By now many people know that “https” before a web address means that the site is secure. However, they may not understand what “secure” actually means. Even the U.S. government doesn’t seem to fully understand it, as the Census Bureau site includes this false statement: “The https:// ensures that you are connecting to the official website…”
Secure websites use the https prefix and will show a locked padlock in the browser address bar. The https in a web address (also called “Secure Sockets Layer” or SSL) merely indicates that the data being transmitted back and forth between your browser and the site is encrypted and cannot be read by third parties. However, it does not mean that the site itself is legitimate or protected from hackers, and it does not prove that the site is trustworthy. While it stands to reason that consumers should never transmit sensitive information to a site that is not secure, the presence of https in the address does not mean that the site can be trusted.
The FBI recommends that consumers take the following steps to avoid becoming victims of a scam involving https sites:
- Do not trust the name on an email. Question the intent of the email content.
- If you receive a suspicious email with a link that appears to come from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
- Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead, or the domain name includes a zero in place of an “O”).
- Do not trust a website just because it has a lock icon or “https” in the browser address bar.
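
The domain check from the list above can be automated. This added example (not part of the FBI guidance or the original page) classifies a link's host against the domain the reader expects to reach and ignores the scheme, since https says nothing about who runs the site. The function names, the `1`-for-`l` swap, the two-label domain shortcut and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Digit-for-letter swaps to undo before comparing. The page mentions zero
# for "O"; the "1" for "l" entry is an assumption added for illustration.
LOOKALIKES = str.maketrans({"0": "o", "1": "l"})


def registrable(host: str) -> str:
    """Last two labels of a hostname (assumption: no multi-part suffixes
    such as .co.uk; a real checker would use the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(url: str, expected: str) -> str:
    """Classify a link against the domain the reader expects to reach.

    The scheme is deliberately ignored: https only says the connection is
    encrypted, so it never upgrades a verdict.
    """
    host = urlsplit(url).hostname or ""
    domain = registrable(host)
    expected = expected.lower()
    if domain == expected:
        return "match"
    if domain.translate(LOOKALIKES) == expected.translate(LOOKALIKES):
        return "lookalike-characters"
    name, _, tld = domain.rpartition(".")
    exp_name, _, exp_tld = expected.rpartition(".")
    if name == exp_name and tld != exp_tld:
        return "wrong-tld"
    if name.translate(LOOKALIKES) == exp_name.translate(LOOKALIKES):
        return "lookalike-and-wrong-tld"
    return "different-domain"


# Constructed sample links; example-office.gov stands in for the real site.
SAMPLES = [
    "https://www.example-office.gov/forms",
    "https://www.example-office.com/forms",
    "https://www.example-0ffice.gov/forms",
    "https://example-office.gov.example.net/forms",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{check_link(link, 'example-office.gov'):22} {link}")
```

Every sample link uses https, yet only the first one reaches the expected domain; the last one shows the expected name placed in front of a different domain.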