining access to an account.
    • Note: 2FA is not a substitute for a poor password choice, and if you believe someone has your password you SHOULD change the password instead of relying on 2FA to keep the account secure.


The green padlock is great, but users need to remember that even phishing sites can have one. While it prevents scammers from tampering with connections, we must still make sure the webpage we are accessing isn’t the scammer’s in the first place. Utilising search engines and 2FA can go a long way towards preventing being scammed through phishing attempts.
