URL Phishing 
 

By now, most of us are familiar with the concept of phishing. 

What is URL Phishing?

URL phishing is the fraudulent practice of luring individuals to an imposter website where they will download malicious software or reveal confidential information. 

Example of a URL Phishing Attack

One of the most common examples of a URL phishing attack is where a fraudster mimics a known company, sending a bogus email with a message saying “Your account has been disabled. Click here to restore it.” 

Alarmed users then click the link and unwittingly install malware onto their computer. URL phishing goes even further: the cybercriminal creates a bogus website that is linked within the email. When users click it, they go to a site that looks legitimate, but is actually a trap.

How Does URL Phishing Work?       

Like most phishing scams, URL phishing relies on tricking the user into taking action — in this case, accessing a fake website and parting with passwords and sensitive information. The site often asks the user to reset a password, reenter personal and credit information to validate an account, or download a “software update,” which is really malware in disguise.

3 Common URL Phishing Techniques

1. Mixing legitimate links with malicious links

One of the most common URL phishing techniques is mixing legitimate links in with malicious links. 

Using legitimate links in the email helps bypass basic cyber security detection which “sees” legitimate links and “assumes” the email is safe. For example, the email may contain links to pages on the irs.gov website but have a “click here to secure your account” button that leads to an illegitimate site.

It’s also common for cyber criminals to use the brand’s logo and likeness to further disguise their malware.

2. Abusing Redirects

In this instance, users are directed to a legitimate webpage after giving their credentials or opening malicious software. This diverts them from thinking anything is awry.

3. Obfuscating Malware with Images

Many cyber criminals use images of text to hide malware from basic filters, which scan textual content. If the filters see an email with little to no text, they may mark it as safe without noticing the malware.

5 Tips to Identify a Phishing URL      

Emails with phony URLs often take a tone of urgency, so the target panics and takes immediate action — like clicking the fraudulent link — before looking closely at the text and seeing that it’s fake. URL phishing awareness training always starts by teaching users to pause and closely examine messages before acting. 

Taking these investigative steps before clicking links can help curb the fraudsters:

• Consider the source: If you receive an email or text message directing you to a website you already do business with, don’t click on the link. Instead, go to another screen and log into your account directly. If the message was legitimate, and there is an issue with your account, for example, the business will notify you about it when you log in, either right on the screen or in a message. Otherwise, the email was probably phishing. Either way, you can also contact the company’s support directly from the site to be sure. Also, note that fraudsters use “angler phishing” attacks on social media to hijack legitimate customer service interactions, so be aware of where your support messages are coming from.
• Spellcheck the address: Look closely at the sender’s email address and the site’s URL, even if it looks legitimate. Many types of phishing depend on “spoofing” familiar email addresses and websites. These can look like the real thing, but upon closer examination, you’ll often find small differences, such as a “.net” address where it should be “.com.” Fraudsters will also spell the URL using lookalike characters, using the number 0 instead of the letter O, for example.
• Vet that URL before you click: If you hover your cursor or right-click your mouse over the link (depending on the browser) you can often find out more information about the website address, such as whether it has a valid security certificate. A lock icon and an “https” address are positive signs that it’s a legitimate site. Still, be careful. Many times, email messages will obscure the site address by using a button instead of a written-out URL link. Hover over the button and read that URL closely. If it looks strange, search for the site and go to it directly.
• Investigate the website: If you don’t initially recognize the website that a phishing email asks you to visit, you don’t have to click on the link to find out more. Do a quick search for “[name of the website] scam” or search for the email subject line plus the word “scam” and see what results pop up. Fraudsters are prolific — that phishing email probably hit up many other people on its way to you, and the word is out.
• Proofread that site: Many phishing websites are clearly bogus once you look at them closely. A website spoofing a well-known brand’s site will often show its hand once you click past the home page. Pay attention to spelling and sentence syntax. A number of the cybercriminal operations running these scams are located outside of the U.S. and their English usage shows it. If they ask for a payment, check that they are using a legitimate payment processor, such as PayPal or Stripe, and not just harvesting your account information. And if they use a well-known processor, you must still check the URL. Move your cursor over the link to see the true destination. If you aren’t certain, don’t click on the link.

Ways to Protect Against URL Phishing        

Awareness training is the first line of defense to protect against URL phishing. Eighty-five percent of companies now offer security awareness training to employees to protect their systems from all kinds of email-borne threats, according to Osterman Research. There are also technology tools to fight against fraudsters:

• URL filtering: Automation can scan and block emails containing fake URLs. Three out of four organizations are currently using threat intelligence feeds and blocklists to keep email phishing messages out of their systems, Osterman reported.
• Artificial intelligence and machine learning: AI tools that check email traffic in real time can serve to block some spam messages that bear phony websites. They spot abnormal traffic patterns in the system and catch URL phishing before it hits a user’s inbox.

How to Report Phishing URLs          

When it comes to reporting URL phishing sites, the landscape is fractured, with many security companies collecting their own data and not necessarily sharing it. When spotting a phony URL, the first step is to alert your IT department, which can block it and start remediation steps.

The U.S. Cybersecurity and Infrastructure Security Agency is partnering with the Anti-Phishing Working Group to build a collection of phishing emails and fake website addresses. The APWG’s eCrime Exchange (eCX) has a threat data repository and data sharing platform. Report phishing URLs to APWG by sending an email to phishing-report@us-cert.gov.

Most web browsers now offer their own defenses for users, such as warnings against unsecure websites and alerts to users before they serve up a known spoof site. But those defenses depend on users reporting fake sites. The IT department at San Francisco State University prepared a guide explaining how to report phishing URLs to the major browsers.[i] You can access it here. 

The Bottom Line

Awareness and quick action are the best defenses to protect against URL phishing, with an assist from technology. Learning how to identify phishing URLs is the critical first step.

[i] “How to Report Phishing Websites Guide,” San Francisco State University, Information Technology Services