What Is URL Phishing?
URL Phishing Definition
URL phishing is the use of emails to redirect recipients to a fake website and coerce them into divulging sensitive data, such as login credentials or financial information. The website will look deceptively familiar and legit, but its aim is to misuse your trust by “fishing” for personal information a malicious actor can use for nefarious purposes.
Overview of URL Phishing
An estimated 15 billion spam emails are sent every day, and over 80% of organizations claim to have experienced phishing attacks at some point. Despite increased awareness, at least one-third of all phishing emails are actually opened, and in about 90% of data breaches, phishing is the root cause. No wonder most IT teams view phishing attacks as a major concern.
But what is Uniform Resource Locator (URL) phishing and how does it work? How do you identify URL phishing attacks and protect your organization?
How Does URL Phishing Work?
In its most basic form, URL phishing happens when a criminal sends someone a legitimate-looking email, which then entices the recipient to take action by clicking on a link that redirects them to what seems to be a company's official website. Once there, the unsuspecting victim will be required to enter personal or financial information.
Often, a sense of urgency, such as a fast-approaching deadline, is involved to pressure the user into meeting the perpetrator's demands. Some fake URLs actually redirect to the legitimate site after personal information has been entered. This way, the target does not immediately realize they have been duped.
Examples of URL Phishing
Malicious parties use certain scenarios or techniques to stage URL phishing attacks. Here are some examples:
- An email from a fake organization or government department: An email that looks like it comes from the government or some organization shows up in a user's inbox. It warns them about a community threat, prompts them to click on a link, and subscribe to notifications and updates. It may even ask for their email address and certain medical details that can then be used for identity theft. During the pandemic, this method was used to capitalize on public concern over COVID-19 infections.
- An email warning regarding activity on your bank account, credit card, or financial application: An email that seems to originate from a bank or other financial institution such as PayPal warns a user about suspicious activity, such as a password breach, and prompts them to click on a link to verify transactions or change their password. The link redirects them to a fake version of the application or website that collects their login credentials, or prompts them to call “customer service.”
- Fake advertising: A user may receive an email or message telling them an organization is giving away a prize. When they click on the link included in the message, they are taken to a fake website. In another example, the top result of a Google search is a fraudulent site, but the user does not notice. The URL has a slight spelling error, special character, or weird suffix. They click on the link and sign up or log in to make a payment, and because the website looks legit, they are unaware their information has just been stolen.
These are just a few examples, but they help show how URL phishing works. Now, if an employee clicks on the link, how can they know the website is bogus so they do not give out sensitive data?
6 Tips for Identifying a Phishing Website
1. Message Seems Legitimate
Even if an email looks legit, make it a practice to log in to your account from a separate browser tab rather than from the email link. Carefully type in the URL so you know you are on the correct website. Additionally, consider any sense of urgency in an email a red flag. Legitimate sites will usually want customers to be prompt and responsible, but they will not want them to panic. They will also not issue unreasonable deadlines.
2. URL Looks Suspicious
Double-check the URL by looking for spelling mistakes or numbers where letters should be. For example, 0ffice.com is not the same as Office.com. Also, make sure the website suffix is the right one. For example, payabill.net is not the same as payabill.com.
3. Weird Website URL
There are other telltale signs that a website is bogus. If you hover over a link or button without clicking on it, a URL description may appear on the bottom left-hand corner of your screen, allowing you to scrutinize the URL carefully. If in doubt, open another tab or browser and search for the website it purports to be. Once you find the official site, compare the two URLs.
4. Sign-In Through a Pop-Up Window
Some legitimate websites employ pop-ups, but a general distrust of pop-ups has led many organizations to eliminate them. However, some phishing emails will direct you to a real website but activate a pop-up window that requires you to enter your credentials. Be extra careful when signing in through a pop-up window.
5. Fake Password
If you are at a site and are not sure about its legitimacy, enter a fake password the first time you log in. If it is a real website, your sign-in attempt will be denied. A fake website will sign you in anyway, and that is a dead giveaway.
6. Website Address Is Not a Homograph
A homograph is a website that looks almost identical to the real one. Perhaps the only difference is a special character that looks like a letter at first glance. For example, payάbill.com is not the same as payabill.com. Keep a sharp eye out for those subtle details.
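The URL checks described in the tips above on suspicious spellings, wrong suffixes and homographs can be automated before anyone clicks a link. The Python script below is an added example written for this page, not Fortinet code: it resolves a URL to its hostname, converts the name to the punycode form the browser actually resolves, lists any non-Latin characters in it, folds common digit-for-letter swaps, and compares the name against a constructed allowlist of known-good domains (the domain names are the ones used in the text; the allowlist and sample URLs are constructed values).

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist of domains the organization treats as legitimate (example values).
KNOWN_GOOD = {"office.com", "payabill.com"}

# Digits commonly swapped in for the letters they resemble in typosquatted names.
LOOKALIKE_DIGITS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"}


def hostname_of(url):
    """Lowercased hostname of a URL or bare domain; '' if it cannot be parsed."""
    candidate = url if "://" in url else "//" + url
    try:
        return (urlsplit(candidate).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""


def non_latin_letters(domain):
    """Non-ASCII characters in the domain whose Unicode name is not a LATIN script name."""
    return [ch for ch in domain
            if not ch.isascii() and not unicodedata.name(ch, "").startswith("LATIN")]


def inspect_domain(url, known_good=KNOWN_GOOD):
    """Return the domain, its IDNA (punycode) form and a list of lookalike findings."""
    domain = hostname_of(url)
    if not domain:
        return {"domain": "", "punycode": "", "findings": ["no hostname in input"]}
    findings = []
    # 1. Homograph check: a label with non-ASCII characters becomes an xn-- label
    #    in punycode, which is the name the browser really looks up.
    try:
        punycode = domain.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = ""
        findings.append("domain is not valid under IDNA")
    odd = non_latin_letters(domain)
    if odd:
        names = ", ".join(unicodedata.name(ch) for ch in odd)
        findings.append("non-Latin characters in domain: " + names)
    if domain in known_good:
        return {"domain": domain, "punycode": punycode, "findings": findings}
    # 2. Digit-for-letter substitution: 0ffice.com folds to office.com.
    folded = "".join(LOOKALIKE_DIGITS.get(ch, ch) for ch in domain)
    if folded != domain and folded in known_good:
        findings.append(f"lookalike of {folded} via digit substitution")
    # 3. Wrong suffix: same name as a known-good domain under a different TLD.
    name, _, suffix = domain.rpartition(".")
    for good in known_good:
        good_name, _, good_suffix = good.rpartition(".")
        if name == good_name and suffix != good_suffix:
            findings.append(f"same name as {good} but with suffix .{suffix}")
    return {"domain": domain, "punycode": punycode, "findings": findings}


if __name__ == "__main__":
    for sample in ("https://office.com/login", "https://0ffice.com/login",
                   "http://payabill.net/pay", "https://payάbill.com/"):
        print(sample, "->", inspect_domain(sample))
```

The punycode form is the one worth showing users or logging: a homograph such as payάbill.com is visibly an xn-- name once encoded, which is also why modern browsers display such names in punycode when the label mixes scripts.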
3 Common URL Phishing Techniques
Although phishing awareness has vastly improved over the years, phishers are evolving their techniques to get past defenses. Here are some of the methods they are likely to try:
Mixing Legitimate Links with Malicious Links
Since many email applications can sift out emails with malicious links, phishers will try including at least one legitimate link along with the bogus one(s). That way, the email passes the email program’s defenses. They may also use a legitimate business or organizational logo to make the message appear real.
Redirecting to the Legitimate Site
Some phishing URLs lead to a page that prompts the user for sensitive information. Once it has been entered, the user is redirected to the legitimate site, so the theft goes unnoticed.
Obfuscating Malware with Images
Some filters scan the text in an email for malware, so phishers sometimes use images and graphics to hide the text and get past filters.
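The link-mixing technique above shows up in the message body as a trustworthy-looking link placed next to a bogus one, often with visible link text that names the real domain while the href points elsewhere. The Python script below is an added example, not code from the original page or from Fortinet: it parses a constructed HTML lure with the standard library, records every link's href and visible text, and reports display/href mismatches, hosts on a constructed blocklist, and a mix of trusted and unlisted hosts within one message (all host names and lists are constructed values).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed example lists: hosts the organization trusts and hosts a URL filter has blocked.
KNOWN_GOOD_HOSTS = {"payabill.com"}
BLOCKED_HOSTS = {"payabill-secure-login.example"}

# Constructed HTML body in the style of a lure: one genuine link to lend credibility,
# one bogus link whose visible text shows the real domain, and an ordinary text link.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your PayaBill account has been locked. Verify your transactions within 24 hours.</p>
<p><a href="https://payabill-secure-login.example/verify">https://www.payabill.com/verify</a></p>
<p>Read our privacy policy at <a href="https://www.payabill.com/privacy">payabill.com/privacy</a>.</p>
<p><a href="https://www.payabill.com/support">Contact support</a></p>
</body></html>
"""

DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname (lowercased, leading 'www.' dropped) if text is a URL or domain, else ''."""
    candidate = text if "://" in text else "//" + text
    try:
        host = (urlsplit(candidate).hostname or "").lower()
    except ValueError:
        return ""
    if not DOMAIN_RE.fullmatch(host):
        return ""
    return host[4:] if host.startswith("www.") else host


def analyze_email(html, known_good=KNOWN_GOOD_HOSTS, blocked=BLOCKED_HOSTS):
    """Return the links found in the body and a list of findings about them."""
    collector = LinkCollector()
    collector.feed(html)
    findings, hosts = [], set()
    for href, text in collector.links:
        href_host = host_of(href)
        hosts.add(href_host)
        if href_host in blocked:
            findings.append(f"blocked host: {href_host}")
        text_host = host_of(text)
        # Visible text that names one domain while the href goes to another is a lure.
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but href goes to {href_host}")
    trusted = {h for h in hosts if h in known_good}
    untrusted = hosts - trusted
    if trusted and untrusted:
        findings.append("mixes trusted hosts " + ", ".join(sorted(trusted))
                        + " with unlisted hosts " + ", ".join(sorted(untrusted)))
    return {"links": collector.links, "findings": findings}


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL_HTML)["findings"]:
        print(finding)
```

The mixed-host finding is deliberately only a signal, not a verdict: legitimate newsletters also link to third-party hosts, so in a mail gateway it would raise a score alongside the display/href mismatch and blocklist hits rather than block on its own.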
3 Strategies for Protecting Against URL Phishing
Your best bet for preventing phishing attacks is to train and educate employees; being proactive is more cost-effective than reacting after an attack. Here are some strategies you can adopt:
Link Protection and URL Filtering
Ensure that your organization’s email application offers link protection and/or URL filtering as security options. These compare the URLs users try to access against a periodically updated list of blocked or malicious URLs.
AI-Based URL Detection
Artificial intelligence (AI) technologies can identify and block suspicious URLs, such as those impersonating legitimate ones. Even if a phishing URL is not on any list or is not readily recognizable, AI defenses can still flag it and add it to the database of malicious URLs.
Security Awareness Training
Human error is one of the primary reasons behind phishing attacks, so train your employees on security awareness. Help them:
- Recognize the common methods attackers use
- Understand how URL phishing works
- Learn how to report URL phishing attempts to your security team
There are even applications you can use to conduct phishing simulations.
How To Report a Phishing URL
Employees should know how to report phishing attempts promptly to your organization’s in-house security team or managed services provider (MSP). But stopping there only benefits your organization. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has partnered with the Anti-Phishing Working Group (APWG) to create a database of phishing emails and fake URLs. To contribute to this database, report phishing attempts to email@example.com.
How Fortinet Can Help
As threats evolve, the need for security teams to be able to monitor them and promptly respond also grows exponentially. The Fortinet network detection and response service, FortiNDR, helps organizations benefit from AI technologies and a built-in virtual security analyst.
What is URL phishing?
URL phishing is the use of emails to redirect recipients to a fake website and coerce them into divulging sensitive data, such as login credentials or financial information.
How does URL phishing work?
URL phishing happens when a criminal sends someone a legitimate-looking email, which then entices the recipient to take action by clicking on a link that redirects them to what seems to be a company's official website. Once there, the unsuspecting victim will be required to enter personal or financial information.