What is URL phishing? Everything you need to know

Today, we’re going to talk about one of the most prevalent types of phishing — URL phishing. A menace to both individual users and organizations, URL phishing has been around for a very long time — and people still fall for it every day. We will delve into the mechanics of this cyberattack, learn about its various forms and potential risks, and explore some practical strategies for identifying, reporting, and preventing URL phishing attacks.

What is URL phishing?

URL phishing is a social engineering technique cybercriminals use to steal sensitive information, which can be anything from your Instagram login credentials to the most secret company data. This method often involves creating fake websites that mimic legitimate ones or making malicious links appear safe and getting people to click on them.

Technically speaking, URL phishing is any phishing attack that involves getting a person to click on a link — whether it’s in an email, a Facebook post, or a text message.

How does URL phishing work?

By using URL phishing, cybercriminals try to exploit people’s inherent trust in familiar websites, government agencies, and their friends or coworkers.

The attack usually starts with the criminal creating a fake copy of a known website, for example, a social network, an online store, or even a bank. Then, they craft a convincing story that is meant to make you panic and click the link — there’s trouble with your account, there’s unknown activity on your profile, someone tried to transfer your money, etc.

Once they have their website, story, and phishing email ready, the cybercriminals start sending them out. It’s especially dangerous when hackers manage to get their hands on leaked user lists with names and email addresses — then they know for sure you’re a client at a particular service and are more likely to act urgently.

Once you enter the fake website and fill in your login credentials, your real account is as good as lost. The attackers can quickly log in and change your password, essentially locking you out. If it’s a bank account, they may transfer your money to themselves. If it’s your main email or a social network account, you may be forced to pay a ransom to get it back.

Some attackers can use your accounts to impersonate you in further attacks aimed at your family, friends, or coworkers.

7 types of URL phishing

Even though the fake website scheme described in the previous section is one of the most common methods of URL phishing, there are many more. Phishing attacks come in various forms, each designed to trick users in different ways. Here are seven common types of URL phishing:

  1. Typosquatting involves registering domain names that are misspellings of popular websites (for example, instead of If you make a typo while entering a URL, you can end up on a fake site like this without even realizing it.
  2. Link masking is used by legitimate website owners who want to hide long and complex URLs by masking them under simple and short phrases. Unfortunately, cybercriminals also do that to hide obviously suspicious links under innocent-looking titles.
  3. “Legit” domains are when parts of real domains are used to create a legitimate-looking URL, like, that in reality are phishing websites.
  4. HTTP spoofing is creating a fake website that looks exactly like the real one but is hosted on a server controlled by the attacker, often distinguishable only by the lack of a secure HTTPS connection. This method is also used for clone phishing.
  5. Doppelganger domain is similar to typosquatting, but instead of changing a character, it omits one, and becomes
  6. Redirects are websites that have only one function — redirecting visitors to another page.
  7. URL shorteners are often used by individual users and businesses when they want to shorten a long URL to save space — they have no distinguishable features, and you’ll never know whether you’ll land on a campaign page for a popular brand or a malicious website.

What are examples of URL phishing?

URL phishing can look different based on the platform (whether it’s a social media post or an email, for example), but it’s always tailored to trick users in some way. Here are some of the most common URL phishing examples:

Breached account alert scam

You get an email from your bank stating that suspicious activity was detected on your account, and it was blocked to protect your money. It says you must log in ASAP to see what happened and verify it’s really you to unfreeze your assets. There’s a link, helpfully included in the same email, which, at a glance, appears to lead to your bank. You click on it, and a familiar website pops up. You log in and verify that everything seems to be OK. You might even change your password in the process, just to be safe. Unfortunately, the email was spoofed and the link and the website are both fake, and you just gave away your password to a cybercriminal.

Fake online shop scam

You see a sponsored post from a brand you love. They’re having a huge sale! You open the link, find the items you want, add them to the cart, enter your credit card details, and eagerly await your delivery. Meanwhile, a criminal in a basement somewhere has your credit card data, which they promptly use to buy a bunch of cryptocurrency.

Fake charity scam

A charity posts on social media about a terrible accident: the animal shelter burned down, and they are raising money on their website to rebuild it. You visit their page, which seems to belong to the charity, so you transfer the money. It turns out that the charity never even heard about this scam, the website was a copy, and everyone’s money went to the cybercriminals, not the homeless animals.

FedEx delivery scam

You get a text message from FedEx about an incoming parcel, but you must pay customs first. It asks you to open the link to pay and select the time you’d like the parcel to be delivered. Once you tap the link, you’re taken to a payment page with a blurry FedEx logo on it. You have to enter all your data — name, surname, email address, home address, phone number, credit card information. Unfortunately, if you do that, you won’t get an exciting package from overseas, but a criminal is getting all your information for Christmas.

These are just a few examples of using URL phishing to steal money or data. Cybercriminals might pretend to be your boss, business partner, recruiter offering you a job, or even a government agency requesting your social security number to help you with your tax returns.

How to identify a URL phishing attack?

If you want to protect yourself and your sensitive information, being able to detect a URL phishing attack before it does any damage is essential. Here are some things you should do:

Verify the URL

Always check the URL in your browser’s address bar. Look for variations in the domain name that might indicate it’s a fake site — did it send you to a subpage, even though you should be on the homepage? Is there a suspicious prefix? To further safeguard your online security, consider using anti-phishing software.

Spell-check the domain

Review the domain name for misspellings or added characters. For example, “rn” looks very similar to “m” at a glance, so look for these subtle changes.

Read the text carefully

If you have even the slightest suspicion, go over the email or message once more. Was it unsolicited? Is it urging you to do something, trying to induce panic? Are there any typos or other mistakes?

Check the website’s protocol

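Ensure that the website you’re on uses the HTTPS protocol. Legitimate websites prioritize security and will have a padlock icon in the address bar, but a website with a spoofed URL might only use HTTP. Keep in mind that the padlock only shows that the connection is encrypted, not who runs the site, so a phishing page can have one too. Treat HTTPS as one check among the others here, not as proof that a site is genuine.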
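
The checks in this section (verifying the URL, spotting look-alike spellings such as “rn” for “m”, and checking the protocol) can be automated against a list of domains you actually use. The Python below is an added example, not code from this article or from NordVPN; the trusted domains, the look-alike table, the warning labels, and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: domains the user really deals with (constructed sample values).
TRUSTED = ("example-bank.com", "example-shop.com")
# Character sequences that read alike at a glance, e.g. "rn" for "m".
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Naive last-two-labels split; production code needs the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def normalise(domain: str) -> str:
    """Collapse look-alike sequences so visually similar names compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def check_url(url: str) -> list:
    """Return warning labels for a URL; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registered_domain(host)
    findings = [] if parts.scheme == "https" else ["no-https"]
    if domain in TRUSTED:
        return findings
    for good in TRUSTED:
        if normalise(domain) == normalise(good):
            findings.append("lookalike-chars:" + good)
        elif edit_distance(domain, good) == 1:
            findings.append("one-char-off:" + good)
        elif good in host or good.split(".")[0] in host.split("."):
            findings.append("trusted-name-in-foreign-host:" + good)
    return findings


if __name__ == "__main__":
    for u in ("https://exarnple-bank.com/login", "https://example-bank.com.verify.test/"):
        print(u, check_url(u))
```

An empty result only means none of these heuristics fired; it does not prove that a site is genuine.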

How to report URL phishing?

If you suspect you’re a target of a URL phishing attempt, it’s important to report it promptly.

Inform the IT department if the phishing attempt was made on your work email. They can immediately protect the network and other users.

Next, if you’re in the US, you can contact the US Cybersecurity and Infrastructure Security Agency (CISA). It provides resources and a platform for reporting phishing attempts. You can forward phishing emails to the Anti-Phishing Working Group at or to the Federal Trade Commission at

If you live outside of the US, you can look up local cybersecurity agencies or contact the Anti-Phishing Working Group (APWG). It’s an international coalition that unites the global response to cybercrime in private, government, and law-enforcement sectors. They track phishing attempts and work to shut down phishing sites. You can forward the suspected phishing email to

How to prevent URL phishing?

Some URL phishing attacks are extremely sophisticated and well-planned, and it’s very difficult to avoid them before it’s too late. Others will be easy to spot if you know what to look for. Either way, there are a few things you can do to protect your work-related data as well as your personal accounts, information, and finances.

Use artificial intelligence

Businesses can implement AI-based security solutions that analyze patterns, detect anomalies, and flag potential phishing threats more efficiently than a human could.

URL filtering

Use URL filtering to block access to known phishing sites. It’s a great tool both for businesses and individual users — and very easy to use. Simply get a NordVPN plan that includes the Threat Protection feature, and it will automatically scan every URL you visit. If phishing or malware is detected, your access to the website will be blocked.

Cybersecurity training

Regular training for employees on how to recognize phishing attempts is crucial for a business’s safety. But you should also be aware of the more common URL phishing tactics and how they may be used to target you specifically.

Check the domain’s reputation

If the email looks like the real deal and you want to click the link but still have doubts, check the domain. Tools like WHOIS will let you know when it was registered, its status, who created it, and more. This way, if a domain that’s supposed to belong to your bank was created two weeks ago, you’ll know it’s most likely fake.