Phishing URLs steer unsuspecting users to fake websites and steal from them. Here’s how to avoid the trap.
- URL phishing is a growing threat where cybercriminals create counterfeit websites to lure their victims and obtain sensitive information.
- Often these fake websites look similar to the real thing, and checking for telltale signs can help protect against URL phishing.
- Organizations can minimize their risk by training users and adding automated defenses that screen emails.
By now, most of us are familiar with the concept of phishing. The most common example is where a fraudster mimics a known company, sending a bogus email with a message saying “Your account has been disabled. Click here to restore it.” Alarmed users then click the link, and the page behind it either harvests their credentials or drops malware onto their computer. URL phishing is the variant built around that link: the cybercriminal creates a bogus website that imitates the real one and plants its address in the email. When users click it, they land on a site that looks like the real thing but exists only to steal from them.
How Does URL Phishing Work?
Like most phishing scams, URL phishing relies on tricking the user into taking action — in this case, accessing a fake website and parting with passwords and sensitive information. The site often asks the user to reset a password, reenter personal and credit information to validate an account, or download a “software update,” which is really malware in disguise.
5 Tips to Identify a Phishing URL
Emails with phony URLs often take a tone of urgency, so the target panics and takes immediate action — like clicking the fraudulent link — before looking closely at the text and seeing that it’s fake. URL phishing awareness training always starts by teaching users to pause and closely examine messages before acting.
Taking these investigative steps before clicking links can help curb the fraudsters:
- Consider the source: If you receive an email or text message directing you to a website you already do business with, don’t click the link. Instead, open a new tab and reach the site the way you normally would, by typing the address or using a bookmark, and log in there. If the message was legitimate and there is an issue with your account, the business will tell you about it once you are logged in, on screen or in its message center. Otherwise, the email was probably phishing. Either way, you can also contact the company’s support directly from its site to be sure. Note too that fraudsters run “angler phishing” attacks on social media, hijacking legitimate customer service conversations with fake support accounts, so check which account your support replies are really coming from.
- Spellcheck the address: Look closely at the sender’s email address and the site’s URL, even if it looks legitimate at a glance. Many phishing campaigns depend on spoofing familiar addresses and domains. Close inspection often reveals small differences, such as a “.net” address where it should be “.com,” or lookalike characters, such as the digit 0 in place of the letter O. The part of the address that matters is the registered domain (in most cases the last two labels of the host name, such as “paypal.com”), not whether a brand name appears somewhere in the URL: “paypal.com.account-verify.example” belongs to whoever registered “account-verify.example,” not to PayPal.
- Vet that URL before you click: Hovering your cursor over a link shows its true destination in the browser’s status bar, and right-clicking lets you copy the address without opening it, so you can read it before committing. Do not treat a lock icon or an “https” address as proof of legitimacy: they only mean the connection to that site is encrypted, and many phishing sites present a perfectly valid certificate for their own lookalike domain. A plain “http” link is a red flag; “https” is merely the absence of one. Emails also often hide the address behind a button or descriptive link text instead of a written-out URL, and the displayed text can say one thing while the link goes somewhere else. Hover over the button or text and read the real URL closely. If it looks strange, search for the site and go to it directly.
- Investigate the website: If you don’t initially recognize the website that a phishing email asks you to visit, you don’t have to click on the link to find out more. Do a quick search for “[name of the website] scam” or search for the email subject line plus the word “scam” and see what results pop up. Fraudsters are prolific — that phishing email probably hit up many other people on its way to you, and the word is out.
- Proofread that site: Many phishing websites are clearly bogus once you look closely. A site spoofing a well-known brand will often show its hand once you click past the home page: pay attention to spelling, sentence syntax, broken links and pages that exist only to collect your details. Poor English is still a common tell, although polished fakes exist, so its absence proves nothing. If the site asks for a payment, check that the payment form is actually served by a legitimate processor such as PayPal or Stripe, from that processor’s own domain, rather than a page that merely carries the processor’s logo while harvesting your card details. And even if a well-known processor is named, you must still check the URL: move your cursor over the link to see the true destination. If you aren’t certain, don’t click.
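The address checks in the tips above can be applied mechanically. The following Python script is an added example, not code from the article or from any vendor: it parses a URL, flags a missing “https”, a bare IP host, text before an “@” (which the browser discards), punycode labels, a brand name sitting in a subdomain or path of some other registered domain, a correct name under the wrong top-level domain, and lookalike spellings built from character substitutions. The brand list, the substitution table, the sample URLs and the registered-domain helper (last two labels; a production check would consult the Public Suffix List) are all constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Brands to protect, mapped to the registered domain each really uses.
# Constructed example list for illustration, not a real allowlist.
KNOWN_BRANDS = {
    "paypal": "paypal.com",
    "microsoft": "microsoft.com",
    "dropbox": "dropbox.com",
}

# Substitutions fraudsters use to build lookalike labels ("paypa1", "rnicrosoft").
# Simplified table; production code would use Unicode confusables data as well.
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b")]


def normalize_label(label):
    """Fold common lookalike substitutions so 'paypa1' compares equal to 'paypal'."""
    out = label.lower()
    for fake, real in LOOKALIKES:
        out = out.replace(fake, real)
    return out


def registered_domain(host):
    """Last two labels of the host name ('paypal.com' from 'www.paypal.com').
    Simplification: a production check consults the Public Suffix List so that
    names such as 'example.co.uk' are split correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_url(url, brands=KNOWN_BRANDS):
    """Return a list of warnings for a URL; an empty list means nothing suspicious was found."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path.lower()

    if parts.scheme != "https":
        findings.append(f"not https (scheme is {parts.scheme or 'missing'})")
    if parts.username is not None:
        # 'https://paypal.com@evil.example/': the browser discards everything before '@'
        findings.append(f"text before '@' is ignored; real host is {host!r}")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (xn--) label: internationalized lookalike domain")

    reg = registered_domain(host)
    reg_label = reg.split(".")[0]
    for brand, real_domain in brands.items():
        real_label = real_domain.split(".")[0]
        if reg == real_domain:
            continue  # genuinely the brand's registered domain
        if reg_label == real_label:
            findings.append(f"right name, wrong TLD: {reg!r} instead of {real_domain!r}")
        elif normalize_label(reg_label) == real_label:
            findings.append(f"lookalike of {real_domain!r}: {reg!r}")
        elif brand in host or brand in path:
            findings.append(f"{brand!r} appears in the URL but the registered domain is {reg!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs exercising the tricks discussed in the tips above.
    for sample in [
        "https://www.paypal.com/signin",
        "http://paypal.com.account-verify.example/login",
        "https://paypa1.com/",
        "https://paypal.net/",
        "https://paypal.com@203.0.113.5/",
        "https://xn--80ak6aa92e.com/",
    ]:
        print(sample, "->", inspect_url(sample) or ["looks ok"])
```

Run it as-is to see each sample URL with its warnings, or import `inspect_url` into a mail-handling script. The order of the brand checks matters: a plain TLD swap is tested before the lookalike fold so that “paypal.net” and “paypa1.com” get distinct messages, and the “brand elsewhere in the URL” check comes last so it does not mask the more specific ones.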
Ways to Protect Against URL Phishing
Awareness training is the first line of defense to protect against URL phishing. Eighty-five percent of companies now offer security awareness training to employees to protect their systems from all kinds of email-borne threats, according to Osterman Research. There are also technology tools to fight against fraudsters:
- URL filtering: Email security gateways compare every link in inbound mail against threat intelligence feeds and blocklists of known phishing domains, and can quarantine the message or rewrite the link so it is checked again at click time. Three out of four organizations are currently using threat intelligence feeds and blocklists to keep phishing messages out of their systems, Osterman reported.
- Artificial intelligence and machine learning: Classifiers that score email traffic in real time can block messages carrying phony websites that no blocklist has seen yet. They flag unusual sender behavior, link structure and traffic patterns and stop URL phishing before it reaches a user’s inbox, although they also produce false positives and should be tuned and monitored rather than trusted blindly.
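The URL-filtering step above, as an added example that is not from the article or any vendor product: a small Python scanner that pulls every link out of an HTML message, checks the destination’s registered domain against a blocklist (standing in for a threat intelligence feed) and flags links whose displayed text names a different domain than the real href, the hidden-address trick the tips above warn about. The blocklist entries, the sample message and the registered-domain helper (last two labels; a real gateway would use the Public Suffix List) are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed blocklist standing in for a threat-intelligence feed; these are not real indicators.
BLOCKLIST = {"account-verify.example", "secure-login.example"}

# Link text that itself looks like a URL or domain, so it can be compared with the real href.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of the host; a real gateway would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def displayed_host(text):
    """Host named by the link text if the text looks like a URL or domain, else ''.
    An image button or 'Restore my account' has no host to compare, so it returns ''."""
    text = text.strip()
    if not DOMAIN_LIKE.match(text):
        return ""
    if "://" not in text:
        text = "https://" + text
    return (urlsplit(text).hostname or "").lower()


def scan_email_html(body, blocklist=BLOCKLIST):
    """Return one verdict per link: its href, visible text and the reasons it was flagged."""
    collector = LinkCollector()
    collector.feed(body)
    verdicts = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        reasons = []
        if registered_domain(host) in blocklist:
            reasons.append(f"destination {host!r} is on the blocklist")
        shown = displayed_host(text)
        if shown and registered_domain(shown) != registered_domain(host):
            reasons.append(f"link text shows {shown!r} but the link goes to {host!r}")
        verdicts.append({"href": href, "text": text, "reasons": reasons})
    return verdicts


def should_quarantine(body, blocklist=BLOCKLIST):
    """Gateway decision: hold the message if any link was flagged."""
    return any(v["reasons"] for v in scan_email_html(body, blocklist))


# Constructed sample message mimicking the "account disabled" lure.
SAMPLE_EMAIL = """
<p>Your account has been disabled. Restore it within 24 hours.</p>
<p><a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/login</a></p>
<p><a href="https://secure-login.example/reset">Restore my account</a></p>
<p>Questions? Visit <a href="https://www.paypal.com/help">www.paypal.com/help</a>.</p>
"""

if __name__ == "__main__":
    for verdict in scan_email_html(SAMPLE_EMAIL):
        print(verdict)
    print("quarantine:", should_quarantine(SAMPLE_EMAIL))
```

On the sample message the first link is flagged twice (blocklisted destination and a displayed address that does not match the real one), the second once (blocklisted), and the genuine help link not at all. A button or plain call-to-action text gives the text-mismatch check nothing to compare, which is why the blocklist lookup and the per-URL heuristics remain necessary alongside it.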
How to Report Phishing URLs
When it comes to reporting URL phishing sites, the landscape is fractured, with many security companies collecting their own data and not necessarily sharing it. When spotting a phony URL, the first step is to alert your IT department, which can block it and start remediation steps.
The U.S. Cybersecurity and Infrastructure Security Agency is partnering with the Anti-Phishing Working Group to build a collection of phishing emails and fake website addresses. The APWG’s eCrime Exchange (eCX) has a threat data repository and data sharing platform. Report phishing URLs to APWG by sending an email to .
Most web browsers now offer their own defenses, such as warnings against insecure websites and interstitial alerts before they load a known spoof site. Those defenses draw on shared safe-browsing lists, which depend in part on users reporting fake sites. The IT department at San Francisco State University prepared a guide explaining how to report phishing URLs to the major browsers.[i] You can access it
The Bottom Line
Awareness and quick action are the best defenses to protect against URL phishing, with an assist from technology. Learning how to identify phishing URLs is the critical first step.