Phishing consistently tops the list of most reported cybercrimes according to the FBI. We explain what URL phishing is, how attackers disguise malicious URLs, and how you can spot and report fake links before they steal your data.
URL phishing refers to malicious links that mimic trusted sites to trick you into clicking and giving up sensitive information or downloading malware. Scammers have come up with many different tactics to make URLs look legitimate. We’ll cover the most commonly used ones below, list some telltale signs of a phishing link, and explain what to do if you spot one.
What is URL phishing? An overview
URL phishing involves attackers creating a link that appears legitimate but leads to a fake website, usually one that mimics the design of trusted sites like banks or online stores. When you click the link, they try to steal your login details, personal info, or payment data.
These phishing links can appear in emails, texts, social media messages, or even ads. The message usually pressures you to act fast, like “verify your account” or “confirm your delivery.” The sense of urgency tricks people into clicking without checking the URL closely.
Phishing URLs can take many forms, from subtle misspellings to pages on legitimate websites that hackers compromised. You can protect yourself by checking links carefully, previewing URLs, paying attention to browser or antivirus warnings, and using tools like a URL phishing checker before entering sensitive information.
Common URL phishing tactics
Every phishing scam aims for that first click, but attackers use different methods to get there. Here are some URL phishing tricks to watch out for:
Typosquatting
Typosquatting relies on small spelling changes in a domain name. Fraudsters register addresses that look almost identical to real websites, so the difference slips past you when you scan the URL quickly.
A scammer might use paypaI.com, with a capital “i” in place of the lowercase “L” in paypal.com, or register amaz0n.com with a zero instead of the letter “o”. Some use characters from other alphabets that resemble Latin ones, such as apple.com written with the Cyrillic “a”, which can fool even experienced users.
Disguised URLs
Disguised URLs hide the real destination behind text that looks safe. You might see a link labeled bankofamerica.com that redirects to a phishing domain when clicked. Email buttons, shortened links, and embedded hyperlinks in messages often hide the real address as well.
Discord’s Masked Links feature shows how this works. A hacker impersonating Discord staff could easily steal somebody’s account by claiming they can bypass age verification or that they “need to update their info” with a quick login.
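A mail or chat filter can catch this by comparing the domain a link displays with the host it actually opens. The following is an added example, not code from the original article: the function names, the sample message and the example.net hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

DOMAIN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)    # a domain inside link text
MASKED = re.compile(r"\[([^\]]+)\]\((https?://[^)\s]+)\)")  # [label](url) chat syntax
SAMPLE = (  # constructed message; example.net stands in for an unrelated host
    '<p>Visit <a href="https://www.bankofamerica.com/help">bankofamerica.com</a> '
    'or sign in at <a href="https://login.example.net/s">bankofamerica.com</a>.</p>'
    '<a href="https://login.example.net/s">Verify your account</a> '
    "[discord.com/verify](https://accounts.example.net/v)"
)

def mismatch(label, href):
    """Return (label, real host) when the label names a different site than href."""
    shown = DOMAIN.search(label)
    actual = (urlsplit(href).hostname or "").lower()
    if not shown or not actual:
        return None            # label shows no domain to compare (e.g. a button)
    name = re.sub(r"^www\.", "", shown.group().lower())
    if actual == name or actual.endswith("." + name):
        return None            # same site or one of its subdomains
    return (label, actual)

class AnchorCollector(HTMLParser):
    """Gather (visible text, href) for every <a> element in an HTML message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit(message):
    """Check HTML anchors and masked chat links in one message body."""
    collector = AnchorCollector()
    collector.feed(message)
    pairs = collector.links + MASKED.findall(message)
    return [hit for hit in (mismatch(l, h) for l, h in pairs) if hit]
```

The “Verify your account” button is not reported because its text shows no domain to compare, so buttons and images still need the hover-and-preview check.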
Hacked trusted domains
Hackers sometimes break into legitimate websites, where they can modify pages, add phishing forms, or place malicious downloads on the site.
For example, a hacked blog, forum, or small business website might display a fake login prompt or update notice. Visitors assume the site is safe because the domain is familiar, but attackers control the page and collect any information entered.
Altered domain prefixes
Many people skim the beginning of a URL without looking closely at the full address. Bad actors take advantage of that habit by changing the prefix, like replacing www with wvvw, inserting extra letters, or rearranging characters.
A link like “wvvw.apple.com” or “logiin-secure-paypal.com” may appear normal until you take a closer look.
Malicious subpages on real sites
Instead of creating a fake domain, fraudsters sometimes place phishing pages inside existing websites. They add new paths or directories that appear connected to the legitimate domain. For instance, a compromised site might host a phishing page at “company.com/secure-verification”, making the fake page seem more credible.
Redirect-based phishing URLs
Some phishing links rely on redirects to send you to an unexpected destination. The link may start with a legitimate site, but the page quickly forwards you to a malicious destination. For example, a link might first open a harmless page on a real domain before redirecting to a fake login form. Shortened links and tracking URLs often hide these redirect chains.
SSL certificate spoofing
Many phishing sites use HTTPS and display the padlock icon in the address bar. Attackers can obtain SSL certificates for their domains, which makes the connection appear secure even though the site itself is malicious.
You might land on a page like paypal-login-secure.com that still shows HTTPS. The connection is encrypted, but the domain does not belong to PayPal, so any information you enter goes directly to the criminals.
Hidden links in images
Links do not always appear as visible text. Scammers can hide URLs behind images, buttons, banners, or other page elements so you cannot easily see the destination. It’s not uncommon for an email to include a promotional banner or QR code that leads to a phishing site.
Emails with safe and malicious links
Some phishing emails mix legitimate links with malicious ones to make the message appear trustworthy and lower suspicion.
A message might include real links to a company’s homepage or help center alongside a phishing login link. Because several links look legitimate, the dangerous one often goes unnoticed.
What does a phishing URL look like?
Phishing links often look normal at first glance, but small details give them away. Here are a few quick checks before clicking or entering any information:
- Look for small spelling changes in the URL: Attackers often register domains that look almost identical to real ones. You might see extra letters (appple.com), swapped characters (appel.com), or numbers replacing letters (amaz0n.com).
- Preview the link before clicking: Move your cursor over a link to see the real destination in your browser’s status bar. If the address looks unfamiliar or unrelated to the message, avoid clicking and open the site manually instead.
- Check for HTTPS in the address bar: Secure websites use HTTPS and display a padlock icon in the address bar. If a page asks you to log in or pay for anything without HTTPS, close it and avoid entering any information. That said, don’t forget that phishing sites can also use HTTPS, so check the full domain as well.
- Browser or antivirus security alerts: Modern browsers and antivirus tools notify you when a site appears dangerous. If you see a warning page or security alert, leave the site immediately and avoid bypassing the protection.
- Use a URL phishing checker: Paste the link into a tool like the NordVPN link checker or other safety scanner before clicking. These tools compare the address with known malicious sites to catch suspicious links early.
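The spelling and full-domain checks above can be automated against a short list of sites you actually use. This is an added example, not code from the original article or from any link-checker product: the allowlist, the function names and the rule that a domain is its last two labels are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

TRUSTED = ("paypal.com", "apple.com", "amazon.com")    # constructed allowlist
SWAPS = str.maketrans({"0": "o", "1": "l", "I": "l"})  # look-alike characters

def skeleton(name):
    """Collapse confusable characters (0/o, I/l, vv/w) to one canonical form."""
    return name.translate(SWAPS).lower().replace("vv", "w")

def osa_distance(a, b):
    """Edit distance that counts an adjacent swap (appel/apple) as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def check_link(link):
    """Return reasons the link's domain looks like an imitation (empty if none)."""
    netloc = urlsplit(link if "://" in link else "//" + link).netloc
    host = netloc.rsplit("@", 1)[-1].split(":")[0]   # netloc keeps the typed case
    domain = ".".join(host.split(".")[-2:])          # assumption: two-label domains
    if domain.lower() in TRUSTED:
        return []
    reasons = []
    odd = [ch for ch in host if not ch.isascii()]
    if odd:
        script = unicodedata.name(odd[0], "UNKNOWN").split()[0]
        reasons.append(f"non-ASCII character ({script})")
    for good in TRUSTED:
        brand = good.split(".")[0]
        if skeleton(domain) == good:
            reasons.append(f"confusable spelling of {good}")
        elif osa_distance(domain.lower(), good) == 1:
            reasons.append(f"one edit away from {good}")
        elif brand in skeleton(host):
            reasons.append(f"uses the name '{brand}' outside {good}")
    return reasons
```

A non-empty result is a prompt to look closer, not a verdict: the brand-name rule will also match unrelated domains that happen to contain a trusted name.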
Examples of phishing links in the wild
Phishing URLs typically imitate banking alerts, delivery updates, or marketing offers to get you to click. Here are some of the most common examples so you know what to watch for:
- Fake online banking sign-ins: Hackers may trick you with warnings about unusual transactions or unpaid charges. However, when you enter your username and password, the mimic site records them, and the scammers can use the stolen details to access your account.
- “Secure your account” alerts: Some phishing emails claim your account was breached or locked. Unsurprisingly, any links will lead to a page that collects your credentials instead of protecting your account.
- Delivery tracking scams: These messages claim a package needs confirmation or rescheduling and include a tracking link. Whether it’s a UPS scam or fake Amazon driver texts, the link is only there to snatch your payment or personal info.
- Fraudulent donation pages: Cybercriminals may create fake charity pages during disasters or major events. The site looks legitimate and asks for donations, but the payment goes directly to scammers instead of a real organization.
- Fake online promotions: Some scam messages promise discounts, gift cards, or limited-time deals on popular storefronts. The page may ask you to enter personal details or payment information before claiming the offer, which attackers then collect.
Where to report phishing URLs
Several organizations and services collect reports and investigate suspicious links. Reporting phishing URLs helps remove malicious sites and warn others before they fall for the same scam. Here are your options:
- Notify the company being impersonated: If the phishing link pretends to represent a real company, report it to that organization. Many brands have dedicated misuse or security contact pages where you can submit phishing URLs.
- Report the site through browser safety tools: Browsers like Chrome, Firefox, and Edge include tools for reporting dangerous websites. Submitting the link helps the browser block the domain and warn other users.
- Send the link to security companies: Antivirus providers and companies like Cloudflare, Cisco, and CrowdStrike collect phishing reports and track malicious domains. Your report allows them to study the wider phishing campaign and add domains to blocklists used by browsers, DNS filters, and email security tools.
- Flag the phishing URL in your email/texting app: Email providers and messaging apps often include options to report phishing directly from the message. The service can then investigate and filter similar scams.
- Contact national cybersecurity agencies: Government agencies like the FTC and CISA in the US, or the NCSC in the UK, accept phishing reports and track large-scale scams. Submitting the URL gives authorities the info they need to investigate and alert the public.
How to protect yourself from URL phishing
Being able to recognize phishing URLs helps keep you safer overall. That said, nobody can stay alert all the time, so a few security tools should give you a stronger safety net against scams.
Using a dedicated password manager lets you fill in credentials only on the correct sites. That way, even if a phishing link looks convincing, you won’t accidentally hand over your login. Meanwhile, VPNs with threat protection can block access to known malicious domains, adding another layer of defense.
Don’t forget to secure all your accounts with an authenticator app or other two-factor verification method for good measure. Finally, remember to update your browser and antivirus software and heed any dangerous website alerts. They’re there for a reason.
What is URL phishing? FAQs
Should I be worried if I clicked on a phishing link?
Not necessarily. Many phishing links only load a fake website that asks for login or payment details, or tries to get you to download malware. If you refused any downloads and didn’t enter your email, password, or banking info, you’re probably safe.
That said, some attackers may exploit browser or app vulnerabilities to run code as soon as the page loads, even if you don’t click anything. If you suspect something is amiss, disconnect your device from the internet, run a full antivirus scan, and change important passwords from a different device. Monitor your accounts for a while, just in case.
Should I reset my phone if I clicked on a phishing link?
Resetting your phone after clicking a phishing link usually isn’t needed. As long as you didn’t download anything, log into an account, or enter your credit card details into a scam site, you’re most likely in the clear.
Plus, as we’ve covered in our Android vs iPhone security comparison, modern smartphones use app sandboxing. That means opening a link in your browser usually doesn’t allow it to make system changes. Still, it’s worth resetting important passwords and keeping an eye out for suspicious activity.
Can you get a virus from a URL?
You can get a virus from a URL if the site tricks you into downloading or installing an app or file. Some pages also abuse browser prompts to install malicious extensions. Avoid downloads from unfamiliar sites and keep your browser and system updated to prevent any issues.
Can someone hack your email with a link?
Yes, someone can access your email through a link if a phishing page gets you to enter your login details. Attackers often copy real sign-in pages to capture usernames and passwords. Once they log in, they may change your password and lock you out of the account.