According to PhishLabs, a quarter of all phishing sites now use HTTPS, up from a few percent a year ago.

Phishing embraces HTTPS, hoping you’ll “check for the padlock”

After a slow-burning romance, HTTPS has recently bloomed into one of security’s great love affairs. Google is a long-time admirer, and in October started plastering “not secure” labels on many sites failing to use HTTPS by default in the Chrome address bar, a tactic meant to persuade more website owners to share its enthusiasm.