How to Spot a Phishing Link: Tips to Keep You Safe

Phishing attacks have become increasingly sophisticated and targeted. This makes it more important than ever before for internet users to know how to identify malicious links. Attackers continue to exploit human error by using cleverly disguised phishing links to trick people.  Users who click often reveal sensitive information like login credentials or personal information, and even financial details.
Let’s dive into expert tips on how to identify phishing links and protect yourself from falling victim to these attacks.

Why Phishing is Still a Top Threat

Phishing is one of the most common and effective cyberattack methods because it preys on human trust. Cybercriminals craft emails, text messages, or social media posts to look like legitimate communications from trusted organizations. These messages commonly contain malicious links that, when clicked, redirect users to fake websites, trigger malware downloads or exploits.  Another common attack, we see much more frequently, is hackers stealing post-authentication tokens from your browser that enabled them to log into your email account or worse, your bank account!

The 2023 Verizon Data Breach Investigations Report examined the last 20 years of cyber attacks and concluded that the one constant for all 20 years was that phishing attacks remain the leading cause of data breaches.  Phishing attacks use multiple techniques to fool us such as domain spoofing (typo-squatting), URL shorteners, unsubscribe links, and even provide security logos to create a false sense of security or legitimacy.

How to Spot a Phishing Link: 5 Key Tips

1. Hover Before You Click

One of the simplest ways to check a link’s legitimacy is to hover your mouse over it (on a desktop or laptop). When you do this, the true URL will appear in a small box at the bottom left of your screen. If the link doesn’t match the domain it claims to be from—such as an email claiming to be from PayPal but linking to “paypa1.com”—that’s a red flag. On mobile devices, you can often long press (press and hold) a link to see the URL before opening it. Always double-check that the URL looks correct before clicking.  If ever you’re in doubt, google the vendor to validate the appropriate domain.

2. Watch for Misspellings and Odd Characters in the URL:

A common phishing tactic is using misspellings or subtle changes in a URL to make it appear legitimate. For example, a phishing link might use “micros0ft.com” instead of “microsoft.com,” or replace letters with numbers and symbols that look similar. These slight changes can easily go unnoticed, especially if you’re in a hurry. In addition to look-alike letters in a domain name watch for the addition of a solitary “S” to the end of the domain.  Double-check the URL for accuracy by running a Google or AI search for the vendor’s proper domain, just to be certain.

3. Look for HTTPS, But Don’t Rely on It Completely:

Most legitimate websites use HTTPS (Hypertext Transfer Protocol Secure), indicated by a padlock icon in the browser’s address bar, to encrypt data between your browser and the website. However, cybercriminals have caught onto this, and some phishing websites now use HTTPS to make themselves appear secure. While HTTPS is a good sign, it’s not foolproof. Always consider other factors, like the email source, URL, and the context of the message.

4. Never Trust URL Shortening Tools:

URL shorteners, such as bit.ly or tiny.url, are commonly used in social media posts or emails to condense long URLs. While they’re useful for legitimate purposes, they also hide the true destination of the link. This is why phishers often use them to conceal malicious URLs. If you receive a shortened URL, especially in unsolicited messages, it’s best to avoid clicking it. You can use URL expanders, like CheckShortURL.com, to reveal the full link before deciding whether to visit the site.

5. Check the Domain for Subdomains and Extra Words:

Another technique phishers use is creating URLs with legitimate company names embedded in subdomains. For instance, a phishing link might look like “login.microsoft.com.attacker.com” to trick you into believing it’s a Microsoft website. Always pay close attention to the actual domain name (in this case, “attacker.com”), and be wary of any unexpected subdomains. Legitimate organizations rarely use complicated subdomains for login pages or official communications. If you see an unusually long URL with extra characters, it’s likely a phishing attempt.

Additional Signs of a Phishing Attack

1. Urgency, Emotion, and Fear Tactics:

Messages that create a sense of urgency—such as threats to close your account or a warning that your information has been compromised—are designed to make you act without thinking. Likewise, emotional appeals that strike at your heart may also be a sneaky way to get you to react and click without thinking.  Even a like button in an email can contain malicious behaviors hidden in the code beneath.  The same can be said for unsubscribe links.  Never react quickly to any email.  Always take a moment to verify the sender’s legitimacy before clicking any links in these kinds of messages.

2. Unsolicited Invoices, Attachments, or Links:

If you receive an unexpected email with an attachment or link, even from a known contact, double-check with the sender before clicking. Their email may have been compromised and you could be falling into a favorite hacker attack vector – Business Email Compromise (BEC) attacks.  When checking with the sender, don’t send them an email, call them or text them.  Do anything to reach them except emailing them as the hacker may be in control of their email inbox.

3. Generic Greetings:

Phishing emails often use vague greetings like “Dear Customer” instead of addressing you by name. This is a red flag that the sender likely doesn’t have access to your personal information.

Remember, hackers favorite attack vector is phishing emails. It cost them so little to send amazingly complicated and convincing emails to millions of people.  They hope and pray for you to react quickly, without thinking, to their attacks.  Be smart, be suspicious, and always inspect the links and senders of emails before clicking on anything.  But what if you did accidentally click?  Since this happens here is what you should do if you find yourself in this clicky or sticky situation.

What to Do If You’ve Clicked a Phishing Link

If you accidentally click a phishing link, act quickly to minimize potential damage:

1. Disconnect from the Internet and Power Down:

If malware is downloaded, disconnecting from the internet can prevent it from communicating with a remote server. This prevents your infected computer from executing instructions from the hacker such as encrypting files, sending files to the hacker, or downloading malware. Powering your computer down will prevent further encryption routines from running. This allows IT to boot into safe mode, or off a bootable drive to inspect and potentially prevent further damage and remove the infection.

2. Contact your IT Department or IT Provider immediately. 

They will have the tools and monitoring to examine what happened after you clicked. They can also assist in scanning your computer for malware, logging all parties out of your email account and resetting your authentication credentials and so much more.  They are there for this very situation!

3. Scan for Malware:

Use antivirus and antimalware software to scan your device for any suspicious activity or files that may have been downloaded.

4. Change Passwords:

If you entered login credentials, immediately change your passwords for the compromised account and any other accounts that use the same credentials.

5. Enable Two-Factor Authentication (2FA):

Wherever possible, enable 2FA to add an extra layer of security to your accounts, making it harder for attackers to gain access.

6. Adopt Passkey-based authentication:

Passkeys are one-of-a-kind cryptographic keys that only work to unlock your account at one website.  This makes them even better than traditional complex passwords and multifactor authentication which can be stolen or bypassed respectively.  This makes passkeys a powerful tool to defend against hacker attacks.

Business Owners Tip:

Now that you have a handle on how to spot and avoid phishing attacks, you need to practice these skills with phishing simulations.  Practice must extend to every knowledge worker in your organization.  Like physical fitness, you and your staff must continuously practice these tips to build muscle memory.  If you stop working out you fall out of shape.  If you stop practicing phishing simulations you will react and make a grave mistake, or one of your staff members will.  Sign up for a positive, educational phishing simulation that teaches and rewards good behaviors like inspecting emails carefully and not reacting to them.  Avoid phishing tests that punish bad behaviors such as clicking on fake links but miss educating end users properly on what to inspect. 

CyberHoot provides just the solution you need to build cyber literacy in your employees. We educate, then test and reward them for good inspection behaviors quarter after quarter and year after year.

Conclusion

Phishing attacks continue to evolve, and cybercriminals are getting better at disguising malicious links to look legitimate. However, by following the advice and expert tips given in this article, you can reduce your chances of falling victim to a phishing scam. Become more aware to become more secure.