FBI Warning on TLS-secured Websites


Last year, Google Chrome went through a process of branding unencrypted HTTP websites as “unsafe,” promoting HTTPS websites as the gold standard for online security. While a positive change, this update hasn’t discouraged some hackers from trying to steal data and phish unsuspecting users by banking on their trust of TLS-secure sites, according to a new warning from the FBI.

With malware sites often disguising themselves as safe, encrypted pages, it’s even more important for users to know how to distinguish trustworthy sites from unsafe ones. Unfortunately, as data thieves and hackers become sneakier in finding ways to steal data, users can’t continue to trust HTTPS websites to be legitimate, even if they are encrypted, TLS-secure sites.

If you want to learn more about the FBI warning and how to better protect yourself from cyber threats online, here’s what you need to know.

What is this FBI Warning About?

After Chrome started urging users to trust only TLS-secure websites in its 2018 update, a sense of false security took over. In the midst of all the confusion, hackers saw a chance to move in on HTTPS websites, either corrupting secure sites or finding ways to secure TLS certificates for malware and phishing sites and extensions. Because the discussion around the Chrome update was centered around heightened security, many users today believe that it’s enough to see the green secure lock symbol before the URL to trust a website. That’s why it’s so important to pay close attention to a site’s URL to make sure it hasn’t been corrupted. In some cases, hackers could even use a page’s certified status to trick visitors into thinking it’s a legitimate, protected site.

How Do I Stay Safe?

The best way to stay safe is to question any and every site that asks for your information unprompted. If you receive an email from an unknown source, the FBI recommends that you check for obvious red flags like spelling errors and incorrect domain names before responding. When shopping online, always make sure that you’re checking out through a secure service like Shopify, PayPal, or Stripe. If a pop-up or email asks you to verify your information, make sure it’s a legitimate request rather than a skillful piece of malware designed to trick you into sharing private information. Always use two-step verification when you can, so that you have that extra layer of protection when checking out, exchanging sensitive information or identification details, or completing an online payment.
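The domain check described above can be automated. The following Python sketch is an added example, not part of the original article or of any FBI guidance: it shows that a valid `https://` scheme says nothing about who runs a site, and flags hostnames that only resemble a trusted one. The allowlist, the reason strings, and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the domains this user really does business with.
TRUSTED = {"paypal.com", "shopify.com", "stripe.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(url: str):
    """Return (verdict, reasons); verdict is 'expected', 'suspicious' or 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not-https")
    if parts.username is not None:          # https://brand.com@other.host/ misleads the eye
        reasons.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-label")    # internationalized name; may imitate Latin letters
    on_trusted = any(host == t or host.endswith("." + t) for t in TRUSTED)
    if not on_trusted:
        # Simplification: treat the last two labels as the registrable domain
        # (a production check would consult the Public Suffix List).
        base = ".".join(host.split(".")[-2:])
        for t in sorted(TRUSTED):
            if t.split(".")[0] in host:
                reasons.append("brand-outside-its-domain:" + t)
            elif 0 < edit_distance(base, t) <= 2:
                reasons.append("lookalike-of:" + t)
    if reasons:
        return "suspicious", reasons
    return ("expected" if on_trusted else "unknown"), reasons

if __name__ == "__main__":
    # Constructed sample URLs; every one of them could present a valid padlock.
    for u in ["https://checkout.shopify.com/cart", "https://paypa1.com/login",
              "https://paypal.com.secure-login.example/", "https://example.org/"]:
        print(u, assess(u))
```

An "unknown" verdict means only that the host is not on the allowlist; it is not a statement that the site is safe.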

How Do I Keep My Customers Safe?

If you run a business online, the best thing you can do to protect your users or customers is to make sure all your server’s security settings are up to date and that you’re using an Extended Validation (EV) SSL/TLS certificate, which verifies and displays your organization’s legal name. Not only should you be cautious of phishing emails, but you should also tell your customers to be on the lookout for emails asking for personal information. Pay attention to updates and don’t let them go ignored for too long. Letting your site go unprotected for too long could open you up to a phishing attack, and if you’re running a small business, you never want to put your customers or subscribers in peril.