You're reading The SME Security Brief, practical IT, cyber security and technology advice for Irish and UK businesses. No jargon. No scare tactics. Just what you need to know, every week.

If someone forwarded this to you, you can subscribe at thesmesecuritybrief.com.

THIS WEEK'S THREAT 🔴

The padlock means nothing on its own

Ask most people what the padlock icon in a browser means and they will tell you the same thing, it means the website is safe. Secure. Trustworthy.

It does not.

The padlock and the HTTPS in the web address means one thing only, the connection between your browser and that website is encrypted. It means nobody sitting between you and the website can intercept what you are sending. That is genuinely useful. But it says absolutely nothing about whether the website itself is legitimate.

Cybercriminals figured this out years ago. Today, the majority of phishing websites use HTTPS. They have a padlock. They look exactly as "secure" as your bank's website. Because technically, they are, the connection is encrypted. The problem is you are encrypting your login details and sending them directly to an attacker.

Think about what this means in practice. An employee receives a phishing email with a link to what looks like a Microsoft 365 login page. They hover over the link, see it starts with https://, notice the padlock when the page loads, and think, this looks legitimate. They type in their username and password. Those credentials are now in the hands of an attacker, sent over a perfectly encrypted connection.

This is one of the most dangerous misconceptions in cyber security today. The padlock has trained people to feel safe when they should still be asking questions.

What you should do this week:

  1. Share this with your team. The padlock does not mean safe. It means encrypted. These are not the same thing.

  2. The real question to ask is, does the domain in the address bar match exactly what I would expect? Not similar. Exact.

  3. If anyone in your business handles financial transactions, supplier payments, or customer data online, make sure they understand this distinction.

THIS WEEK'S TIP 💡

How to actually tell if a website is legitimate

If the padlock is not enough, what should you look for? Here are the checks that actually matter.

1. Read the full domain carefully
Attackers register domains that look almost identical to legitimate ones. Common tricks include replacing letters, using a lowercase "l" instead of a capital "I", replacing an "o" with a zero, or adding a hyphen. Check the full domain in the address bar. paypa1.com is not paypal.com. rn365.microsoft.com is not microsoft.com. Train your eye to read the whole thing, not just glance at it.

2. Check what comes immediately before the first single slash
The real domain name is always the part immediately before the first single forward slash in the address. So in https://login.microsoft.com/yourcompany, the domain is microsoft.com, legitimate. But in https://microsoft.com.login-verify.net/yourcompany, the domain is actually login-verify.net , a completely different site. Attackers use this trick constantly.

3. Look at the certificate details
Click on the padlock icon in your browser and look at the certificate information. A basic certificate (called DV or Domain Validated) proves only that someone controls the domain, it can be obtained by anyone in minutes for free. A more robust certificate (OV or EV) verifies the organisation behind the site. For a site asking you to log in or enter payment details, you should see an organisational name in the certificate, not just a domain.

4. Trust your browser warnings
Modern browsers including Chrome, Edge, Firefox, and Safari actively flag known phishing and malicious sites. If your browser shows a warning screen , "Deceptive site ahead" or "This site may be harmful", do not click through it. These warnings are accurate the vast majority of the time. Make sure staff know not to override them.

5. When in doubt, type it yourself
If you receive a link to your bank, a supplier portal, or any site where you log in, do not click the link. Open a new tab and type the address yourself, or use a saved bookmark. This eliminates the risk entirely regardless of how convincing the link looks.

THIS WEEK'S TOOL 🛠️

Microsoft Defender SmartScreen, the phishing filter already running on your devices

If your business uses Windows and Microsoft Edge, you already have Microsoft Defender SmartScreen running in the background. Most people have never heard of it.

SmartScreen is a real-time phishing and malware filter built directly into Windows and Edge. Every time someone visits a website or downloads a file, SmartScreen checks it against Microsoft's constantly updated database of known malicious sites and files. If it finds a match, it blocks the page and shows a warning before any damage can be done.

Here is what it protects against:

  • Known phishing websites, including those using HTTPS

  • Malicious file downloads before they reach the device

  • Sites impersonating legitimate businesses

  • Links clicked in Microsoft 365 email that lead to known threats

To check it is enabled, open Microsoft Edge, go to Settings, then Privacy, search and services, then scroll to Security. You should see SmartScreen listed as on. On Windows, search for "Windows Security" in the Start menu, go to App and browser control, and confirm Reputation-based protection is switched on.

It costs nothing. It is already there. Make sure it is switched on across every device in your business.

For additional protection, Microsoft Defender for Office 365 extends the same link checking capability to emails in Microsoft 365, flagging malicious links before staff even click them. This is available on higher tier Microsoft 365 business plans and is worth asking your IT provider about if you are not already using it.

QUICK COMPLIANCE CHECKLIST

Five questions to review with your team:

  1. Do your staff know that the padlock icon does not mean a website is safe or legitimate?

  2. Do you have a process for verifying supplier or payment portal websites before entering credentials?

  3. Is Microsoft Defender SmartScreen enabled on all business devices and browsers?

  4. Do staff know never to override browser security warnings?

  5. Are staff trained to type known website addresses directly rather than clicking links in emails?

BEFORE YOU GO

The padlock was never meant to be a trust signal. It was meant to indicate encryption. Somewhere along the way the meaning got lost, and attackers have been exploiting that confusion ever since.

This is one of those issues where a five minute conversation with your team could prevent a serious breach. Share it. Talk through it. Make sure the people handling your business systems understand what the padlock actually means.

Knowledge is the cheapest security control available.

See you next week.

  • The SME Security Brief

Keep Reading