What is URL Phishing and How to Avoid an Attack

Written by Sam Jones
May 10, 2022 - 5 minute read

URL Phishing is a popular technique using malicious links and fake websites to extract sensitive information. Read on to learn how to avoid these attacks.


Phishing is a lot more complicated and sophisticated than it once was. We now have to be on the lookout for all kinds of malicious tricks and not just by email - vishing and smishing are common threats now too.


But one thing is clear, whatever method of social engineering is used: if attackers gain your trust, you’re a much easier target.


URL phishing aims to fool you with more than just an email. Hackers will actually create fake web pages to further lure in their victims with the ultimate goal of capturing their details. Often these sites are designed to look like a site you might recognise so that they might appear to be legitimate - and when we’re not paying attention, it can be easy to miss the signs.  


URL Phishing


Here’s how a URL phishing attack might play out:


  1. You open your inbox and find an email from your favourite music streaming platform letting you know that your account has been compromised.
  2. But don’t worry, there’s a password reset link in the email so you can go and rescue your account.
  3. Clicking the link, you land on a URL that perfectly reflects the platform you know and love.
  4. You’ll be asked to log in so you can change your password and get on with your day - simple, right?
  5. Not quite. The site is only disguised to look like your trusted music streaming app. Once those login details are entered, they’re sent straight to the hacker’s server, free to use however they please. They’ll have access to all the information inside your account and they may sell your credentials on the Dark Web. If you’re using that password anywhere else, you can be sure a hacker will now gain access.


This is just one of many scenarios that a hacker might choose. Other popular attacks involve impersonating your bank or healthcare provider as these are likely to be most profitable to bad actors, offering highly sensitive personal information.


It’s worth noting that URL phishing doesn’t have to be email-based. Phishing sites may also be reachable via a simple Google search, where hackers have paid for ads on certain keywords to trick users into clicking through to a malicious site.


A real case of this happened recently, where hackers took advantage of users searching for crypto wallets in order to transfer their victims’ funds into their own wallets. The sites were built to look like official crypto wallet sites with slight deviations like a different extension on the domain - easy to miss when you’re not looking for it. After capturing the searcher’s credentials, the hackers stole and transferred cryptocurrency into their own wallets. These attacks reportedly resulted in the theft of around $500,000 worth of cryptocurrency. Google’s 2021 update addressed these cases of URL phishing, introducing new measures and compliance requirements for advertisers.


Cryptocurrency Phishing


So how is it so easy to get duped?


Hackers can get clever with URL phishing. As we’ve seen, these malicious sites can look so similar to the original that it’s easy to assume there’s nothing phishy (pun intended) going on.


A common tactic is for an email to contain various legitimate links along with the malicious one. The malicious one, however, will normally be associated with the primary call to action, the reset link, for example. Using the brand’s logos and even mimicking the language and tone of their real emails can further build our trust and lower any suspicions.


Hackers might also redirect their phishing page to a legitimate URL on the company’s site, so after you’ve put in the details they want from you, you’ll have no reason to suspect anything is wrong.


Here are 5 tips for protecting yourself against URL phishing in practice:


Consider Email Content. As with any phishing email, always be wary of how the email is written. Is there a sense of urgency around getting you to complete the desired action? What are the spelling and grammar like? Check the domain of the sender as well. Emails from reputable companies are not going to be littered with grammatical errors, so errors are usually cause for suspicion.


Investigate Links. If there are links in an email that you’re being encouraged to click on, check them first. Hovering over the text link or button will show you the full URL, so you can check that the domain is exactly what you were expecting and that it starts with HTTPS, which indicates an encrypted connection (though not, on its own, that the site is genuine).


Examine the Webpage. If everything seems legit and you do click on the link, give the page a thorough examination before inputting any details. Again check for spelling and grammar, and peruse the site a bit to see if there are any slip-ups that the hacker has made. Be wary of popups as these can be malicious even if the website itself is legitimate. If asked for your credentials, a good trick can be to enter the wrong password and if it’s accepted, you can be fairly sure of foul play.


Avoid Clicking. To be extra cautious, you can avoid clicking the link in the email altogether and instead go to Google and find the site that way. If you suspect it might be a scam, you can try to find out whether anyone else has reported something similar. Otherwise, if the email appeared to be from a company you have an account with, access it via your usual login method. It will quickly become clear whether there’s actually any cause for concern or action required of you, or you can contact the company themselves to find out more. They will definitely appreciate it if you make them aware of a URL phishing scheme involving them!


Use Tools. Certain tools like URL filtering can help by scanning emails and comparing the URLs they contain against blacklists of malicious domains. AI-based solutions are even more reliable for this as hackers become more sophisticated and competent at bypassing filtering.
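The checks from the Investigate Links and Use Tools tips can be automated. The following Python example is added here and is not part of the original article or any vendor's tool: it pulls the links out of an HTML email and flags non-HTTPS targets, blocklisted sites, link text that names a different site from the real destination, and look-alike domains such as the "different extension" trick from the crypto wallet case. The trusted domain, the blocklist entry and the sample email are constructed assumptions, and the last-two-labels rule for finding the site name is a simplification.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"musicstream.example"}     # assumed: sites the reader really uses
BLOCKLIST = {"account-alerts.test"}   # constructed blocklist entry
DOMAIN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
SAMPLE = ('<a href="https://musicstream.test/r">musicstream.example/reset</a>'
          '<a href="http://rnusicstream.example/login">Sign in</a>')  # constructed

class LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def check_link(href, text):
    """Return warning labels for one link; an empty list means no finding."""
    url = urlsplit(href)
    host = (url.hostname or "").lower()
    site = ".".join(host.split(".")[-2:])   # simplification: no public-suffix list
    flags = []
    if url.scheme != "https":
        flags.append("not-https")           # connection would be unencrypted
    if site in BLOCKLIST:
        flags.append("blocklisted")
    shown = DOMAIN.search(text.lower())
    if shown and not ("." + shown.group()).endswith("." + site):
        flags.append("text-mismatch")       # link text names a different site
    for good in (sorted(TRUSTED) if site not in TRUSTED else ()):
        brand = good.split(".")[0]          # brand reused in host, or near-miss spelling
        if brand in host or SequenceMatcher(None, site, good).ratio() >= 0.85:
            flags.append("lookalike:" + good)
    return flags

def scan_email(html):
    collector = LinkCollector()
    collector.feed(html)                    # only absolute URLs are checked below
    return {h: check_link(h, t.strip()) for h, t in collector.links if "://" in h}
```

A link with no flags has only passed these particular checks; a flagged link is one to verify through the company's usual login route before entering anything.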


When you’re busy and your mind is on other things, attacks like URL phishing are missed, so it’s always best to be sceptical of everything. Phishing is the most common cyber attack by a long way and for good reason. Even if it takes a few minutes out of your day to verify a link, you’ll be glad you did it. If you do spot something wrong, you can report it to Action Fraud or send the suspicious email directly to report@phishing.gov.uk.


Outsmarting a hacker is your best chance of not becoming another statistic, so keep an eye out and have these tips top of mind when you’re going through your emails - everyone’s a target, but not everyone has to be a successful hit!

