URL Phishing

What is URL Phishing?

Cybercriminals use phishing URLs to try to obtain sensitive information for malicious use, such as usernames, passwords, or banking details. They send phishing emails to direct their victims to enter sensitive information on a fake website that looks like a legitimate website.

URL phishing is also known as fake websites and phishing websites.

How URL Phishing works

Hackers create phishing sites to harvest personal or otherwise valuable data. They send email messages to their victims in an attempt to lure them to the phishing site. These attacks are successful when a victim follows a link to a website and provides whatever information is requested. Normally these links are disguised as password resets or identity confirmations for legitimate services. The website is also disguised so that the victim does not notice it is a fake website.

Why URL Phishing is important

Around 91% of security breaches start with a phishing attack, and many of them include malicious links to fake websites. The use of URLs in phishing emails is popular and effective. Unfortunately, about 4% of recipients in any given phishing campaign click on the malicious link, and hackers only need one person to let them in.

Given the success rate, it’s not surprising that reported losses in 2019 due to phishing reached almost $58 million. That’s bad news, considering only 57% of organizations have URL protection in place, according to a recent survey.

In recent years, hackers have started to adopt social-engineering tactics to avoid detection and trick users into clicking on malicious links. They combine URL phishing with impersonation techniques, use newly registered high-reputation sites, or even hijack the website of a legitimate business for their phishing campaign, using redirects or URL shortening services.

How to protect against URL Phishing

There are a number of strategies you can put in place to protect your users and your business against phishing URLs:

Link protection

Make sure your email security includes link protection or URL filtering. These technologies will limit access to specific URLs by comparing addresses of sites users attempt to visit to a blocklist or list of known malicious domains. Link protection also automatically rewrites these URLs so they can be scanned by your security solution when clicked to block malicious links.
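The following is an added example, not Barracuda's code or part of the original page, of the two mechanisms described above: rewriting links so a click passes through a scanner first, and comparing the destination host to a blocklist at click time. The gateway address, blocklist entries and sample email are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, quote, parse_qs

# Constructed values for illustration; none come from the original page.
GATEWAY = "https://linkprotect.example.invalid/check"
BLOCKLIST = {"login-verify.example.net", "phish.example.org"}
SAMPLE_EMAIL = (
    "Your password expires today. Reset it here: "
    "https://www.bank.example@Phish.Example.ORG/reset?id=7. "
    "Policy: https://intranet.example.com/policy"
)

# http(s) links; the last character may not be sentence punctuation.
URL_RE = re.compile(r"""https?://[^\s<>"']*[^\s<>"'.,;:!?)]""", re.IGNORECASE)

def host_of(url):
    """Hostname the browser would connect to, normalized for comparison."""
    # .hostname drops "user@" decoys and the port, and lowercases the host.
    return (urlsplit(url).hostname or "").rstrip(".")

def is_blocked(url, blocklist=BLOCKLIST):
    """True if the host or any parent domain is listed (label boundaries only)."""
    labels = host_of(url).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def rewrite_links(body, gateway=GATEWAY):
    """Delivery time: point every link at the gateway, original URL as a parameter."""
    return URL_RE.sub(lambda m: f"{gateway}?u={quote(m.group(0), safe='')}", body)

def on_click(rewritten):
    """Click time: recover the original URL and decide whether to let it through."""
    original = parse_qs(urlsplit(rewritten).query)["u"][0]
    return ("block" if is_blocked(original) else "allow", original)

if __name__ == "__main__":
    for link in URL_RE.findall(rewrite_links(SAMPLE_EMAIL)):
        print(on_click(link))
```

The first sample link shows why the comparison uses the parsed hostname rather than the visible text: everything before the `@` is userinfo, so the browser connects to the blocklisted host even though the link appears to start with a bank's name.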

AI-Based protection

Attackers are adapting their techniques to bypass email gateways and spam filters, so a good spear-phishing solution that protects against phishing URLs is a must. Artificial intelligence-based protection can identify and block abnormal or impersonating URLs, which signal phishing attacks. Even when a phishing website has never been used in previous campaigns or is hosted on a high-reputation domain, inbox defense can help protect against targeted spear-phishing attacks that use malicious URLs.

Security awareness training

Make URL phishing part of your security awareness training program. Ensure your staff can recognize these attacks, understand their fraudulent nature, and feel comfortable reporting them. Use phishing simulation technology to test the effectiveness of your training and evaluate the users most vulnerable to extortion attacks.

Learn more about URL Phishing

How Barracuda can help

Barracuda Email Protection is a comprehensive, easy-to-use solution that delivers gateway defense, API-based impersonation and phishing protection, incident response, data protection, compliance and user awareness training. Barracuda Email Protection includes:

  • Barracuda Email Security Gateway quickly filters and sanitizes every email before it is delivered to your mail server to protect you from email-borne threats. Using virus scanning, spam scoring, real-time intent analysis, URL link protection, reputation checks, and other techniques, Barracuda provides you with the best possible level of protection.
  • Impersonation Protection is a cloud-hosted service that uses artificial intelligence for real-time spear-phishing and cyber fraud defense. It connects directly to Office 365, so it works alongside any email security solution with no impact on network performance or user experience.
  • Security Awareness Training is the industry's most powerful Security Awareness Computer-Based Training and Simulation Solution. Using state-of-the-art training and simulation, Security Awareness Training can teach your employees to recognize and eliminate highly specialized spear phishing attempts.
