How does the SSL certificate renewal scam work?
It’s very easy for a scammer to get information about your website’s SSL certificate. An SSL certificate’s expiration date is public knowledge, and anyone can see any website’s SSL expiration date in any number of ways. There are SSL checker websites, there are programs a scammer can use to check, or one can simply view your website in a browser, click on the padlock, and click for more information about the certificate.
Your SSL certificate’s expiration date is a matter of public record for good reason. It is there to reassure your visitors that your site is safe. But that also makes it easy for a scammer to obtain the same information and try to turn it against you.
Here is what it looks like when you click on the padlock in Firefox, and click to view more information. You see the certificate authority and the expiration date with a few simple clicks.
From there, the scammer simply sends an email to likely addresses: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, and so on, and the email lands in your inbox if it isn’t screened out by your spam protection.
When you get down to it, the scammer doesn’t even have to know your certificate’s expiration date or that you have an SSL certificate. This type of scammer plays the odds. Two years ago, half of the world’s websites were already using SSL. NSS Labs predicts this number will be 75% this year. If you are aware of the importance of SSL certificates, then odds are that you have one on your website, so the scammer may not even waste time checking it out for sure.
What does an SSL renewal scam email look like?
The email our client sent us looked like this one below. Contrary to many phishing emails, this scam email doesn’t include any obvious signs like misspellings or grammar mistakes. The email uses a friendly tone, and purports to be looking out for you by offering you a discounted price, particularly if you opt for multiple years. It even includes a photo of a trustworthy-looking “Trust & Web Security Specialist” and includes phone numbers. They offer you a money-back guarantee and always-on tech support – what could go wrong? The website itself appears to be legitimate as well. It’s possible this is a more or less legitimate business that chooses to use shady practices.
How can I tell if this SSL Renewal email is a scam?
There are various Certificate Authorities that issue SSL certificates, like Comodo, Symantec (Verisign), GoDaddy, GlobalSign, and DigiCert. This is not an exhaustive list, but Comodo is one of the most common, so the phishing email names it: there is a higher chance that the recipient actually has a Comodo-signed certificate.
In this case, the scammer was lazy and didn’t even attempt to match the certificate authority to the website, so that makes our job of recognizing this as a scam that much easier. The first thing to do if you receive an email like this is to check your own website, as explained above. In Chrome, for example, click on the padlock next to the domain name. Then click on “Certificate” for more information.
When we inspect the website with this method, we see its SSL certificate is issued by “Let’s Encrypt,” not Comodo. So that tells us right away this email is a scam. You wouldn’t normally change certificate authorities for an SSL renewal.
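The same check can be scripted instead of clicked through. The following is an added example, not part of the original article: it compares the certificate authority named in a renewal email with the issuer of the certificate your site actually serves, and reports how many days the certificate has left. The function names and the sample certificate are constructed for illustration; `fetch_cert` needs network access, the rest runs offline.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_cert(host, port=443, timeout=5):
    """Return the validated leaf certificate of host as the dict ssl produces."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_names(cert):
    """Collect the issuer's organizationName and commonName values."""
    wanted = ("organizationName", "commonName")
    return [v for rdn in cert.get("issuer", ()) for k, v in rdn if k in wanted]


def check_renewal_email(cert, claimed_ca, now=None):
    """Compare the CA named in a renewal email with the certificate's real issuer."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    names = issuer_names(cert)
    return {
        "issuer": names,
        "issuer_matches_email": any(claimed_ca.lower() in n.lower() for n in names),
        "days_left": (expires - now).days,
    }


# Constructed sample in the shape returned by SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "notAfter": "May 30 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    fixed_now = datetime(2024, 5, 1, tzinfo=timezone.utc)
    print(check_renewal_email(SAMPLE_CERT, "Comodo", now=fixed_now))
```

For a live site, pass `fetch_cert("your-domain")` in place of `SAMPLE_CERT`. A matching issuer does not make the email genuine; it only means this first check cannot rule it out.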
But what if your certificate is issued by Comodo? Then how would you know this is a scam?
As mentioned earlier, Comodo issues a lot of certificates – it has a market share of 41%. So your SSL certificate might be issued by Comodo. And the phishing email you receive might say Symantec (30% market share) or GoDaddy (13% market share) instead, and your certificate might be issued by one of those.
In that case, your next question should be: Where did I obtain my SSL certificate?
Very often, an SSL certificate, whether paid or free, is obtained through the same company that hosts your website: GoDaddy, InMotion, Siteground, Bluehost, etc. If you know your certificate was purchased through your hosting company, and not through a third party, you can log into your hosting account. Remember, do NOT click on any links from an email – type the address into your browser. Log into your account. Go to your billing area, and see if there are any outstanding or upcoming payments due. You can create a support ticket or chat with a support technician to find out if they really sent you an email about renewing your SSL certificate.
Do I even need to renew my SSL certificate?
It depends on what type of certificate you have. Many hosting companies now offer free certificates through Let’s Encrypt, and those auto-renew with no action required on your part. If you have a paid certificate, you do need to renew it from time to time, and you may receive a reminder email from the company you purchased it through – most often your hosting company.
What if you are still not sure?
If you receive a similar email, it’s ok if you still aren’t really sure if it is legitimate or not. As mentioned above, your hosting company may send you a real email about needing to renew your SSL certificate if your site uses a paid SSL certificate. So it is easy to be unsure whether this is the real thing or not.
If you can’t tell, try doing what our savvy client did. Forward the email to your trusted web developer and ask them to check it out for you. We’re happy to help!