What is URL phishing?

Is a URL like amazonshop.com the same as amazon.com? Is ebay1 the same as ebay? This is what you have to be alert to if you receive an email purporting to be from a site or service you use. A URL that’s close to a legitimate or popular site is just that: close. It could in fact be a scam site that is part of a phishing effort to steal your personal information.

How does URL phishing work?

URL phishing attempts to trick individuals into divulging sensitive information. Such attacks are described as URL phishing because the attacker uses scam websites with URLs that are easy to mistake for legitimate ones.

Here’s how a URL phishing scam is typically done: 

Step 1: Cybercriminals create fake websites that mimic the look and feel of legitimate ones, like banks, social media platforms, or email services. They also give these sites URLs that can be easily confused with the URLs of the sites they are imitating. 

Step 2: Scammers then lure users into visiting the sites by sending emails, text messages, or social media messages that appear to be from a legitimate source.

Step 3: The victim is asked to enter personal information like usernames, passwords, credit card details, or social security numbers into forms on the sites, which look real.

Step 4: The information collected is used for various malicious purposes, such as unauthorized access to accounts, financial theft, identity theft, and sales on the dark web.

How to identify a URL phishing attack

Identifying a URL phishing attack is similar to looking out for other forms of phishing attacks. Here’s how to spot one:

1. Read the URL carefully 

Look closely at the URL in the address bar of your browser. Phishing URLs often mimic legitimate ones but may have slight misspellings, extra characters, or an altered domain like .net instead of .com. 

2. Look for HTTPS

Although it’s not a foolproof sign, look for HTTPS in the address bar, which indicates that the connection to the site is encrypted. Not having HTTPS (instead using HTTP) means the connection is unsecured and the site is much more suspicious. Reputable companies would not use plain HTTP.

3. Beware of unsolicited requests

Be cautious with emails, texts, or social media messages that ask you to click on a link, especially if the site requests sensitive information. Legitimate organizations typically do not ask for personal details via unsolicited messages.

4. Examine the email sender’s address if you’ve received an email

If the message comes via email, inspect the sender’s email address. It might look legitimate at first glance but often contains discrepancies like replaced characters or extra words. In addition, phishing attempts often use urgent language to create a sense of panic or urgency. This tactic is intended to rush you into making a decision.

If you suspect you’ve received a phishing email or message, report it as spam and block the user immediately.

What are the different types of URL phishing attacks? 

URL phishing attacks come in various forms, each with its tactics and targets. Understanding these types can help in identifying and preventing potential threats.

1. Real links (but hacked)

This involves using links that appear completely legitimate because they lead to real websites. However, these websites are often compromised by attackers. The legitimate aspect of the URL lowers the user’s guard, making it easier to exploit them through other means on the website, such as malicious downloads or login forms designed to steal information.

2. Masked links

In this tactic, the visible text of a link looks legitimate, but the actual URL (which you see only when you hover over the link or inspect it) leads to a malicious website. For example, a link might appear in text as amazon.com but actually redirects to a completely different, malicious URL when clicked.

3. Typosquatting

This method relies on fake sites lying in wait for users who make common typing errors when entering a website address. Attackers register domains that are misspellings of popular websites (like “goggle.com” instead of “google.com”). Unsuspecting users who mistype the URL are taken to these fraudulent sites, which can be set up for phishing.

4. Malformed prefix links

These are deceptive URLs where the prefix is manipulated to mislead the user. For example, an attacker might use “yourbank.evil.com”. Users might only notice the “yourbank” part and miss that the actual domain is “evil.com”.

5. Subfolder links

In this case, the attacker uses a legitimate domain but adds a malicious subfolder or page. It might look like “www.legitimatesite.com/maliciouspage.” The user trusts the main domain (which has likely been compromised) and doesn’t realize that an attacker controls the subfolder.

6. Abusing redirects

Some websites use redirects, which automatically take you to another page. Phishers exploit this by using a legitimate website’s URL in the link while having it redirect to a malicious site. The initial legitimate URL gives a false sense of security.

7. Obfuscating malware with images

Attackers sometimes use images to hide the true nature of a link. For instance, they might embed a malicious URL in an image button or link, so when users click on what appears to be an innocuous image, they are actually redirected to a harmful site.

8. Mixing legitimate links with malicious links

This tactic involves sending emails or creating web pages with a mix of both legitimate and malicious links. The presence of legitimate links can make the entire content seem trustworthy, lowering the user’s guard against clicking on the malicious ones.

Each of these tactics exploits different aspects of user behavior and perception, such as trust in familiar brands, inattention to detail, and the assumption of safety in certain contexts. Awareness and careful scrutiny of URLs and links are essential in protecting oneself against these types of phishing attacks.

How to protect against URL phishing

Protecting against URL phishing requires a combination of technical safeguards and personal vigilance. Here are some effective strategies:

1. URL filtering

URL filtering is a method used to block access to websites or content within websites based on the URL. It’s a form of control over the web content a user can access, typically used in organizational networks and parental control systems. URL filters can prevent users from accessing known phishing sites by checking accessed URLs against a database of known malicious or suspicious websites. 

Many web browsers offer extensions or add-ons to filter and block access to certain URLs. Alternatively, you could download an antivirus program with URL filtering capabilities, or configure URL filtering manually on your router’s admin page.

2. Domain reputation check

Domain reputation refers to the trustworthiness or safety rating of a domain, based on various factors like past behavior, age of the domain, and any history of malicious activity. Tools and browser extensions are available that automatically check and report on the reputation of websites.

3. AI-based protection

AI and machine learning are increasingly used in cybersecurity to identify and respond to threats more efficiently. AI algorithms can analyze patterns, detect anomalies, and predict potential phishing threats, even in cases where the phishing attempt doesn’t match any known attack. These protections might be built in to your email service to warn you of potential phishing attempts.

4. DMARC verification

DMARC (domain-based message authentication, reporting, and conformance) is an email security protocol. It uses two other methods, SPF and DKIM, to verify that an email really comes from the domain it claims to. SPF checks if the email is sent from a valid server for that domain, and DKIM ensures the email content hasn’t been changed. DMARC then ensures that the domain in the email’s “From” address matches the domain those checks authenticated.

Based on a policy set by the domain owner, DMARC tells email servers what to do with emails that don’t pass these checks—ignore, quarantine, or reject them. It also reports which emails passed or failed to the domain owner, helping them monitor for misuse.
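The alignment logic just described, as an added example (this code is not from the article or from any DMARC implementation): a receiving server applies a constructed record for yourbank.example to a message’s SPF and DKIM results. The domain names, the record itself and the two-label organizational-domain rule are assumptions.

```python
from dataclasses import dataclass

# Constructed record, as the owner of yourbank.example would publish it in DNS at
# _dmarc.yourbank.example. p= is the policy; aspf/adkim set the alignment mode.
DMARC_RECORD = "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc-reports@yourbank.example"

def parse_dmarc(record: str) -> dict:
    """Turn 'tag=value; tag=value' into a dict; relaxed alignment and p=none are the defaults."""
    tags = {"aspf": "r", "adkim": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def org_domain(host: str) -> str:
    # Assumption: organizational domain = last two labels; real code uses the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class AuthResults:
    from_domain: str    # domain in the visible From: header, the one the user sees
    spf_pass: bool      # SPF: was the sending server authorized for spf_domain?
    spf_domain: str     # envelope sender (MAIL FROM) domain that SPF was checked against
    dkim_pass: bool     # DKIM: did the signature verify (content unchanged)?
    dkim_domain: str    # d= domain of the verifying signature

def dmarc_disposition(msg: AuthResults, record: str) -> str:
    """'pass' if an aligned SPF or DKIM check passed, otherwise the owner's policy action."""
    policy = parse_dmarc(record)
    spf_ok = msg.spf_pass and aligned(msg.from_domain, msg.spf_domain, policy["aspf"])
    dkim_ok = msg.dkim_pass and aligned(msg.from_domain, msg.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"]  # 'none' (ignore), 'quarantine' or 'reject'
```

A lookalike sender such as yourbank-secure.example is evaluated against its own DMARC record, so this check stops spoofing of the exact domain, not lookalike domains.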

5. Security awareness

Education and awareness about common phishing tactics (like spear phishing, vishing, or typosquatting) can prepare individuals to recognize and avoid these threats. Knowing the mechanisms of URL phishing helps recognize the subtle signs of a phishing attempt, such as misleading URLs or urgent language in an email. Training within companies is particularly important, as an employee’s compromised credentials could affect numerous customers.

How to report phishing URLs

If you’ve discovered a phishing site, there are ways you can report it to have the page blacklisted or taken down:

1. Report the company being impersonated

If the phishing attempt impersonates a specific company, report it directly to them. Most companies have a dedicated email address for reporting phishing (e.g., phishing@company.com).

2. Report the site on your browser

You can also report a phishing site to Google Safe Browsing, which Google Chrome relies on. If you’re a Microsoft Edge user, head to Settings and report the page for phishing. Reporting a suspected phishing site alerts the browser’s security team. This will allow them to quickly assess and take action, such as blacklisting the site, which prevents other users from accessing it and falling victim to potential threats.

3. Report it to an antivirus or anti-malware service

If you use antivirus or anti-malware software, they might have options to report malicious websites.

4. Report it to your email or messaging service providers

If you received the phishing URL via email, report it as phishing within your email service. For example, Gmail has a ‘Report phishing’ option in the drop-down menu of the email. Popular messaging services like Telegram and WhatsApp will also allow you to report a message for phishing and block the sender.

5. Report to government or cybersecurity organizations

In many countries, government agencies or cybersecurity organizations accept reports of phishing. In the U.S., you can report phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org and to the FTC at ftc.gov/complaint.

For the UK, you can forward phishing emails to the National Cyber Security Centre at report@phishing.gov.uk.

How do I know if a URL is safe?

1. Check for HTTPS

Look for “https://” at the beginning of the URL. This indicates that the site uses encryption to protect data transmission, which is essential for security, especially on pages where you enter personal or financial information.

2. Look for misspellings

Look out for misspellings, character substitutions (like ‘0’ instead of ‘o’), or unusual domain extensions in the URL. Phishers often create URLs that closely mimic legitimate ones to trick users.

3. Hover over links before clicking

If you’ve received an email with a suspicious link, hover over the link (without clicking) to see if the URL matches what is displayed. Doing so could tell you a lot about whether a link is legitimate.

4. Confirm short links before clicking

You should also look out for shortened links from sites like bit.ly or tinyurl. While not every shortened link is bad, they can hide the real destination of the page you’re going to, which is something scammers might use. Before clicking on a shortened link, use a URL expander service to reveal the full URL.

5. Verify with reviews or reports

There are various online services where you can enter a URL to analyze its safety. Examples include Google’s Safe Browsing Transparency Report, Norton Safe Web, and VirusTotal. You could also use online tools to check the domain’s age. New domains are often used maliciously, while older and established domains are generally more trustworthy.

6. Use your browser’s safety features

Modern browsers have built-in safety features that warn you about suspicious or dangerous sites. Ensure these features are enabled to keep yourself safe from suspicious links.
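The checks from the list of attack types earlier (malformed prefix, subfolder, typosquatting, masked links) and from this checklist (HTTPS, misspellings, hover mismatch, short links), put together as an added example; this code is not from the article. The expected brand domain, the homoglyph list and the two-label domain rule are assumptions.

```python
from urllib.parse import urlsplit
SHORTENERS = {"bit.ly", "tinyurl.com"}  # the two shortener services the article names

def registrable_domain(host: str) -> str:
    # Assumption: the registrable domain is the last two labels. Real code should use
    # the Public Suffix List, since e.g. 'bank.co.uk' needs three labels.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def unhomoglyph(label: str) -> str:
    # Undo digit-for-letter swaps such as the '0' for 'o' the article mentions (constructed list).
    for fake, real in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m")):
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(href: str, expected_domain: str, display_text: str = "") -> list[str]:
    """Return warnings for one link against the brand it claims to be; [] means it passed."""
    warnings = []
    url = urlsplit(href if "://" in href else "http://" + href)
    host = url.hostname or ""
    actual, brand = registrable_domain(host), registrable_domain(expected_domain)
    name = brand.split(".")[0]  # the brand label users look for, e.g. 'yourbank'
    if url.scheme != "https":
        warnings.append("no HTTPS")
    if actual in SHORTENERS:
        warnings.append(f"shortened link via {actual}: expand it before clicking")
    elif actual != brand:
        if name in host.split(".")[:-2]:  # malformed prefix: yourbank.evil.com
            warnings.append(f"'{name}' is only a subdomain; the real domain is {actual}")
        elif name in url.path.lower():  # brand name pushed into the path
            warnings.append(f"'{name}' appears only in the path; the real domain is {actual}")
        elif name in actual or edit_distance(unhomoglyph(actual.split(".")[0]), name) <= 2:
            warnings.append(f"lookalike domain {actual} instead of {brand}")  # typosquatting
        else:
            warnings.append(f"unrelated domain {actual}")
    if display_text:  # masked link: what the user sees vs. where the href goes
        shown_host = display_text.split("//")[-1].split("/")[0]
        if "." in shown_host and registrable_domain(shown_host) != actual:
            warnings.append(f"masked link: text shows {shown_host} but href goes to {host}")
    return warnings
```

A subfolder on a genuinely compromised site (www.legitimatesite.com/maliciouspage) passes these URL checks, which is why domain reputation and browser safety features are still needed.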
