Tech & Cybersecurity 101: Dissect Phishing Links

OK, I'm stating the obvious: phishing email is by far a bad actor's favorite and most successful technique. It is inexpensive, and even a modest 1% to 5% hit rate is lucrative. Every small business is a target, and anyone can be compromised if they are not diligent 100% of the time.

Security awareness training programs, and online sources, speak and write extensively about how to recognize a phishing email, from evaluating the sender's address to spotting poorly written text (although ChatGPT now helps non-English-speaking bad actors write grammatically correct text). But phishing emails are driven by one action: getting you to CLICK. Yes, some engage by phone, but the large majority of phishing emails use social engineering to get you to click on a link.

Herein lies the overarching issue: everything we do online is based on clicking. So we're not going to scare everyone away from clicking... BUT we can teach people how to read a URL (Uniform Resource Locator), aka the website link. Bad actors know most people are not technical and do not know how to break down a link, and they use that to their advantage.

Applying critical thinking to any email is important: who is emailing you, why, and what are you being asked to do? No, the IRS is not going to email you demanding payment. I'm not going to cover every phishing scenario, but here are some tips on how to read a URL so you know where you're being sent.

Links may appear as text in an email or be hidden behind a CLICK HERE button or image. The first step (on your computer) is to simply hover the mouse over the button or link without clicking. Your email program should reveal the actual link you're being directed to, typically in the status bar or a small pop-up. This link may take one of the following forms:

1. https://blueteamadvisors.com/articles/f/tech-cybersecurity-101-c-i-a-triad

2. https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fu1755800.ct.sendgrid.net%2Fls%2Fclick%3Fupn%3DOwiOQu2DAH0UMbwP2qusBqTE43JExzJeQF8SDwMvqODUSxyXthXf-2FA6cu9BFy9MacUUD_rvDzYcJMdqdKeN1CnYq9MfG7q2TcWD31NKSTX1rVKTo1uFwUXn79WmYlyH9lEKNOm7TP0ipx6TNoekEQcth0xmixPB0MIk8KMA7el-2F0vhS4or7P00sFzHEi6dPfHXdGNPoWj3JykfDPqywouBPrzRxqwSgQyCnRR2kTBR-2Fn-2Fatuja-2FAUphtAflRMMRtuKDlhJEidDZvhq8GhebgcCmi26Z85Q11juluxKt1gktDpOli1pkbdcWAE-2FFJQkiresEw4zjx-2BcuHrQ8ylKGsY7KGrG5z-2B-2FdRSWKsG6bw9gIcVXaH7c6Z4LlErLXgmT2-2FMwrQB0-2FrFvfny3L4r43QHvr16XwHprrH2MQmwzKvkOxuDJi-2BCcVkUibdlmSJ5zYWEulS20n1xghYBd-2BjAgN2XpgdgcigMpwaD7jpRaQkDZvaa9m0npGLg7LJXHRJSqKKDTI2rxyfTDMIGCBbLnw36OdXv-2Bw-3D-3D&data=05%7C01%7C%7C767f08f7e69741cbedbf08db3f1161d7%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638173116116616748%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=QhDxLiFBcCum%2Bv7gYQERB8IUzAw2RzfJDaIQ2X2sSk%3D&reserved=0

3. https://urldefense.proofpoint.com/v2/url?u=https-3A__thehackernews.com_2023_06_microsoft-2Dreleases-2Dupdates-2Dto-2Dpatch.html&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=hzpKskIRdhq1vo6rAB1niRWyy-5d1NG1851myuxqVIY&m=Ei55_j-vE52NtSUJPBpKOntDI3JuW2ojV_jLAG53aryGJtu9m9uQSQm2DPRyPuPF&s=3GOVXE-3G--rxYyb7meQioZWFd8JKBIzld1U0_hs0U&e=

Some of you might be reading this and thinking, what am I looking at and how am I supposed to make heads or tails of this?

No worries, here's what you need to focus on.

1. Every link starts with “http://” or “https://”. This is the communication protocol between your web browser (e.g. Chrome or Firefox) and the website; the “s” means the connection is encrypted. Encryption only protects the traffic in transit, it says nothing about who runs the site, and most phishing sites today use https too.

2. Now locate the first single slash that appears after “https://”. Everything between the double slashes and that slash is the host name. Read it backwards from the slash: the last two pieces separated by dots (for example, outlook.com) are the domain you are actually being sent to, and everything in front of them was chosen by whoever owns that domain. (Some countries use a two-part suffix such as .co.uk, so there the domain is the last three pieces.) One more trap: if there is an “@” sign in that part, the browser ignores everything before it and connects to whatever comes after it.

Taking the first example (above), //blueteamadvisors.com/, you're being directed to a .com site named blueteamadvisors. In the second example the host is na01.safelinks.protection.outlook.com, so you are first being sent to outlook.com; this is Microsoft's Safe Links service, which checks the real destination (carried in the “url=” part of the link) at the moment you click and then passes you on. In this case that destination is itself a SendGrid click-tracking link that redirects yet again. The third is another email security filtering service (Proofpoint) that will, upon your clicking, scan the destination (here thehackernews.com, carried in the “u=” part) and refuse to complete the connection if the site is known to be malicious or compromised. Keep in mind that such a wrapper only means your email provider rewrote the link; it is not a guarantee that the final site is safe.

There will be more on domains in another article, but just know that the original and most popular top-level domains are .com (commercial), .org (organization), .net (network), .edu (education), and .gov (government). There are links below to a list of all top-level domains and of the country codes.

So, what do you want to look out for?

1. Misspelled known entity names, or added or swapped characters. Examples include yahooo.com, micro-soft.com, or c1sco.com. Be suspicious of hyphens, digits, or unusual characters in a domain name; lookalike letters from other alphabets (such as a Cyrillic “а” in place of the Latin “a”) are used for the same purpose and can be impossible to spot by eye.

In the second example (//na01.safelinks.protection.outlook.com/), “na01.safelinks.protection” are subdomains of the main domain (outlook.com). Subdomains are simply names the domain's owner creates for different servers or services under it, so only the owner of outlook.com can create them. The flip side matters: anyone who owns a domain can create a subdomain called “microsoft” or even “microsoft.com” under it, so the brand name you recognize has to be the last part before the first slash, not somewhere earlier in the host name.

2. Unfamiliar domain. An example might be microsoft.com.ru. Reading backwards, the site is under .ru (Russia's country code), with .com.ru as a common second level there; “microsoft” is just a name the registrant picked, and it has nothing to do with Microsoft's own domain, microsoft.com.

If it doesn’t look right, DON’T CLICK. Even if it appears to be a legitimate email, use your web browser and go directly to the known website, preferably one that you already bookmarked (if applicable).

Everything after the first slash is typically the path (directories and the web page), and anything after a “?” is the query string, which usually carries tracking information or, in rewritten links, the real destination in encoded form.

In the first example, “articles/f/” are directories or sections on the website, and “tech-cybersecurity-101-c-i-a-triad” is the page you are being directed to.

In the second example, the crazy hieroglyphs are tracking and routing information. When used for legitimate purposes, companies use this to track activity or marketing campaigns (for example), and link-rewriting services use it to carry the real destination in encoded form (the “url=” part of the second example and the “u=” part of the third). When used for illegitimate purposes, the same mechanism can hide a malware download or a credential-harvesting page behind layers of redirects, and a unique token in there can tell the attacker exactly who clicked. Generally speaking, you'll want to stay away from clicking links you cannot read, but apply critical thinking when deciding whether to click.
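Here is the same dissection done in code, as an added example that is not part of the original article: it splits a link into scheme, host, domain, subdomains, path and query, applies the checks described above (hyphens or digits in the domain, non-ASCII characters, a brand name that only appears as a subdomain, an “@” before the host, plain http), and unwraps the two link-rewriting services shown on the page by decoding their “url=” and “u=” parameters. The Proofpoint decoding rule (“_” stands for “/”, “-XX” is a hex-encoded character) is inferred from the page's third example; the short suffix list and brand list are illustrative assumptions, and the Safe Links sample is a constructed, shortened copy of the page's second example. Nothing is fetched from the network.

```python
"""Dissect a URL the way the article walks through it, and peel off the
Safe Links / Proofpoint wrappers by decoding alone (no network access).
Example code added for this article, not the author's own tooling."""
import re
from urllib.parse import urlsplit, parse_qs

# Public suffixes where the registrable name is one label deeper than
# name.tld. Illustrative subset (assumption); a real tool would load the
# full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.ru", "com.au", "co.jp", "com.br"}
# Brand names to watch for outside the registrable domain (illustrative).
BRANDS = {"microsoft", "paypal", "apple", "yahoo", "cisco"}


def registrable_domain(host: str) -> str:
    """The 'read backwards from the first slash' rule, done properly."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def decode_proofpoint_v2(u: str) -> str:
    """urldefense v2 spells '/' as '_' and other reserved bytes as '-XX'
    (hex), as in the page's example: https-3A__host_path -> https://host/path"""
    return re.sub(r"-([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), u.replace("_", "/"))


def unwrap(url: str) -> list:
    """Peel off known wrappers; returns every hop, outermost first."""
    chain = [url]
    while True:
        parts = urlsplit(chain[-1])
        host = (parts.hostname or "").lower()
        qs = parse_qs(parts.query)
        if host.endswith(".safelinks.protection.outlook.com") and "url" in qs:
            chain.append(qs["url"][0])            # parse_qs percent-decodes it
        elif host == "urldefense.proofpoint.com" and "u" in qs:
            chain.append(decode_proofpoint_v2(qs["u"][0]))
        else:
            # A click tracker (e.g. sendgrid) redirects again server-side;
            # its final target is only visible by following it in a sandbox.
            return chain


def dissect(url: str) -> dict:
    """Split one link into the pieces the article tells you to read."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    subdomains = host[: len(host) - len(domain)].rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https: the connection is not encrypted")
    if parts.username is not None:          # https://brand.com@evil.example/
        warnings.append(f"'@' before the host: the browser ignores "
                        f"'{parts.username}' and connects to {host}")
    if re.search(r"[0-9-]", domain.split(".")[0]):
        warnings.append("digit or hyphen in the domain name: possible lookalike")
    if any(ord(c) > 127 for c in host):
        warnings.append("non-ASCII character in the host: possible homoglyph")
    for brand in sorted(BRANDS):
        if brand in subdomains.split(".") and brand not in domain.split("."):
            warnings.append(f"'{brand}' is only a subdomain; the real domain is {domain}")
    return {"scheme": parts.scheme, "host": host, "domain": domain,
            "subdomains": subdomains, "tld": domain.rsplit(".", 1)[-1],
            "path": parts.path, "query": parts.query, "warnings": warnings}


# Sample links: the first and third are the article's own examples; the
# second is a constructed, shortened Safe Links wrapper with the same
# structure as the article's second example; the last two are constructed.
SAMPLES = [
    "https://blueteamadvisors.com/articles/f/tech-cybersecurity-101-c-i-a-triad",
    "https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2F"
    "u1755800.ct.sendgrid.net%2Fls%2Fclick%3Fupn%3DOwiOQu2DAH0UMbwP2qusBq"
    "&data=05%7C01%7C%7Cexample&reserved=0",
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__thehackernews.com_2023_06_"
    "microsoft-2Dreleases-2Dupdates-2Dto-2Dpatch.html&d=DwMFaQ"
    "&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=hzpKskIRdhq1vo6rAB1niRWyy-5d1NG1851myuxqVIY"
    "&m=Ei55_j-vE52NtSUJPBpKOntDI3JuW2ojV_jLAG53aryGJtu9m9uQSQm2DPRyPuPF"
    "&s=3GOVXE-3G--rxYyb7meQioZWFd8JKBIzld1U0_hs0U&e=",
    "http://microsoft.com.evil.example/login",      # brand hidden in a subdomain
    "https://microsoft.com@c1sco.com/reset",        # '@' trick plus a digit lookalike
]

if __name__ == "__main__":
    for link in SAMPLES:
        hops = unwrap(link)
        info = dissect(hops[-1])
        print(f"{link[:70]}\n  hops: {len(hops)}  domain: {info['domain']}"
              f"  subdomains: '{info['subdomains']}'  path: {info['path']}")
        for w in info["warnings"]:
            print("  ! " + w)
```

Run it as a script and it prints, for each sample, how many wrapper hops were peeled, the domain that will actually be visited, the subdomains in front of it, the path, and any warnings. The Safe Links sample stops at sendgrid.net because the SendGrid click tracker redirects on the server side, which is exactly why a wrapped link cannot be fully read by eye.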

One caveat: you can't hover on a smartphone or tablet (e.g. iPad). In most mobile mail apps a long press (press and hold) on a link shows a preview of the destination URL without opening it, but the screen is small and the URL is often truncated, so the safer recommendation is not to click email links at all on a mobile device; open your browser and go to the site directly instead. Heightened due diligence is critical to protecting your mobile device and yourself. THIS IS CRITICAL due to the intimate nature of using a personal device: bad actors target you on your Android or iOS devices with exactly this in mind.

To summarize, using the first Wikipedia link below as the example:

1. https:// = the connection to the web page is encrypted (http:// is not). Neither one tells you whether the site itself is legitimate.

2. .wikipedia.org/ = you're going to a .org domain and the site is Wikipedia; “en” is a subdomain of wikipedia.org used to organize the different languages (English in this example).

3. wiki/ = directory

4. List_of_Internet_top-level_domains = the web page you will connect to

List of Internet Domains: https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains

Country code top-level domain: https://en.wikipedia.org/wiki/Country_code_top-level_domain

Would you like a sounding board about how you're using technology or the cybersecurity risks you may be facing? If so, feel free to reach out for a confidential, no-obligation conversation.

#blueteamadvisors #securityawareness #cybersecurity #phishing #criticalthinking

More articles by Rick Ataide, MBA