A link is not always what it seems. Hackers have gone to great lengths to create convincing websites that look just like the real deal. Often, the site spoofs a major company such as Microsoft. By convincingly spoofing legitimate websites, bad actors hope to encourage end users to enter their credentials. Thus, URL phishing is a pretext for credential harvesting attacks.
When done properly, URL phishing can lead to usernames, passwords, credit cards, and other personal information being stolen. The most successful ones often require users to log in to an email or bank account. Without proper defenses, end users and companies could easily fall prey.
Here, we discuss the basics of URL phishing and a summary of the best practices for stopping these attacks.
URL Phishing - A Malicious Website
Phishing attacks commonly begin with an email and can be used in various attacks. URL phishing attacks take phishing a step further to create a malicious website. The link to the site is embedded within a phishing email, and the attacker uses social engineering to try to trick the user into clicking on the link and visiting the malicious site.
How Does It Work?
URL phishing attacks can use various means to trick a user into clicking on the malicious link. For example, a phishing email may claim to be from a legitimate company asking the user to reset their password due to a potential security incident. Alternatively, the malicious email may claim that the user needs to verify their identity for some reason by clicking on the malicious link.
Once the link has been clicked, the user is directed to the malicious phishing page. This page may be designed to harvest a user’s credentials or other sensitive information under the guise of updating a password or verifying a user’s identity. Alternatively, the site may serve a “software update” for the user to download and execute that is actually malware.
How To Identify URL Phishing
URL phishing attacks use trickery to convince the target that they are legitimate. Some of the ways to detect a URL phishing attack are to:
- Ignore Display Names: Phishing emails can be configured to show anything in the display name. Instead of looking at the display name, check the sender’s email address to verify that it comes from a trusted source.
- Verify the Domain: Phishers will commonly use domains with minor misspellings or that seem plausible. For example, company.com may be replaced with cormpany.com or an email may be from company-service.com. Look for these misspellings; they are good indicators.
- Check the Links: URL phishing attacks are designed to trick recipients into clicking on a malicious link. Hover over the links within an email and see if they actually go where they claim. Enter suspicious links into a phishing verification tool like phishtank.com, which will tell you if they are known phishing links. If possible, don’t click on a link at all; visit the company’s site directly and navigate to the indicated page.
How To Protect From URL Phishing
URL phishing attacks can be detected in a few different ways. Some of the common solutions include:
- URL Filtering: Some phishing URLs are used multiple times and are included in threat intelligence feeds. Blocking these known-bad URLs can help to prevent less-sophisticated phishing emails from reaching users’ inboxes.
- Domain Reputation: Anti-phishing products commonly look for warning signs of phishing URLs within emails. For example, a domain that is only a few hours old is likely malicious.
- DMARC Verification: DMARC verification uses SPF or DKIM to verify that an email originates from the alleged source domain. This helps with detecting and blocking spoofed source addresses.
These common phishing detection mechanisms can catch the low-hanging fruit. However, phishers are growing more sophisticated and using methods that bypass these common techniques. For example, phishing sites may be hosted on SaaS solutions, which provide them with legitimate domains. Protecting against these more sophisticated attacks requires a more robust approach to URL scanning.
URL Phishing Protection With Check Point
Check Point and Avanan have developed an anti-phishing solution that provides improved URL phishing protection compared to common techniques. This includes post-delivery protection, endpoint protection to defend against zero-day threats, and the use of contextual and business data to identify sophisticated phishing emails.
Learn more about how phishing and social engineering attacks have grown more sophisticated over the years with the Social Engineering Ebook. Then sign up for a free demo of Check Point Harmony Email and Collaboration to learn how to block the phishing emails that other solutions miss.