The “s” in HTTPS stands for “secured”. It was introduced in 1995, so older websites that have been left on its own without regular maintenance usually don’t have it. But even to this day, unsecure websites exist, and fraudsters can easily take advantage of them.
Although hackers continue to develop new viruses and bug exploits, the most effective weapon in their arsenal is a simple email. All a would-be cybercriminal has to do is write a convincing message (or pretend to be a trustworthy entity) to persuade a victim to download a malware-ridden file or surrender their personal information.