In my years of doing security awareness training, I’ve always taught users to hover over links embedded in emails before clicking on them. When hovered over, links show their true destination, and users could then see if a link is taking them to the real website, or a fraudulent one.
And it’s a great way to help detect and avoid phishing emails, which we all know, contributes to over 40% of the malware distribution on the Internet today. That is, unless you don’t know how to pick out the good from the bad in a web address.
In a recent training I did, I found that to be an (incorrect) assumption I had been making all these years.
What good is looking at the link before you click, if you can’t accurately determine where it will actually take you?
Phishing artists are getting especially good at crafting fraudulent emails, and that includes creating believable, complicated domains and sub-domains that can be tricky to sort out. Because of these complexities, it takes some training at all levels of an organization to develop this skill.
So, how do you spot a bad URL?
My recommended method is to find the domain of the web address as an assessment of the link’s validity. This will tell you if the link is taking you to the right website, or something entirely different.
This simple set of rules is an easy way to disassemble complex URLs and web addresses to determine its’ domain:
- Remove the http(s)://
- Find the last “.” before the first “/”
- The domain is the text directly before and after that “.”
- Include “-“ and “_” in the domain, they are not separators
- Assume a “/” at the end if one is not present
Let’s try it out on the address below:
https://members.citicards.com.relay4.net/account/balance.php
- Remove the http(s)://
https://members.citicards.com.relay4.net/account/balance.php
- Find the last “.” before the first “/”
https://members.citicards.com.relay4.net/account/balance.php
- The domain is the text directly before and after that “.”
https://members.citicards.com.relay4.net/account/balance.php
This appears to be a fraudulent URL.
And one more:
https://login.account_chase.com
- Remove the http(s)://
https://login.account_chase.com
- Find the last “.” before the first “/” (Remember: Assume a “/” at the end if one is not present)
https://login.account_chase.com/
- The domain is the text directly before and after that “.”
https://login.account_chase.com/
Wait, that’s not right...
- Remember: Include “-“ and “_” in the domain, they are not separators
https://login.account_chase.com/
This appears to be a fraudulent address also.
I hope you find this rule set helpful. With a little practice, it will become second nature. Here are a few samples you can try on your own:
http://products.shop2win.us/amazon.com
https://drive.google.com/this_could_be_malicious.docx
http://hotmail.com.user-mail.ru/login
https://onlinebanking.mybank.com/887564433/user/login.aspx
As always, feel free to share with users, co-workers, and colleagues.
[feather_share]
Or sign up for our newsletter to receive articles like this delivered to your inbox weekly.
[mc4wp_form id="451"]