a hacker holding a fishing hook with a chain.

Ever had an itch to click on a link while your entire body was screaming “NO!” but you didn’t know why? It was probably a phishing URL (Uniform Resource Locator). Sometimes they look so genuine it’s hard to tell them apart from real emails. So what exactly is URL phishing, and what should you look out for? 

Table of contents

    URL phishing explained 

    URL phishing is an activity by cybercriminals who send emails or messages with links that lead to malicious websites. They’re made to look trustworthy and usually require users to enter personal information, which is then used to collect data and steal passwords or even financial information.

    The threat actors often hide phishing website links in emails (email phishing), text messages (smishing), or other messaging apps or social media platforms. Those links are tailored to look similar to known brands like Twitter, Google, Microsoft, Zoom, and Amazon or governmental institutions that deal with health, finances, or social benefits.

    If you want to learn more about how URL phishing works and how to fight it, take a look at our video.

    How to identify a URL phishing attack

    When faced with a phishy-esque URL, review the following points:

    • Does it come from a suspicious email/message?
    • Is the displayed link hiding a different one when you hover over it?
    • Is the domain name correct and ends appropriately (.com, .net, etc.)?
    • Is the protocol correct (“https://”)?
    • Does the link have a subdomain, and where is it located?
    • Does a link redirect you through Google Search or other websites?

    If a link checks any single one of these boxes or more, don’t click it. Read on if you find any of this confusing or wish to learn more!

    Five different types of URL phishing

    URL phishing most often comes in the following forms:

    1. Legit” links are phishing links that use legitimate websites, such as Google or Bing search engine results, to redirect the victim to websites they want, like this (this one is safe to check, but hover over the link to see where the URL leads first).
    2. Masked links are hyperlinks that are overlaid on top of legitimate ones that lead to a different page, for example, www.objectivemeaningoflife.com/ (actually leads to the Surfshark order page).
    3. Typosquatting is URL phishing done by purposefully changing, skipping, or mistyping letters in a domain name like https://twirtter.com (do not visit) instead of https://twitter.com.
    4. Malformed prefix links prey on people who do not pay attention to a URL’s prefix. For example, http://google.com (fake, do not visit) is different from https://google.com (legit).
    5. Subfolder links give an illusion that a link leads to a legitimate site, but it’s a purposefully misplaced subfolder in the middle of a URL, e.g., https://microsoft.com.office365.ru vs. https://microsoft.com/office365 (let’s explore URL structure below).

    What does a URL phishing attempt look like? 

    I discussed the different forms of URL phishing above, but here’s a detailed example of what it may look like in an email you receive:

    A fake Surfshark website created to represent the main phishing techniques.

    How to protect against URL phishing

    The best rule of thumb: always check the links you receive according to the checklist above before opening, and if they seem phishy, don’t open them!

    Seriously though, not clicking is the best way to avoid any kind of phishing – our security officers approve this message. And if you don’t even want to see them, luckily, there are four ways to prohibit phishing website attacks from reaching you. Let’s check them out:

    URL Filtering

    In larger-scale phishing attacks, hackers use the same URL to target many people. Once someone reports a fraudulent attempt, that link is added to the list of untrusted URLs. Having that list available online is handy as you can use it to block bad URLs from entering your mailbox.

    Domain reputation check

    While URL filtering is good for well-known links, a domain reputation check prevents freshly created phishing attempts. It scans URLs and studies everything about them. For instance, a domain that is only a few hours old will probably be flagged as malicious

    Artificial intelligence (AI) based protection

    AI protection combines scanning for known malicious URLs and checking the reputation of the unknown ones. Conveniently, some email clients offer this protection as one of their features, so all you have to do is find and use one.

    Security awareness

    The best method to avoid malicious links is to learn about them (hopefully, not from your own mistakes). Use websites to check URLs, and inspect them. Be cautious of pop-up ads; double-check if URLs are safe before giving your information away.

    Not sure how to check that? I’ll take you through that in the next section.

    How do I know if a URL is safe?

    browser with 'HTTP' written in the search field

    If you have a link or a file at hand that you’re curious to check, you can use VirusTotal. However, even if you run a URL through and it comes clean from malware, it still doesn’t mean it’s 100% safe.

    Knowing how to read URLs is necessary if you want to be more confident in dealing with phishing attempts. Let’s dig in.

    Reading URLs to avoid URL phishing

    Every URL consists of three parts: protocol, domain, and subfolder (subdirectory).

    A real URL with protocol, domain, and subfolder places indicated

    The protocol determines how the information requests travel from a user to a domain and back. Big brands and self-respecting entities will use HTTPS over HTTP because it’s more secure. This often leaves HTTP links as partners in crime for URL phishing attacks.

    The domain is the most important part of a URL because there can be only one domain name, e.g., https://amazon.com, while https://amazon.net would be a different domain.

    A URL’s subdomain is where things can get tricky. Usually, it shows a page within a specific website and follows the domain name. However, as per the example below, you can also place it in the middle.

    altered URL with protocol, subdomain, and domain places indicated.

    This can be quite dangerous, especially if you receive a link in your email like this one:

    A fake URL with highlighted protocol, subdomain, and domain places.

    This makes it appear that the link would send you to Gmail, but someone just registered the domain “office365.ru” and put “microsoft.com” as a subdomain. You should avoid such links at all times!

    The general rule of thumb here is: if a URL seems somewhat legit but ends with a .com, .co, .net, .ru, or any other form of (.)something domain name, you probably have a subdomain somewhere in the middle of the link!

    So you found a suspicious URL – what to do next?  

    How to report phishing URLs

    When it comes to reporting phishing URLs, the security industry is quite divided. Companies don’t have one shared entity of phishing URLs but rather collect their own data. Because of this, the first thing to do when discovering a fake URL is to let the IT staff know about it

    If you want to go further, or don’t have IT staff available, here’s what you can do:

    Stay vigilant in the vast phishing seas

    A standing woman with an umbrella, confused by the webs flying all around her.

    Seems like there’s a lot to know – is it really necessary? Pardon my bluntness, but yes, it is. And URL phishing is just one form of phishing.

    Technology to stop hackers from exploiting cybersecurity systems improves every day.  That’s why their focus shifts towards the weakest link in our defenses – the human. Arm yourself with knowledge, understand why we fall for phishing, and avoid it!

    Block access to phishing URLs

    Get Surfshark


    What does a phishing URL look like?

    There is no general answer to what phishing should look like, as every attack is crafted differently. Two general rules include the URL not beginning with https:// or shttp://; spelling and grammar mistakes in the link.

    If you see anything odd/different, be extra careful and double-check the URL before giving away your information.

    What happens if I click on a phishing link?

    The attacker will immediately obtain basic information, such as your device statistics or  location. As long as you are not entering any personal information – you are fine.

    What makes a URL suspicious?

    URL can be suspicious if you get it in unusual ways (for example, in an email you never subscribed to). It’s also odd if it forces you to provide sensitive info (passwords, banking details).

    Judging by the looks, you should be worried if you see grammar, punctuation mistakes, long and garbled text, or shortened names.