The padlock is a lie — or more precisely, it's a half-truth that has become dangerous. HTTPS tells you that the connection between your browser and the server is encrypted. It says nothing about whether the server belongs to whom you think it does, whether the site is legitimate, or whether submitting your credentials will result in them being stolen.
Attackers have known this for years. The vast majority of phishing sites now use valid HTTPS certificates. Users were trained to "look for the padlock," so attackers got the padlock. The evaluation has to go further.
Start With the URL, Not the Page Content
Phishing and fraudulent sites invest heavily in making the page look right — logo, color scheme, layout. The URL is harder to fake convincingly, and it's where the clearest technical signals live.
What to actually check in the URL:
The domain. Not just the recognizable brand name somewhere in the URL — the actual registered domain. In https://secure.paypal-login.verify-account.com, the domain is verify-account.com. PayPal appearing as a subdomain or in a path segment doesn't make this a PayPal website.
The TLD and domain structure. Legitimate services don't typically move to unusual top-level domains or hyphenated brand variations. paypal.com and paypal-secure.com are fundamentally different websites even if they look similar at a glance.
The structure before the domain. Subdomains are easy to create. login.legitimate-service.com is a legitimate subdomain. legitimate-service.malicious-domain.com is not — malicious-domain.com is the actual domain.
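The domain checks above are mechanical enough to automate. The script below is an added example written for this article, not code from the original; it pulls the registrable domain out of a URL and flags the cases the three bullets describe: a brand name that appears as a subdomain label, a hyphenated variation, or a path segment while the registrable domain belongs to someone else. The public-suffix table and the brand table are constructed stubs for the article's own examples; real tooling should load the full Public Suffix List (the `tldextract` package does this) and a maintained list of the domains each organisation actually operates.

```python
"""Pull the registrable domain out of a URL and flag brand look-alikes.

Added example for this article, not the article's own code. The public-suffix
table and the brand table are constructed stubs: production tooling should load
the full Public Suffix List and a real list of each organisation's domains.
"""
from typing import Optional
from urllib.parse import urlsplit

# ASSUMPTION: a few public suffixes, enough for the article's examples.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# ASSUMPTION: brands we care about, mapped to the domains they really use.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "legitimate-service": {"legitimate-service.com"},
}


def registrable_domain(hostname: str) -> Optional[str]:
    """Return the registrable domain (public suffix plus one label).

    'secure.paypal-login.verify-account.com' -> 'verify-account.com'
    """
    labels = hostname.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so 'co.uk' wins over 'uk'.
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None


def evaluate_url(url: str) -> dict:
    """Apply the article's URL checks: registrable domain vs. brand mentions."""
    parts = urlsplit(url)
    host = parts.hostname  # lower-cased, port stripped
    if not host:
        return {"registrable_domain": None, "brands_mentioned": set(),
                "lookalikes": set(), "verdict": "no-host"}
    reg = registrable_domain(host)
    # A brand name may appear anywhere: a subdomain label, a hyphenated
    # variation, or a path segment. None of that changes who owns `reg`.
    haystack = (parts.netloc + parts.path).lower()
    mentioned = {brand for brand in KNOWN_BRANDS if brand in haystack}
    lookalikes = {b for b in mentioned if reg not in KNOWN_BRANDS[b]}
    if reg is None:
        verdict = "unrecognised-suffix"
    elif lookalikes:
        verdict = "brand-lookalike"
    elif mentioned:
        verdict = "domain-matches-brand"
    else:
        verdict = "no-known-brand"
    return {"registrable_domain": reg, "brands_mentioned": mentioned,
            "lookalikes": lookalikes, "verdict": verdict}


if __name__ == "__main__":
    for sample in (
        "https://secure.paypal-login.verify-account.com/signin",
        "https://paypal-secure.com/",
        "https://login.legitimate-service.com/",
        "https://legitimate-service.malicious-domain.com/",
        "https://www.paypal.com/us/home",
    ):
        print(sample, "->", evaluate_url(sample)["verdict"])
```

The verdict hinges on one comparison: is the registrable domain one the brand actually uses? Everything to the left of it and everything after the first `/` is free text that anyone can write, which is exactly why the article says to read the domain rather than the brand name.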
Verify the Certificate, Not Just Its Existence
A valid TLS certificate confirms only that whoever controlled the domain at issuance time obtained a certificate for it. Domain Validation (DV) certificates — the most common type, including those issued by free providers like Let's Encrypt — verify nothing beyond that control. They do not verify the organization's identity.
Click into the certificate details (the padlock icon → Connection is secure → Certificate). Check:
- Who issued it, and what was validated — Domain Validation certificates from free CAs are fine for legitimate small sites, but a major financial institution using a DV certificate rather than an Extended Validation (EV) certificate is unusual. Current browsers no longer give EV certificates a distinct address-bar indicator, so the organization name is only visible in the Subject field of the certificate details.
- The domain it's issued to — Does the certificate's Subject Alternative Name list cover exactly the host you see in the URL bar? Browsers match on that list, not on the name displayed in the summary.
- Issue date — A certificate issued very recently on a domain registered very recently is a common phishing site pattern.
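The three checks in this list can be run against the certificate a server actually presents. The script below is an added example, not the article's code. `check_certificate()` consumes the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so it runs offline on the two constructed sample certificates; `fetch_peer_cert()` shows how to obtain that dictionary for a live host. The sample certificates, the fixed reference time and the 30-day "recently issued" threshold are all assumptions for illustration.

```python
"""Run the article's three certificate checks against a leaf certificate.

Added example, not the article's own code. The sample certificates, the
reference time and the 30-day threshold are constructed for illustration.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Constructed: a DV-style certificate for a look-alike host. No organisation
# appears in the subject because only domain control was verified.
SAMPLE_DV_CERT = {
    "subject": ((("commonName", "secure.paypal-login.verify-account.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "notBefore": "May 12 00:00:00 2024 GMT",
    "notAfter": "Aug 10 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "secure.paypal-login.verify-account.com"),),
}

# Constructed: an OV/EV-style certificate in which the organisation is named.
SAMPLE_OV_CERT = {
    "subject": ((("countryName", "GB"),), (("organizationName", "Example Bank Ltd"),),
                (("commonName", "example-bank.com"),)),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "notBefore": "Jan 15 00:00:00 2023 GMT",
    "notAfter": "Feb 15 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example-bank.com"), ("DNS", "*.example-bank.com")),
}

# Constructed "current time" so the results are reproducible.
REFERENCE_NOW = datetime(2024, 5, 20, tzinfo=timezone.utc)


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch a live server's leaf certificate in getpeercert() form (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def rdn_value(name, attribute: str) -> Optional[str]:
    """Read one attribute ('organizationName', ...) out of a subject/issuer tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attribute:
                return value
    return None


def hostname_matches(pattern: str, hostname: str) -> bool:
    """SAN matching: '*' may only stand in for the whole left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def check_certificate(cert: dict, expected_host: str,
                      now: Optional[datetime] = None, young_days: int = 30) -> dict:
    """Return issuer, organisation, age and a list of findings for the host."""
    now = now or datetime.now(timezone.utc)
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    name_match = any(hostname_matches(p, expected_host) for p in sans)
    issuer_org = rdn_value(cert.get("issuer", ()), "organizationName")
    subject_org = rdn_value(cert.get("subject", ()), "organizationName")
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    age_days = (now - not_before).days

    findings = []
    if not name_match:
        findings.append("name-mismatch")    # SANs do not cover the URL-bar host
    if subject_org is None:
        findings.append("dv-only")          # nobody vouched for an organisation
    if age_days < young_days:
        findings.append("recently-issued")  # compare with the domain's registration date
    if not (not_before <= now <= not_after):
        findings.append("outside-validity")
    return {"name_match": name_match, "issuer": issuer_org,
            "organisation": subject_org, "age_days": age_days, "findings": findings}


if __name__ == "__main__":
    print(check_certificate(SAMPLE_DV_CERT, "secure.paypal-login.verify-account.com", now=REFERENCE_NOW))
    print(check_certificate(SAMPLE_OV_CERT, "login.example-bank.com", now=REFERENCE_NOW))
```

A "dv-only" or "recently-issued" finding is a signal rather than a verdict: plenty of legitimate small sites produce both. The combination of those findings with a brand name in the URL and a registrable domain that is not the brand's is what should stop you.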
Social Engineering Signals in the Page Content
Page-level signals are less reliable because they're easier to fake, but they remain useful in combination with URL and certificate analysis:
Urgency language — "Your account will be suspended in 24 hours." "Immediate action required." Manufactured urgency is a consistent pattern in fraudulent sites because it discourages careful evaluation.
Unusual requests — Legitimate services do not ask for full credit card details to "verify your identity." They don't need your current password to reset your password. Any form asking for information that doesn't logically match the stated purpose deserves scrutiny.
Broken elements — Poor rendering, placeholder text, broken images, or inconsistent fonts often indicate a cloned page assembled quickly rather than an actual maintained service.
Grammar and phrasing — Professional services invest in copywriting. Odd phrasing, grammatical errors, or stilted language that reads like a translated document is a signal worth noting.
Independent Verification
The strongest check: navigate to the service independently rather than through the link or page in question.
If a site claims to be your bank, close the tab, open a new one, and type your bank's URL directly or use your password manager's stored entry. If the claimed "security alert" is real, it will appear when you log in through the verified channel. If it doesn't, the "alert" from the suspicious site was fake.
For unknown sites you're encountering for the first time, search for the organization name plus the domain — legitimate businesses have an established presence that includes mentions from third-party sources, not just their own site.
The Systematic Evaluation Flow
New/unfamiliar site requesting sensitive action
        │
        ▼
Check the URL ───────────────── Domain not what you expect? ──► Don't proceed
        │
  It looks right
        │
        ▼
Check the certificate ───────── Doesn't match? ───────────────► Don't proceed
        │
  Certificate valid
        │
        ▼
Look for urgency or unusual ─── Pressure tactics? ────────────► High suspicion
requests on the page
        │
  Nothing alarming
        │
        ▼
Navigate to the service ─────── Can't reproduce the situation? ──► Site was fraudulent
independently to verify
The evaluation takes 60 to 90 seconds. The fraudulent site is designed to make you skip it.