Skip to main content

Home HTTPS phishing

HTTPS phishing

(also SSL phishing)

HTTPS phishing definition

HTTPS phishing is a type of cyberattack where attackers impersonate a trusted website that uses the HTTPS protocol to deceive victims into providing sensitive information. Despite the legitimate look and feel of these fraudulent sites – including the padlock icon indicating a secure HTTPS connection – the data entered there is sent directly to the malicious actors.

See also: angler phishing, anti-phishing service, QR code phishing, spear phishing, SSL encryption

HTTPS phishing examples

  • Online banking: Attackers might replicate a bank's online login page using HTTPS. Unsuspecting users enter their credentials, which are then captured by the fraudsters.
  • E-commerce fraud: Attackers create a fraudulent e-commerce site with HTTPS. Customers enter their payment details, which are subsequently stolen.

Advantages and disadvantages of HTTPS phishing (for attackers)


  • Efficacy: The presence of the padlock icon can lead users to believe a site is secure, making HTTPS phishing often more successful than HTTP phishing.
  • Data interception: Attackers can potentially intercept sensitive data, including login credentials, credit card information, and personal identifiers.


  • Detection: Modern web browsers and security tools are getting better at detecting phishing attempts, even on HTTPS sites.
  • Implementation complexity: Setting up a credible HTTPS phishing site requires more technical know-how compared to a standard HTTP phishing attack.

Tips to avoid HTTPS phishing

  • Verify the site's URL: Ensure the URL matches the website you intended to visit. Phishing sites often use URLs similar to, but not identical to, the legitimate ones.
  • Install and regularly update a reputable security solution: This will help detect and block phishing attempts.
  • Don't trust a site solely because it uses HTTPS: Remember, a padlock icon doesn't necessarily mean the site is legitimate — it just means the data is encrypted.