HTTPS (HTTP Secure) is an adaptation of the Hypertext Transfer Protocol (HTTP), the basis of the World Wide Web. Netscape created it in 1994 for use in its browser, with the aim of establishing connections and transferring data on websites securely. Adoption has grown steadily ever since: Statoperator estimates that, of the million websites visited worldwide, more than 315,000 use HTTPS. But does HTTPS really make a website safe? How can you protect yourself from attacks?
How does HTTPS work?
HTTPS pages use the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocols to encrypt connections. Servers and clients still communicate using HTTP, but over an SSL or TLS connection that encrypts the requests, responses and data transferred. In theory this makes a website safer than one served over plain HTTP, because encryption reduces the chances of a third party intercepting or interfering with the connection. You can identify an HTTPS website by the green padlock next to its URL in the browser; the padlock confirms that the connection is encrypted, not who operates the site.
The dangers of phishing
Just because the transfer of information is encrypted with HTTPS does not mean that the website you are visiting is safe. The clearest example of this is phishing. A website can impersonate a legitimate site in order to gather user data and exploit it, and it can then obtain an HTTPS certificate of its own, which prevents third parties from intervening in the transfer of that data. In fact, nearly 25% of phishing attacks are carried out on HTTPS websites.
Phishing therefore poses a serious risk in any corporate setting: employees who do not take the necessary precautions and fall victim to a phishing attack could hand over confidential information, such as banking details, putting your company at serious risk.
How to prevent phishing attacks
Perry Carpenter is Chief Evangelist and Strategy Officer at KnowBe4, one of the most popular business cybersecurity and simulated phishing platforms. He believes that, in general, users are “the weakest link”: attackers trick employees into clicking on dangerous links or downloading malware.
The best way to prevent phishing attacks is education and awareness training, beginning by encouraging good cybersecurity habits at a company. By doing this, employees become a line of defense when firewalls and detection systems fail to detect a threat.
One way to teach good habits is by simulating phishing attacks. These usually simulate email attacks, since 91% of phishing attacks are carried out through email, but it is also advisable to practice with fake websites. Obviously, it is also a good idea to include examples of phishing attacks carried out with HTTPS websites. These simulations allow users to make mistakes risk-free and, with practice, learn to recognize the common characteristics of phishing attacks.
The most important patterns employees should recognize to prevent phishing attacks are:
- Email subjects: according to a study from KnowBe4, security alerts, vacation and sick time policy, and package delivery are the most common phishing email subjects. Employees should learn the defining traits of authentic emails from their company and from the providers in their contact list.
- URL: this is a very distinctive trait. The URL of a fraudulent website often contains terms similar to those of the original website, sometimes differing only slightly. Employees should pay special attention to the URL to make sure it is authentic.
- Language: although it is not a defining trait, many phishing emails and websites are written in a different language than the company uses, or are poor translations.
- Forms and data requests: before giving away company data through a form or responding to a request, employees should check whether there are other habitual channels for sending that information and, of course, verify the website’s authenticity.
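The two points the article makes about HTTPS and URLs can be turned into a small automated check: an HTTPS scheme tells you nothing about who owns the site, while lookalike hostnames (swapped characters, an extra letter, a trusted brand buried in a subdomain, a different top-level domain) are what employees are asked to spot. The script below is an added example written for this article, not code from the article or from KnowBe4 or Panda Security. The trusted domain list, the confusable-character table and the sample URLs are constructed for illustration, and the "registered domain" extraction is a naive last-two-labels approximation rather than a public-suffix lookup.

```python
"""Flag lookalike URLs against a list of trusted domains (constructed example)."""
from urllib.parse import urlsplit

# Constructed list of domains the organisation legitimately uses.
TRUSTED_DOMAINS = ["example.com", "examplebank.com", "knowbe4.com"]

# Character sequences attackers commonly swap for visually similar ones.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def normalise(label: str) -> str:
    """Map visually similar characters to a canonical form (examp1e -> example)."""
    out = label.lower()
    for src, dst in CONFUSABLES.items():
        out = out.replace(src, dst)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character near misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Naive 'last two labels' extraction; a real tool would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return a verdict ('trusted', 'suspicious' or 'unknown') and the reasons for it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registered_domain(host)
    findings = []

    if reg in trusted:
        return {"host": host, "verdict": "trusted", "findings": []}

    # HTTPS only proves the transport is encrypted; it is recorded, not counted as trust.
    if parts.scheme == "https":
        findings.append("https: transport is encrypted, identity still unverified")

    name = reg.split(".")[0]
    for t in trusted:
        t_reg = registered_domain(t)
        t_name = t_reg.split(".")[0]
        if t_reg in host and reg != t_reg:
            # Trusted brand appearing as a subdomain of an unrelated domain.
            findings.append(f"brand-in-subdomain: '{t_reg}' inside '{host}'")
        elif normalise(name) == t_name and name != t_name:
            # Same name once confusable characters are folded (examp1e, exarnple).
            findings.append(f"confusable: '{name}' mimics '{t_name}'")
        elif 0 < edit_distance(name, t_name) <= 2:
            # Typo-style variants (examplle, exmaple).
            findings.append(f"near-miss: '{name}' is within 2 edits of '{t_name}'")
        elif name == t_name and reg != t_reg:
            # Known brand under a different top-level domain (example.net).
            findings.append(f"tld-swap: '{reg}' vs '{t_reg}'")

    suspicious = any(not f.startswith("https:") for f in findings)
    return {"host": host, "verdict": "suspicious" if suspicious else "unknown", "findings": findings}


if __name__ == "__main__":
    # Constructed sample URLs, including one that uses HTTPS.
    for sample in ["https://www.example.com/login", "https://examp1e.com/login",
                   "http://example.com.secure-login.test/", "https://example.net/"]:
        print(sample, "->", assess_url(sample))
```

The check is deliberately conservative: an unknown domain with no lookalike features is reported as "unknown" rather than "safe", and the HTTPS scheme is listed among the findings only so that a reviewer sees the padlock was present and still does not treat it as proof of identity, which is exactly the point the article makes about phishing sites obtaining certificates.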
In any case, the best advice to stay protected from phishing attacks is for everyone involved at an organization to be careful. Making sure all content is authentic is always a good idea. Lastly, if these preventative measures fail, it is also advisable to have a comprehensive solution that offers real-time monitoring of your corporate network and prevents attacks before they occur, such as Panda Adaptive Defense. In case of human error, these types of solutions minimize the impact of a phishing attack on a company.