What is URL phishing?
Don't get hooked
A whopping 9 million phishing attacks were detected worldwide in 2023, with bad actors using lookalikes of legitimate websites to trick people into visiting bogus links, downloading malware, and revealing personal information – and then going on to commit identity theft, take over accounts, or steal money.
Even worse, phishing attacks have become more sophisticated and harder to spot, owing to advancements in technologies like AI. Seeing as just one click can be enough to compromise your digital privacy, it's important to know how URL phishing happens and how to avoid it.
Read on to find out how you can protect yourself against this dangerous cybercrime. I'll explain how digital privacy tools like the best VPNs and the best antivirus software can help sniff out even the most sophisticated phishing attacks.
What is URL phishing?
URL phishing is a method of social engineering used to encourage people to click on a link. The link often sends users to a fake website designed to harvest login credentials and other personal information (like credit card details and social security numbers), but can also initiate ransomware and malware downloads.
Think of it as a trick used by cybercriminals to bait people into handing over the usernames and passwords to their email or bank accounts.
These details can then be exploited by the bad actor to crack other accounts owned by the compromised user. Alternatively, they may sell the stolen credentials on the dark web for a profit.
As mentioned earlier, the bad actor can also use the phishing link to install malware on the victim's device. Malware can spy on their activity, collect data, or lock them out of their system entirely – and even follow things up with a ransom. The download is usually disguised as an innocuous .PDF file.
Curious about the creation and execution of a URL phishing attack? Let me give you a thorough run-through of the process. It starts with a bad actor creating a bogus site – a lookalike of the original. After all, the fake site has to look convincing if it's going to fool users into thinking it's real.
Next, the cybercriminal writes a message designed to make the reader click a link and visit the site.
This is usually done by making the user think something's wrong with an account of theirs. For example, it may be a message alerting the user about an overdraft or negative balance in their bank account. Alternatively, it can be a security warning asking the user to reset their password or verify their identity because their account has been compromised.
Although email is the most common channel for delivering a phishing link, it can also be sent via a social media DM, text message, or other online platforms.
Irrespective of the exact message sent out, the idea is to create panic (or urgency) in the user and prompt them to take immediate action – or risk something bad happening.
The "action" is, of course, to click the attached link, which takes the user to a fake but convincing login portal. The user then enters their password and other personal details and ends up getting "phished."
It's worth noting that most URL phishing attacks take a "spray and pray" approach, wherein the bad actor sends out identical messages to hundreds or thousands of users, expecting at least a few dozen folks to click.
However, with the evolution of phishing attacks, they've become more sophisticated and personalized. A good example of this is spear phishing, where the bad actor targets just a handful of people, or maybe even just a single person, addressing them by their name and/or using a reference, such as a coworker.
Next, there are vishing attacks, which are fake phone calls made to random telephone numbers. They combine AI tools (to mimic human voice) and traditional phishing techniques, which make them harder to ward off.
How to spot URL phishing scams
Although there's growing user awareness of traditional phishing campaigns, bad actors are constantly cooking up new and more sophisticated attacks that are harder to identify. So, it's important to remain vigilant and aware of the red flags that will help you spot instances of URL phishing much more effectively.
Here are my top tips for spotting phishing scams:
- Be suspicious: if a message seems odd, out of the blue, or too good to be true, be wary. Bad actors use clickbait and urgency to get people to click on bogus links. Oftentimes, your browser will warn you with an "insecure connection" alert if you visit a phishing site.
- Check the URL: phishing URLs, because they want to mimic the original website, often use misspellings, added hyphens, or altered domains, such as .net instead of the original's .com. Examine the URL and be extra cautious if it has been shortened.
- Ask who sent the message: check for errors in the sender's email address by comparing the details against the legitimate ones; you can find the latter by simply searching for it on Google. Bad actors often make slight tweaks to their email addresses in the hopes you won't notice.
- Question the requests: bad actors also try to dupe users with fake password reset links – so always double-check that the requests are legitimate.
- Examine the content of the website: most reputable companies have top-notch websites with a clean UI and high-resolution images. Fake phishing websites, on the other hand, typically have substandard websites with clumsy grammatical errors and low-res images. Additionally, unlike phishing sites, genuine business websites almost always have a "contact us" page where they display their postal addresses, phone numbers, email addresses, etc.
- Check payment methods: legitimate sites allow transactions via debit/credit cards and PayPal. However, phishing websites do not offer these payment methods and insist on payment via a bank transfer or cryptocurrency.
- Find out who owns the website: every single domain name has to be registered, and you can look up a website's ownership details, including the creation date, current owner, and the owner's contact details, completely free of charge.
- Who is the message for: dodgy emails often use generic greetings rather than your actual name.
How to prevent URL phishing
Here are four tools you can use to ensure you never fall prey to a URL phishing attack.
- A link checker: simply put, a checker scans a URL and lets you know if it's legitimate or not. It does so by comparing the link against a list of websites that have been flagged for scams or malware. The best part is that link checkers are often free (top suggestions include NordVPN Link Checker and Google Ads Scripts) and easy to use.
- Use a VPN: the best secure VPN services encrypt your communications over the internet by routing your traffic through an encrypted VPN tunnel (and not your ISP's server), making your data unintelligible to snoopers. It will also spoof your real IP address, so opportunistic cybercriminals can't track your online activities.
- Enable multi-factor authentication: MFA will help prevent unauthorized access to your accounts. So, even if you end up getting phished, i.e., your login credentials are stolen, bad actors won't be able to log into any of your accounts because that would require a one-time code, which is only available on your mobile phone.
- Use an antivirus: the best antivirus software will block phishing sites and catch threats before they can cause you any harm.
Krishi covers buying guides and how-to's related to software, online tools, and tech products here at TechRadar. Over at Tom's Guide, he writes exclusively on VPN services. You can also find his work on Techopedia and The Tech Report. As a tech fanatic, Krishi also loves writing about the latest happenings in the world of cybersecurity, AI, and software.