You've been told to look for the padlock. Before you enter your credit card number, before you log in, before you share anything sensitive — check for the padlock in the browser's address bar. It means the site is secure.
Except it doesn't. Not exactly. And the gap between what people think the padlock means and what it actually means is where a lot of people get hurt.
What the Padlock Actually Tells You
The padlock icon means the connection between your browser and the website is encrypted. That's it. It means that if someone is intercepting traffic on your network — say, on public Wi-Fi — they can't read what you're sending back and forth.
That's genuinely useful. It's why HTTPS matters. But it says absolutely nothing about the website itself.
What the Padlock Does Not Tell You
The padlock does not mean:
- The website is legitimate
- The company behind it is real
- Your data is handled safely once it arrives
- The site isn't a phishing page designed to steal your login
Getting an HTTPS certificate is free and takes about five minutes. Scammers figured this out years ago. The majority of phishing sites — fake bank login pages, fake PayPal screens, fake Amazon checkout pages — now run on HTTPS. They have the padlock. They look exactly like the real thing. The padlock is not a trust signal anymore.
A Real Example
Imagine you receive an email that looks like it's from your bank. You click the link. You land on a page that looks exactly like your bank's website. There's a padlock in the address bar. You enter your username and password.
You've just handed your credentials to a criminal. The padlock just meant your data was securely delivered to them.
So What Should You Actually Look For?
The URL. Always check the full web address, not just the padlock. Phishing sites typically use URLs that are close to the real thing but slightly off — things like paypa1.com, amazon-account-verify.com, or yourbank-secure-login.net. The padlock is green. The URL is wrong.
If you received a link in an email or a text message, don't click it. Go directly to the website by typing the address yourself or using a bookmark you've set up previously.
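The URL check described above can also be automated, for example in a mail filter or a link-preview tool. The sketch below is an added example, not part of the original article: the TRUSTED list is constructed (yourbank.com is a placeholder), classify() is a hypothetical helper name, and digit-for-letter swaps are the only character substitution it assumes. Note that the https:// scheme plays no part in the verdict.

```python
from urllib.parse import urlsplit

# Constructed sample list: the domains you actually do business with.
# "yourbank.com" is a placeholder, not a real bank.
TRUSTED = {"paypal.com", "amazon.com", "yourbank.com"}

# Assumption: lookalike names swap digits for similar-looking letters,
# as in the article's paypa1.com example.
SWAPS = str.maketrans("10", "lo")


def classify(url, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unknown' for the host in url."""
    # Accept bare hosts such as "paypa1.com" as well as full URLs.
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"

    # Trusted only on an exact match or a real subdomain (www.paypal.com).
    # A brand name appearing somewhere in the host is NOT enough.
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return "trusted"

    # Not trusted: does the host imitate a brand we know?
    normalized = host.translate(SWAPS)
    for domain in trusted:
        brand = domain.split(".")[0]
        if brand in normalized:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, using the hostnames from the article.
    samples = [
        "https://www.paypal.com/signin",
        "https://paypa1.com/login",
        "https://amazon-account-verify.com/",
        "https://yourbank-secure-login.net/",
        "https://example.org/",
    ]
    for link in samples:
        print(f"{classify(link):10} {link}")
```

An "unknown" result means only that the host matches nothing on your list; it is not a verdict that the site is safe.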
What This Means for Your Own Website
If your website still runs on HTTP — without the padlock — browsers are now actively warning visitors that your site is "Not Secure." That warning kills trust and drives people away. You need HTTPS. But having HTTPS is the floor, not the ceiling. It's the minimum standard, not a mark of distinction.
Real website security goes much further: how data is stored, how logins are protected, how the code is written, what happens when something goes wrong. That's where we focus our work.
Questions about your site's security? We're happy to talk.