Suspicious Links? It’s All In The Period
We’re always telling people to avoid clicking on suspicious links, but the bad guys are making it harder to tell the difference between a legitimate URL and a suspicious one. We’re going to try to simplify it for you, and have you focus on the placement of a single punctuation mark in a link to tell if it might be safe or dangerous.
Let’s make up a fictional company that becomes a massive global retailer and multimedia company, as well as a household name. We’ll call our fake enterprise Flimflamazon.
Our totally made-up Flimflamazon has a million billion products and services, and users log in to buy and sell products, manage their payments, run advertising campaigns, customize their own personal Flimflamazon user profiles, watch Flimflamazon movies that were shot exclusively by Flimflamazon Studios, manage their Flimflamazon Web Hosting accounts, and Flimflamazon is proud to announce that patients can now log in to their Flimflamazon to receive telehealthcare from our licensed Flimflamazon doctors and nurses.
Our slogan is Flimflamazon; Everything is Here.
Because Flimflamazon has become the world’s most trusted online retailer, and one of the largest marketplaces and distributors of content, people generally trust it. Just like our ads say, before Flimflamazon, buying products online and consuming media was challenging.
As fun as this is, I think that’s enough world-building for this example. You get the idea. Flimflamazon is, much like companies such as Facebook, Amazon, and Google, huge, multi-faceted, and generally known and trusted by the public.
As with Facebook, Google, PayPal, and Amazon, Flimflamazon’s massive success means its users are constantly targeted by cybercriminals trying to trick them out of their money and sensitive information.
So Flimflamazon users get a lot of email from Flimflamazon. They get emails about products they should buy, account notifications, and receipts. They get emails about their transactions and the products they are trying to sell. They get offers and alerts and everything in between.
All a cybercriminal has to do is make an email look like a typical Flimflamazon email. They can steal the branding and do some technical spoofing to make the email look like it’s coming from one of the dozens of legitimate Flimflamazon email addresses.
They can then include links that look like they go to Flimflamazon, but actually lead the user to a similar looking URL that the cybercriminals purchased and control.
It only costs a few dollars and a little time to create a web page that looks legitimate. A cybercriminal could purchase Flinflamazon.com (notice the subtle spelling difference?) or Flimflamazoncustomerservice.com, or use a whole slew of other simple tricks to look like a legitimate company. It’s up to all of us to be aware of what to look for so we don’t get scammed.
The links that take you to scam pages exist to steal your information and money, and while the destination might look legitimate, once you go to the scam page of a phishing attack, it might already be too late to look for other potential warning signs.
While this is going to change a little from one application to another, typically you can see the destination of a link by hovering your mouse over it. Most email clients and web browsers will show you exactly where the link is going at the bottom of the window.
For instance, if you are reading this blog in Google Chrome, and you hover your mouse over this link, you will see that it is going to take you over to a YouTube video by looking at the very bottom left of your browser window. Most browsers and email clients like Outlook do the same thing.
While you still need to be on the lookout for misspellings and unofficial URLs, one easy way to identify a sketchy link is by looking for a period after the domain name of the website.
Flimflamazon.com is the domain name. When you are looking at a URL, there can be other stuff BEFORE a domain name. This is called a subdomain.
If I own Flimflamazon.com, and I want to make a subdomain, like “help.flimflamazon.com,” or “support.flimflamazon.com,” or “account.flimflamazon.com,” I can do that. Nobody else is able to create a subdomain without actually owning the rights to flimflamazon.com.
There can also be stuff in the URL after the domain name, after a forward slash (/) or question mark (?). This represents sub pages or variables on that site, but these elements typically cannot have periods in them. There is an exception, but we’ll cover that in a moment.
Flimflamazon.com could have millions of subpages, so anything after a forward slash is fair game.
If there is a period AFTER the domain name of the website you want to go to, then it might be a trap.
- https://www.flimflamazon.com/gp/help/customer/account-issues – This is safe, because there isn’t a period after the .com.
- https://support.flimflamazon.com/ – This is safe, because the extra period is before the company’s domain name (in this case, flimflamazon.com)
- https://support.account.flimflamazon.com/customer-support/password-reset – Again, this is safe because there are no periods after flimflamazon.com, regardless of how many subdomains (extra periods) are before it in the URL.
- https://support.flimflamazon.ru – Time to slow down. While Flimflamazon might legitimately have a .ru domain, not every business has every variation of domain extension (like .org, .net, .co, .co.uk, etc.). As soon as you get something you don’t expect, start to scrutinize even more. If a company owns their .com domain, they might not also own the .net, for example.
- https://flimflamazon.com.passwordservices.com/help/account-issues – This one is dangerous. This URL is technically taking you to a site called passwordservices.com. We just made that up for the example. Anyone could purchase that domain (or something similar) and spoof the URL to say Flimflamazon before the first period. It’s tricky because it’s easy to miss.
Let’s take a look at another example, using PayPal:
- paypal.com – Safe
- paypal.com/activatecard – Safe
- business.paypal.com – Safe
- business.paypal.com/retail – Safe
- paypal.com.activatecard.net – Suspicious!
- paypal.com.activatecard.net/secure – Suspicious!
- paypal.com/activatecard/tinyurl.com/retail – Suspicious!
Keep in mind, these URLs above may or may not be real; we’re just making them up for the sake of an example!
Some websites might have a period towards the end of the URL, ending with a file type. This might be something like .html, .htm, .asp, .php, and others.
Other files, like PDF files, documents, and images, will have their own extensions too, such as .pdf, .doc, .jpg, .gif, and .png.
While these files can generally be safe, it is possible that malware can be stored within a document or file. Going directly to one of these files can be especially dangerous if they happen to be malicious.
Most businesses won’t give you direct links to files like this without making sure you understand what you are doing. If Flimflamazon wanted you to download a PDF ebook, you would have a legitimate download button on a legitimate Flimflamazon.com page that links to the PDF, not a link or attachment in an email.
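The period rule and the file-type exception above, written out as a check you could run on a link. This is an added example, not part of the original post; it assumes you already know which domain the link should belong to, and checkLink and its verdict labels are made up for illustration.

```javascript
// Added example; the domains are the article's made-up names.
const PAGE_EXT = new Set(["html", "htm", "asp", "php"]);
const FILE_EXT = new Set(["pdf", "doc", "jpg", "gif", "png"]);

function checkLink(link, expectedDomain) {
  let url;
  try {
    // Links written without a scheme (as in the PayPal list) get https:// so they parse.
    url = new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(link) ? link : "https://" + link);
  } catch {
    return { verdict: "suspicious", reason: "not a parseable URL" };
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const expected = expectedDomain.toLowerCase();

  // Safe hosts are the domain itself or something ending in ".<domain>" (a subdomain).
  if (host !== expected && !host.endsWith("." + expected)) {
    const reason = host.includes(expected + ".")
      ? `period after ${expected}; the link really goes to ${host}`
      : `${host} is not ${expected} or one of its subdomains`;
    return { verdict: "suspicious", reason };
  }

  // After the slash, a period is only expected as a file type on the last segment.
  const segments = url.pathname.split("/").filter(Boolean);
  for (let i = 0; i < segments.length; i++) {
    if (!segments[i].includes(".")) continue;
    const ext = segments[i].split(".").pop().toLowerCase();
    const isLast = i === segments.length - 1;
    if (isLast && PAGE_EXT.has(ext)) continue;
    if (isLast && FILE_EXT.has(ext)) {
      return { verdict: "caution", reason: `direct link to a .${ext} file` };
    }
    return { verdict: "suspicious", reason: `period in "${segments[i]}" after the domain` };
  }
  return { verdict: "safe", reason: `${host} belongs to ${expected}` };
}

// Constructed sample run over links from the lists above.
for (const [link, domain] of [
  ["https://support.flimflamazon.com/", "flimflamazon.com"],
  ["https://flimflamazon.com.passwordservices.com/help/account-issues", "flimflamazon.com"],
  ["paypal.com/activatecard/tinyurl.com/retail", "paypal.com"],
]) {
  const { verdict, reason } = checkLink(link, domain);
  console.log(`${verdict.padEnd(10)} ${link}  (${reason})`);
}
```

A "safe" verdict only means the link stays on the domain you expected; misspelled lookalikes such as Flinflamazon.com come back "suspicious" only because they are compared against the real name.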
Be careful what you click on! Legitimate-looking emails can have dangerous links.
Hover over a link to carefully read where it is going to send you before you click on it. If there is a period after the domain, or there are misspellings or other oddities, be skeptical!
If you ever get an email from a reputable source telling you to log into your account to fix an urgent problem, don’t do so with the links in the email; log in the way you normally would.
We hope this helps! Share this blog post with your colleagues and friends to help make the web a safer place!