PhishLabs' John LaCour links the sharp rise to both the attackers themselves and their response to software decisions. Many phishers are buying web domains and promptly creating SSL certificates for them. And while Google was helpful when it started warning Chrome users about non-secure sites, that likely prompted phishers to secure their sites in an attempt to avoid those alerts.

To some extent, browser developers are tackling the issue by blocking known phishing sites regardless of whether or not they use encryption. They can't catch every site, though. To some extent, the best defense against the rise of 'secure' phishing sites is simply to dispel assumptions. You want to always question the legitimacy of unexpected requests for your sign-ins and personal info, even if they appear authentic on the surface.