Krebs on Security reports that research from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in Q3 used HTTPS and showed up in browsers as secure sites. A secure indicator in the browser does not mean a site is safe to send your data to.
Maybe you were once advised to “look for the padlock” as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that 50% of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with “https://”.
This alarming shift is notable because a majority of Internet users have taken the age-old “look for the lock” advice to heart, and still associate the lock icon with legitimate sites. A PhishLabs survey conducted last year found more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe.
In reality, the https:// part of the address (also called “Secure Sockets Layer” or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and can’t be read by third parties. The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.