What is URL phishing?

9 min read
Hannah Leung

Does the concept of URL phishing sound familiar to you?

There is a similarity between the act of phishing and the act of scamming. Both of these activities require the perpetrator to coax their victims into handing over something that they want. These victims usually do not know that there is a criminal behind these activities. Hence, they willingly hands over anything from cash to sensitive information, potentially harming themselves as a result.

In today's highly connected world, a vast amount of information is being passed on over the internet. From content compiled into a blog post to a database worth of users' personal information, people are both giving and receiving many types of information over their emails or browsers. Given the sheer amount of information, it's no wonder crime and criminal opportunists have turned their eye to the internet.

Whether you are an end-user or small business owners/webmaster, chances are you will encounter phishing sites on a regular basis. In fact, according to GlobalSign, Asia-Pacific has become a hotbed of cyberattacks targetted at both individuals and organizations.

At the onset of COVID-19, many businesses and organizations have taken to work remotely and conduct business on the internet. As a result, cybercriminals took advantage of this situation and launched many smart phishing attacks, causing widespread disruptions and losses.

Take a look at the news and every period, you might see a warning of a new form of phishing attack. Still, most cybercriminals commit their online crime using phishing URLs. In this article, we take a closer look at URL phishing and how you can prevent your website from falling victim to various kinds of attacks that may harm your business.

Table of Contents

  • What is URL phishing?
  • How common is URL phishing?
  • Don't fall victim to a phishing URL with these techniques
  • Precautions you can take to prevent phishing URLs from harming your business and customers

What is URL phishing?

The concept of phishing is pretty much close to fishing. When you fish, you typically try to lure fishes using baits, hooking it up with your rod when a fish takes your bait. Similar to fishing, cybercriminals lure their victims online by creating fake websites that resemble very closely to common secure sites that these victims access frequently.

URL phishing is a growing threat where cybercriminals create fake websites, ads and software to lure victims to disclose sensitive information.

Targets are also tricked into downloading programs that are malware in disguise. Hackers will, in this case, be able to acquire passwords, bank account pin numbers or credit card details, often putting these to malicious use.

In many cases, some of these websites look exactly the same as legitimate websites. A phishing URL will also look extremely similar to a real URL, which is why many people fall prey to it before they know it.

As webmasters / business owners, the most important thing is to ensure that your website is secure. If your website falls victim to a phishing attack, you can potentially lose business and in the long run, lose your customers' trust.

However, by preparing and taking the right steps, you can safeguard yourself from even the most sophisticated forms of phishing attack.

How common is URL phishing? 

SlashNext, a company that provides phishing defense for business, reported that phishing attacks are growing and are no longer limited to just emails.

Phishing attacks can now happen via SMS, social platforms, videoconferencing, and gaming services. In fact, mobile users are even more vulnerable due to small screens and invisible URL strings hiding the address.

With iPhone, users are 18 times more likely to get phished. Undeterred by the pandemic, SlashNext reports that the number of daily phishing threats topped 25,000 a day in 2020. COVID-19 specific scams rose by 22%, with hackers sending counterfeit Covid relief-checks, vaccination registrations, job opportunities and impersonating utility companies, charities or other services.

Cybercriminals are becoming more advanced and audacious. In mid-July 2020, Microsoft shut down the servers of scammers who targeted millions of people across 62 companies, via phishing emails that resembled Microsoft Office 365 alerts — many of which supposedly offered COVID-19 information. The damage was severe, with all Office 365 account contents — including email, contacts, notes and material — being hacked.

URL phishing awareness is one that requires you to be constantly on the lookout for any potential new phishing plot where you or your business might fall victim to. However, there are precautions to guard yourself and your website from these kinds of phishing attacks. More on that in the next section!

Scrabble Tile Showing Word "Scam Alert"

Don't fall victim to a phishing URL with these techniques

If an email that is supposedly from your bank, insurance company, or another trusted source starts with a generic "Dear sir or madam,” this serves as a red flag. Most institutions -- from retail to loyalty programs -- should have your information. A bogus email often starts out awkwardly and that should be a sign that the email contains malicious messages.

