Privacy Tip of the Week: Learn to Recognize URL Spoofing

With more than one billion unique websites on the internet, finding a specific one would be next to impossible without the help of URLs. Much like a building address, which allows people to find places in the real world, URLs act as digital addresses that help people find websites in the online world. Despite how vital they are, or perhaps because of it, cybercriminals have managed to turn them into a weapon, through a process called URL spoofing. This crime occurs when a fraudulent link looks like a real URL, all in order to steal your data or infect your device with malicious software. Taking the time to learn about the most common types of spoofs and how to recognize them can help keep you safe online.

• Common spoof attacks
• How to recognize URL spoofing

Common Spoof Attacks

Unfortunately, hackers are clever. Over the years, they’ve thought up tons of methods for URL spoofing, some of which are more sophisticated than others. However, the more sophisticated the method, the more time intensive it is. Because of this, a few favoured spoofing methods have emerged, most of which come through email or on social media websites. These are some of the most popular:

• Masked Links: Hackers are able to hide URLs behind other page elements, like buttons or text. If clicked, these links can install malicious software on your device, or take you to a website that looks real but is really designed to steal your data.
• Misspelled URLs: Some hackers won’t bother to mask the URLs they’re spoofing at all. Instead, they rely on your lack of attention to trick you. With this type of URL spoofing attack, the URL they want you to click will be just slightly misspelled. They simply hope you won’t notice. For example, a hacker may send you an email claiming your YouTube account has been compromised and you must sign in again to change your password. However, the link they include in the email is really spelled youtude.com. If you miss the spelling error and click the link, you can bet the website will look like YouTube. This is all designed to trick you into giving away your login info.
• Shortened Links: Many URLs are quite lengthy, which means sharing them in emails or social media eats up character limits and breaks text flow. Instead, many people prefer to use URL shorteners, such as Bitly, which is completely legitimate. Unfortunately, hackers know that many people trust link shorteners, and have started hiding their own malicious links behind them.

How to Recognize URL Spoofing

Although URL spoofing can be difficult to detect, there are a few tips you can use to avoid and report malicious links hidden with spoofing techniques.

• Hover Over the Link: Before you click any link, hover your mouse over it to check the URL (which should appear as a pop up). If the URL doesn’t pop up, you can also right-click copy the link. From there, paste it into a word document or note-taking app to see the full address.
• Read the Link: Before clicking a link, take the time to read the URL. If you think you’re going to Netflix.com but the URL says Ntflix.com, it’s a spoof. Also look for accents, glyphs, or other strange characters in the URL that shouldn’t be there.
• Visit the “Website” Independently of the Link: If you receive an email from an airline (as an example) offering a deal too good to be true, but can’t tell if the link is fake or not, don’t click it. Instead, leave the email behind and find the airline’s website on your own, to verify if the deal is true. You can use this tip for any email you receive.
• Protect Your Devices: Despite your best efforts, it’s still possible to fall victim to a spoof. If that URL contains malicious software, it may infect your device with malware or viruses. You can protect yourself before this happens by installing antivirus software on your devices, and keeping your browser updated.
• Report URL Spoofs: If you can verify a spoof on social media sites or in your emails, don’t just ignore it. Instead, report it to the platform. This helps the website improve the protections they have against such things (such as spam filters).

URL spoofing isn’t the only threat that lurks on the internet. You can help protect yourself against others by using HotBot VPN every time you connect to the web. Our app, available for Android, iOS, and Windows devices, encrypts your data and makes you anonymous online. You can read about our service’s other features here.