What is URL phishing?

Ever had an itch to click a link while your entire body was screaming “NO!” but you didn’t know why? It was probably a phishing URL (Uniform Resource Locator), and it can prove tough to figure out if you don’t know what to look for.

URL phishing is a form of phishing when a threat actor manipulates internet links in various ways to incite his victims to click them. These links usually lead to malicious, malware-ridden sites that fish for a person’s credentials, especially banking information and passwords.

The threat actors often use emails (email phishing), SMS messages (smishing), or any other messaging apps or social media platforms to send infected links. These links are tailored according to known brands like Twitter, Google, Microsoft, Zoom, and Amazon, or authoritative institutions that deal with health, finances, or social benefits.

Six quick steps to identify URL phishing

If faced with a phishy-esque URL, review the following points:

  • Does it come from a suspicious email/message?
  • Is the displayed link hiding a different one when you hover over it?
  • Is the domain name correct and ends appropriately (.com, .net, etc.)?
  • Is the protocol correct (“https://”)?
  • Does the link have a subdomain and where is it located?
  • Does a link redirect you through Google Search or other websites?

If a link checks any single one of these boxes or more, don’t click it. If you wish to learn more or find certain points confusing, read on!

Five different types of URL phishing

URL phishing most often comes in the following forms:

  1. “Legit” links. These phishing links use legitimate websites, such as Google or Bing search engine results, to redirect the victim to websites they want, like this (this one is safe to check, but hover over the link to see where the URL leads first).
  2. Masked links are hyperlinks that are overlaid on top of legitimate ones that lead to a different page, for example, www.objectivemeaningoflife.com/ (actually leads to the Surfshark order page).
  3. Typosquatting is URL phishing done by purposefully changing, skipping, or mistyping letters in a domain name like https://twirtter.com (do not visit) instead of https://twitter.com.
  4. Malformed prefix links prey on people who do not pay attention to a URL’s prefix. For example, http://google.com (fake, do not visit) is different from https://google.com (legit).
  5. Subdomain links give an illusion that a link leads to a legitimate site, but it’s a purposefully misplaced subdomain in the middle of a URL, e.g., https://microsoft.com.office365.ru vs. https://microsoft.com/office365 (let’s explore URL structure below).

What does a URL phishing attempt look like? Example e-mail

I discussed the different forms of URL phishing above, but here’s an example of what it may look like in an email you receive:

What does a URL phishing attempt look like?

How do I know if my URL is safe?

How do I know if my URL is safe?

If you have a link or file at hand that you’re curious to check, you can use VirusTotal. However, even if you run a URL through and it comes clean from malware, it still doesn’t mean that it’s 100% safe.

Best rule of thumb: always check the links you receive according to the checklist above before opening, and if they seem phishy, don’t open them!

Seriously though, not clicking is the best way to avoid any kind of phishing – our security officers approve this message.

Also, if you learn to read URLs, you can be more confident in dealing with phishing attempts.

Reading URLs to avoid URL phishing

Every URL consists of three parts: protocol, domain, and subdomain.

Reading URLs to avoid URL phishing: Surfshark

The protocol determines how the information requests travel from a user to a domain and back. Big brands and self-respecting entities will use HTTPS over HTTP because it’s more secure. Many times this leaves HTTP links as partners in crime for URL phishing attacks.

The domain is the most important part of a URL because there can be only one domain name, e.g., https://amazon.com, while https://amazon.net would be a different domain!

A URL’s subdomain is where things can get tricky. Usually, it shows a page within a specific website and follows the domain name. However, as per the example below, you can also place it in the middle.

Reading URLs to avoid URL phishing: Order

This can be quite dangerous, especially if you receive a link in your email like this one:

Reading URLs to avoid URL phishing: Microsoft

This makes it appear as if the link would send you to Gmail, but someone just registered the domain “office365.ru” and put “microsoft.com” as a subdomain. You should avoid such links at all times!

The general rule of thumb here is: If a URL seems somewhat legit but ends with a .com, .co, .net, .ru, or any other form of (.)something domain name, you probably have a subdomain somewhere in the middle of the link!

Stay vigilant in the vast phishing seas

Stay vigilant in the vast phishing seas

This all seems like a lot to know, is it really necessary? Pardon my bluntness, but yes, it is, and URL phishing is just one form of phishing.

As technology improves day by day to stop hackers from exploiting cybersecurity systems, their focus shifts towards the weakest link in our defenses – the human. Social engineering is steadily growing in its many forms and will continue to do so, especially in times of turmoil and distress like the recent COVID-19 pandemic.

Anti-phishing software is not enough to battle phishing – you need to understand and be aware of it. Why buy expensive tools if you don’t know how to use them? Arm yourself with knowledge first to understand why we fall for phishing to avoid it!