What Is URL Phishing?

Malicious parties use certain scenarios or techniques to stage URL phishing attacks. Here are some examples:

1. An email from a fake organization or government department: An email that looks like it comes from the government or some organization shows up in a user's inbox. It warns them about a community threat, prompts them to click on a link, and subscribe to notifications and updates. It may even ask for their email address and certain medical details that can then be used for identity theft. During the pandemic, this method was used to capitalize on public concern over COVID-19 infections.
2. An email warning regarding activity on your bank account, credit card, or financial application: An email that seems to originate from a bank or other financial institution such as PayPal warns a user about suspicious activity— such as a password breach—and prompts them to click on a link and verify transactions or change their password. The link redirects them to a fake version of the application or website, collects their login credentials, or prompts them to call “customer service.”
3. Fake advertising: A user may receive an email or message telling them an organization is giving away a prize. When they click on the link included in the message, they are taken to a fake website. In another example, the top result of a Google search is a fraudulent site, but the user does not notice. The URL has a slight  spelling error, special character, or weird suffix. They click on the link and sign up or log in to make a payment, and because the website looks legit, they are unaware their information has just been stolen.

These are just a few examples, but they help show how URL phishing works. Now, if an employee clicks on the link, how can they know the website is bogus so they do not give out sensitive data? 

Even if an email looks legit, make it a practice to log in to your account from a separate browser tab rather than from the email link. Carefully type in the URL so you know you are on the correct website. Additionally, consider any sense of urgency in an email a red flag. Legitimate sites will usually want customers to be prompt and responsible, but they will not want them to panic. They will also not issue unreasonable deadlines. 

Double-check the URL by looking for spelling mistakes or numbers where letters should be. For example, 0ffice.com is not the same as Office.com. Also, make sure the website suffix is the right one. For example, payabill.net is not the same as payabill.com. 

There are other telltale signs that a website is bogus. If you hover over a link or button without clicking on it, a URL description may appear on the bottom left-hand corner of your screen, allowing you to scrutinize the URL carefully. If in doubt, open another tab or browser and search for the website it purports to be. Once you find the official site, compare the two URLs. 

Some legitimate websites employ pop-ups, but a general distrust of pop-ups has led many organizations to eliminate them. However, some phishing emails will direct you to a real website but activate a pop-up window that requires you to enter your credentials. Be extra careful when signing in through a pop-up window.

If you are at a site and not sure about its legitimacy, enter a fake password the first time you log in. If it is a real website, your sign-in attempt will be denied. A fake website will sign you in any way, and that is a dead giveaway.

A homograph is a website that looks almost identical to the real one. Perhaps the only difference is a special character that looks like a letter at first glance. For example, payάbill.com is not the same as payabill.com. Keep a sharp eye out for those subtle details.

Your best bet for preventing phishing attacks is to train and educate employees, and being proactive is more cost-effective than being defensive. Here are some strategies you can adopt:

Ensure that your organization’s email application has link protection and/or URL filtering as security options. These will compare URLs users try to access against a periodically updated list of blocked or malicious URLs.

Artificial intelligence (AI) technologies can identify and block suspicious URLs, such as those impersonating legit URLs. Also, even if a phishing URL is not on any list or is not readily recognizable, AI defenses help to protect and update the database of malicious URLs.

Human error is one of the primary reasons behind phishing attacks, so train your employees on security awareness. Help them: 

1. Recognize the common methods attackers use
2. Understand how URL phishing works
3. Learn how to report URL phishing attempts to your security team

There are even applications you can use to conduct phishing simulations.

Employees should know how to report phishing attempts promptly to your organization’s in-house security team or managed services provider (MSP). But stopping there only benefits your organization. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has partnered with the Anti-Phishing Working Group (APWG) to create a database of phishing emails and fake URLs. To contribute to this database, report phishing attempts to phishing-report@us-cert.gov.