Is a URL like amazonshop.com the same as amazon.com? Is ebay1 the same as ebay? This is what you have to be alert to if you receive an email purporting to be from a site or service you use. A URL that’s close to a legitimate or popular site is just that: close. It could in fact be a scam site that is part of a phishing effort to steal your personal information.
How does URL phishing work?
URL phishing attempts to trick individuals into divulging sensitive information. These attacks are described as URL phishing because the attacker uses scam websites with URLs that are easy to mistake for legitimate ones.
Here’s how a URL phishing scam is typically done:
Step 1: Cybercriminals create fake websites that mimic the look and feel of legitimate ones, like banks, social media platforms, or email services. They also give these sites URLs that can be easily confused with the URLs of the sites they are imitating.
Step 2: Scammers then lure users into visiting the sites by sending emails, text messages, or social media messages that appear to be from a legitimate source.
Step 3: The victim is asked to enter personal information like usernames, passwords, credit card details, or social security numbers into forms on the sites, which look real.
Step 4: The information collected is used for various malicious purposes, such as unauthorized access to accounts, financial theft, identity theft, and sales on the dark web.
How to identify a URL phishing attack
Identifying a URL phishing attack is similar to looking out for other forms of phishing attacks. Here’s how to spot one:
1. Read the URL carefully
Look closely at the URL in the address bar of your browser. Phishing URLs often mimic legitimate ones but may have slight misspellings, extra characters, or an altered domain like .net instead of .com.
2. Look for HTTPS
Although it’s not a foolproof sign (HTTPS only means the connection is encrypted, not that the site is honest, and many phishing sites use it too), look for HTTPS in the address bar. Not having HTTPS (using plain HTTP instead) means the site is unsecured and much more suspicious; reputable companies would not use HTTP.
3. Beware of unsolicited requests
Be cautious with emails, texts, or social media messages that ask you to click on a link, especially if the site requests sensitive information. Legitimate organizations typically do not ask for personal details via unsolicited messages.
4. Examine the email sender’s address if you’ve received an email
If the message comes via email, inspect the sender’s email address. It might look legitimate at first glance but often contains discrepancies like replaced characters or extra words. In addition, phishing attempts often use urgent language to create a sense of panic or urgency. This tactic is intended to rush you into making a decision.
If you suspect you’ve received a phishing email or message, report it as spam and block the user immediately.
What are the different types of URL phishing attacks?
URL phishing attacks come in various forms, each with its tactics and targets. Understanding these types can help in identifying and preventing potential threats.
1. Real links (but hacked)
This involves using links that appear completely legitimate because they lead to real websites. However, these websites are often compromised by attackers. The legitimate aspect of the URL lowers the user’s guard, making it easier to exploit them through other means on the website, such as malicious downloads or login forms designed to steal information.
2. Masked links
In this tactic, the visible text of a link looks legitimate, but the actual URL (which you see only when you hover over the link or inspect it) leads to a malicious website. For example, a link might appear in text as amazon.com but actually redirects to a completely different, malicious URL when clicked.
3. Typosquatting
This method relies on fake sites lying in wait for users who make common typing errors when entering a website address. Attackers register domains that are misspellings of popular websites (like “goggle.com” instead of “google.com”). Unsuspecting users who mistype the URL are taken to these fraudulent sites, which can be set up for phishing.
4. Malformed prefix links
These are deceptive URLs where the prefix is manipulated to mislead the user. For example, an attacker might use “yourbank.evil.com”. Users might only notice the “yourbank” part and miss that the actual domain is “evil.com”: the registered domain is the rightmost part of the hostname, and anything in front of it is a subdomain that the owner of “evil.com” can name freely.
5. Subfolder links
In this case, the attacker uses a legitimate domain but adds a malicious subfolder or page, such as “www.legitimatesite.com/maliciouspage”. The user trusts the main part of the URL and doesn’t realize that the site has likely been compromised and an attacker controls that subfolder.
6. Abusing redirects
Some websites use redirects, which automatically take you to another page. Phishers exploit this by embedding a legitimate website’s URL in the link, while redirecting it to a malicious site. The initial legitimate URL gives a false sense of security.
7. Obfuscating malware with images
Attackers sometimes use images to hide the true nature of a link. For instance, they might embed a malicious URL in an image button or link, so when users click on what appears to be an innocuous image, they are actually redirected to a harmful site.
8. Mixing legitimate links with malicious links
This tactic involves sending emails or creating web pages with a mix of both legitimate and malicious links. The presence of legitimate links can make the entire content seem trustworthy, lowering the user’s guard against clicking on the malicious ones.
Each of these tactics exploits different aspects of user behavior and perception, such as trust in familiar brands, inattention to detail, and the assumption of safety in certain contexts. Awareness and careful scrutiny of URLs and links are essential in protecting oneself against these types of phishing attacks.
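A link check along these lines, as an added example that is not from the original article: it flags masked links, brand names used as a subdomain of another domain, brand names embedded in a look-alike domain, digit-for-letter substitutions and near-miss spellings (the cases from the sections above, plus the shortened links and misspellings discussed later), given a constructed brand watch list. The BRANDS and SHORTENERS sets, the two-label domain approximation and the 0.85 similarity threshold are assumptions for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed watch list: the brand domains this check protects (assumption).
BRANDS = {"amazon.com", "google.com", "ebay.com", "yourbank.com"}
SHORTENERS = {"bit.ly", "tinyurl.com"}
# Digits attackers substitute for similar-looking letters ('0' for 'o', etc.).
HOMOGLYPHS = str.maketrans("0135", "olse")


def registrable_domain(host: str) -> str:
    """Last two labels of a host: 'yourbank.evil.com' -> 'evil.com'.
    Adequate for .com-style TLDs; a public-suffix list is needed for co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_findings(visible_text: str, href: str) -> list[str]:
    """Return the phishing indicators found in one link (empty list = clean)."""
    findings: list[str] = []
    url = urlparse(href if "://" in href else "http://" + href)
    host = url.hostname or ""
    domain = registrable_domain(host)
    if url.scheme == "http":
        findings.append("plain HTTP, no encryption")
    # Masked link: the visible text names one domain, the href goes to another.
    shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", visible_text.lower())
    if shown and registrable_domain(shown.group(0)) != domain:
        findings.append(f"masked link: text shows {shown.group(0)}, href goes to {domain}")
    if domain in SHORTENERS:
        findings.append("shortened link hides the real destination")
    if domain in BRANDS:
        return findings  # abuse of a real domain (subfolders, redirects) needs other checks
    normalised = domain.translate(HOMOGLYPHS)
    for brand in sorted(BRANDS):
        name = brand.split(".")[0]
        if name in host.split(".")[:-2]:
            findings.append(f"malformed prefix: '{name}' is only a subdomain of {domain}")
        elif name in domain.split(".")[0]:
            findings.append(f"brand name '{name}' embedded in {domain}")
        elif normalised == brand:
            findings.append(f"homoglyph look-alike of {brand}")
        elif SequenceMatcher(None, normalised, brand).ratio() >= 0.85:
            findings.append(f"near-miss spelling of {brand}")
    return findings


if __name__ == "__main__":  # constructed sample link, not from a real campaign
    print(link_findings("amazon.com", "https://amazon.evil.com/login"))
```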
How to protect against URL phishing?
Protecting against URL phishing requires a combination of technical safeguards and personal vigilance. Here are some effective strategies:
1. URL filtering
URL filtering is a method used to block access to websites or content within websites based on the URL. It’s a form of control over the web content a user can access, typically used in organizational networks and parental control systems. URL filters can prevent users from accessing known phishing sites by checking accessed URLs against a database of known malicious or suspicious websites.
Many web browsers offer extensions or add-ons to filter and block access to certain URLs. Alternatively, you could download an antivirus program with URL filtering capabilities or manually configure it by going to your router’s admin page.
2. Domain reputation check
Domain reputation refers to the trustworthiness or safety rating of a domain, based on various factors like past behavior, age of the domain, and any history of malicious activity. Tools and browser extensions are available that automatically check and report on the reputation of websites.
3. AI-based protection
AI and machine learning are increasingly used in cybersecurity to identify and respond to threats more efficiently. AI algorithms can analyze patterns, detect anomalies, and predict potential phishing threats, even in cases where the phishing attempt doesn’t match any known attack. These protections might be built into your email service to warn you of potential phishing attempts.
4. DMARC verification
DMARC (domain-based message authentication, reporting, and conformance) is an email security protocol. It uses two other methods, SPF and DKIM, to verify that an email really comes from the domain it claims to. SPF checks if the email is sent from a valid server for that domain, and DKIM ensures the email content hasn’t been changed. DMARC then ensures that the domain in the email’s “From” address matches these verifications.
Based on a policy set by the domain owner, DMARC tells receiving email servers what to do with emails that don’t pass these checks: ignore the failure, quarantine them, or reject them. It also sends the domain owner reports of which emails passed or failed, helping them monitor for misuse.
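As an added example (not from the article), this is how a receiving server combines the pieces described above: it parses the owner’s DMARC record, checks whether the SPF and DKIM domains align with the visible From domain, and applies the published policy when neither aligns. The record contents, domain names and the AuthResults structure are constructed for illustration; a real verifier also needs a public-suffix list and handles tags such as sp and pct.

```python
from dataclasses import dataclass


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels
    (a public-suffix list is needed to get e.g. co.uk right)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the visible From: header
    spf_pass: bool
    spf_domain: str    # envelope sender (MAIL FROM) domain SPF was checked against
    dkim_pass: bool
    dkim_domain: str   # d= domain of the verified DKIM signature


def dmarc_disposition(record: str, res: AuthResults) -> str:
    """'pass', or the owner's policy (none/quarantine/reject) for a failing message."""
    tags = parse_dmarc(record)
    spf_ok = res.spf_pass and aligned(res.from_domain, res.spf_domain, tags["aspf"])
    dkim_ok = res.dkim_pass and aligned(res.from_domain, res.dkim_domain, tags["adkim"])
    return "pass" if spf_ok or dkim_ok else tags["p"]


if __name__ == "__main__":  # constructed case: spoofed From:, sent via the attacker's own server
    print(dmarc_disposition("v=DMARC1; p=reject", AuthResults("yourbank.com", True, "evil.com", True, "evil.com")))
```

SPF and DKIM both pass here because the attacker’s server is legitimate for evil.com; it is the alignment with the From domain that fails, which is exactly what DMARC adds.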
5. Security awareness
Education and awareness about common phishing tactics (like spear phishing, vishing, or typosquatting) can prepare individuals to recognize and avoid these threats. Knowing the mechanisms of URL phishing helps recognize the subtle signs of a phishing attempt, such as misleading URLs or urgent language in an email. Training within companies is particularly important, as an employee’s compromised credentials could affect numerous customers.
How to report phishing URLs
If you’ve discovered a phishing site, there are ways you can report it to have the page blacklisted or taken down:
1. Report the company being impersonated
If the phishing attempt impersonates a specific company, report it directly to them. Most companies have a dedicated email address for reporting phishing (e.g., phishing@company.com).
2. Report the site on your browser
You can also report a phishing site to Google Safe Browsing, which Google Chrome uses. If you’re a Microsoft Edge user, head to Settings and report the page for phishing. Reporting a suspected phishing site alerts the browser’s security team, allowing them to quickly assess and take action, such as blacklisting the site, which prevents other users from accessing it and falling victim to potential threats.
3. Report it to an antivirus or anti-malware service
If you use antivirus or anti-malware software, they might have options to report malicious websites.
4. Report it to your email or messaging service providers
If you received the phishing URL via email, report it as phishing within your email service. For example, Gmail has a ‘Report phishing’ option in the drop-down menu of the email. Popular messaging services like Telegram and WhatsApp will also allow you to report a message for phishing and block the sender.
5. Report to government or cybersecurity organizations
In many countries, government agencies or cybersecurity organizations accept reports of phishing. In the U.S., you can report phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org and to the FTC at ftc.gov/complaint.
For the UK, you can forward phishing emails to the National Cyber Security Centre at report@phishing.gov.uk.
How do I know if a URL is safe?
1. Check for HTTPS
Look for “https://” at the beginning of the URL. This indicates that the site uses encryption to protect data transmission, which is essential for security, especially on pages where you enter personal or financial information.
2. Look for misspellings
Look out for misspellings, character substitutions (like ‘0’ instead of ‘o’), or unusual domain extensions in the URL. Phishers often create URLs that closely mimic legitimate ones to trick users.
3. Hover over links before clicking
If you’ve received an email with a suspicious link, hover over the link (without clicking) to see if the URL matches what is displayed. Doing so could tell you a lot about whether a link is legitimate.
4. Confirm short links before clicking
You should also look out for shortened links from services like bit.ly or tinyurl. While not every shortened link is bad, they hide the real destination of the page you’re going to, which is something scammers can exploit. Before clicking on a shortened link, use a URL expander service to reveal the full URL.
5. Verify with reviews or reports
There are various online services where you can enter a URL to analyze its safety. Examples include Google’s Safe Browsing Transparency Report, Norton Safe Web, and VirusTotal. You could also use online tools to check the domain’s age. New domains are often used maliciously, while older and established domains are generally more trustworthy.
6. Use your browser’s safety features
Modern browsers have built-in safety features that warn you about suspicious or dangerous sites. Ensure these features are enabled to keep yourself safe from suspicious links.
FAQ: About URL phishing
What happens if I click on a phishing link?
Clicking on a phishing link can lead to several potential risks and consequences, depending on the nature of the phishing attack and the security measures in place on your device. Here are some potential scenarios that could happen after you’ve clicked on a phishing link:
– Credential theft: If the phishing link leads to a fake website that mimics a legitimate one, it may prompt you to enter personal information, login credentials, or financial details. Entering this information on a phishing site means it’s now in the hands of cybercriminals.
– Malware and ransomware infection: Some phishing links automatically download malware onto your device. This malware can range from spyware, which monitors your activity and steals sensitive data, to ransomware, which locks your files and demands payment for their release.
– Financial loss and identity theft: If you disclose financial information, such as credit card numbers or bank account details, you may be at risk of financial theft. This could also lead to identity theft, especially if cybercriminals use your details to commit fraud or other illegal activities in your name.
– Spam and further phishing attempts: Your contact information might be used to target you with more phishing attempts or spam.
What can phishing links do?
Phishing links, which are often disguised as legitimate and trustworthy links, can lead to various malicious activities when clicked. Here’s what they can do:
– Steal personal information: Many phishing links direct you to fake websites that look genuine. These websites prompt you to enter personal details, such as login credentials, social security numbers, or credit card information. Once entered, this information is sent to the attacker.
– Install malware: Clicking on a phishing link may result in the automatic download and installation of malware on your device. This malware can take many forms, including:
– Spyware: To monitor your activities and steal sensitive data.
– Ransomware: To encrypt your files and demand payment for their release.
– Trojans: To create a backdoor in your system for further attacks.
– Viruses or Worms: To damage your system, corrupt files, or spread to other devices.
– Initiate scams: Phishing links can lead to scams, such as fake lotteries or investment opportunities, designed to trick you into sending money or sharing financial information.
How do I remove a URL phishing attack?
If you’re a business owner and have encountered a notification from Google or another browser that your website contains harmful programs or deceptive links, it’s important to find the exact cause. If your site is being hosted on a third-party platform like WordPress, you’ll need to figure out if there’s been an account breach and reach out for help from the platform. Alternatively, you can use an anti-malware service to clean up your site.