The FBI has issued a warning about the use of TLS-secured websites in phishing campaigns. In the context of phishing awareness training, users are usually told to avoid websites that do not use HTTPS and/or lack a valid TLS certificate, which means that there is no “padlock” next to the browser’s address bar. While it is good practice not to trust sites without a valid certificate, the presence of a padlock in no way guarantees that a certain domain is used for legitimate purposes.

Based on the knowledge that users nevertheless tend to trust websites with a padlock, threat actors are “more frequently incorporating website certificates—third-party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts, ” the PSA by the FBI reads. “These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure.”

The FBI urges users to follow these recommendations:

• “Do not simply trust the name on an email: question the intent of the email content.
• If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
• Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).
• Do not trust a website just because it has a lock icon or ‘https’ in the browser address bar.”

Read more: FBI Issues Warning on ‘Secure’ Websites Used For Phishing