Think twice before opening emails that are not personally addressed to you.

If an email does come your way from a trusted sender, still hover your mouse over internet links before clicking through. A careful glance of the domain name should be able to help you identify genuine URLs. Beware of masked links, hyperlinks that are overlaid on top of legitimate text but lead to a different page. Even if an email appears to be from someone you know, take caution if you’re asked to click through a consent prompt.

In the case of the Microsoft hack, cybercriminals designed phishing emails to appear as if they originated from an employer or other trusted source. The phishing emails contained deceptive messages associated with generic business activities.

For example, the malicious link in the email was titled with business terms such as “Q4 Report – Dec19.” After clicking through a consent prompt, the victim unknowingly granted hackers permission to access and control the victims’ Office 365 account content.

You can be sent phishing URLs through an email, SMS, WhatsApp, Tweets, video conferencing or gaming platforms. Malicious links are difficult to spot, because they are engineered to look like they’re from a trustworthy source.

If there is an option to incorporate an email protection software on your inbox, definitely look into it!

2. Read through the content carefully and scan through URLs in preview before clicking

Ask yourself, is there anything that looks odd in this e-mail / SMS / message? Watch out for minor spelling variations, an unusual country domain (e.g. .uk or .io), or long strings of text and symbols. You can also Google the company name to check if it matches the official website URL.

What does a phishing URL look like? Hackers use a trick called “script spoofing,” where they register a URL using letters from a foreign language resembling the original version, such as the Cyrillic alphabet. Script spoofing can also be as simple as using the number “0” instead of the capital letter “O”, or the number “1” instead of a lowercase “L” or uppercase “I”.

For example, this email appears legitimate: info@amαzon.com. However, look closely and you’ll notice that the second “a” is actually the Cyrillic character “α”.

Magnifying Glass Over Google Word On Screen

Another clue to spot phishing URLs is to look at the prefixes of URLs. Chances are, most legitimate websites are secure and do not contain any spelling error or script spoofing. For example, a secure website uses HTTPS.

Hackers often disguise themselves as people working for the government or official organization. If you get an email from a seemingly legitimate organization, spend a few minutes checking online and making sure everything matches.

Scams often try to scare people into sending money to help a loved one or family member in trouble. They will rush you to pay, and once you do, you’ll never get the money back.

Although the company’s website or ad may show testimonials and reviews from satisfied customers, these may be fake. For emails or offers from a company you’ve not heard of, check to see what people have said about the company as well as reviews real customers have left. Make sure the company has a legitimate address. Additionally, look up the name of the company or the person plus the words “scam,” “review,” or “complaint.”

Overall, stay updated on recent scam and extortion alerts.

Precautions you can take to prevent phishing URLs from harming your business and customers

1. Enable Google reCAPTCHA on your website. 

Ah, the dreaded Google reCAPTCHA. As annoying as it might be as a user to click through, there’s a reason most websites enable this function. It helps to prevent spambots from completing fake submissions.

If you have a portion on your website involving a form or survey, enable Google reCAPTCHA to prompt visitors. By checking a box to prove that they’re not a robot before they submit their request of information, you’ll prevent spammers from completing submissions.

This can make it harder for spammers to drop random comments and spam your inbox.

2. Restrict uploading access and disable file editing on your website. 

Letting website visitors upload files to your website can be risky. That’s because any file could potentially contain a script that exploits vulnerabilities on your website when it’s executed on the server.

In some instances, your website might require file uploads. You may want users to add photos of your products when they’re writing a review. In this case, you should still treat all uploads as a potential threat.

3. Tighten your spam filters. 

Instead of simply deleting emails you get in your inbox, set up filters so the same type doesn’t come through again. You can also report messages to improve filters in the future. URL filtering stops the function of malicious code or spyware, phishing attempts, and other threats.

In review

Protect yourself against these common phishing attacks by exercising caution. Verifying the link and content of URLs before clicking through, enabling Google reCaptcha and restricting uploading access on your website, and tightening your spam filters overall. By taking these steps, you’ll stymie any security breaches that come your way.