Hackers often use this clever trick to take you to phishing sites — can you spot it?

A hacker typing on a computer
(Image credit: Shutterstock)

In order to trick you into downloading malware or giving up your personal information, hackers use a number of different tricks to take you to phishing sites. However, one of them is almost impossible to spot if you don’t know what to look for.

Phishing sites are designed in such a way that they closely resemble the legitimate sites they’re trying to impersonate. From using company logos and language to flat out copying a site’s entire layout, phishing sites have come a long way when it comes to appearing legitimate.

To get you to click on one of these fake sites in the first place, hackers use social engineering and often try to instill a sense of urgency in their phishing emails. However, now that most people primarily use their smartphones to access the internet, they’ve also begun using text messages and chat apps to contact potential victims.

While you should never click on links contained in messages or emails from unknown senders, if a link appears legitimate at first glance, some users may click on it despite the fact that it isn’t the correct URL to begin with.

Hiding in plain sight

web URL displayed at angle on screen

(Image credit: Shutterstock)

The attack method I’m describing here is known as a homograph attack because letters and numbers that look alike are called homographs. 

In a blog post on the matter, Malwarebytes provides a few examples like the small Latin letter “o” and the Digit zero “0”. Years ago a hacker may have been able to trick someone into clicking on “g00gle.com” but now simple character swaps like this are easily detected.

These days, hackers are using international domain names to pull off this trick in a much more convincing manner. For instance, take a look at these two URLs and try to guess which one is the correct one:

  • www.citibank.com
  • www.citibɑnk.com

If you guessed the first one – you got it right. While these two versions of Citi Bank’s website appear to be quite similar at first, upon closer inspection you may notice that the letter “a” is the one thing that sets them apart. The difference here is that the first URL uses a small Latin “a” while the one below it uses a lowercase Cyrillic ‘a”.  

Hackers and other cybercriminals often register fake domains that are almost identical to a company’s real website, but with one look-alike character from a different language. Unlike typosquatting, where hackers prey on those who may have misspelt a site’s address by typing “www.amozon.com” instead of “www.amazon.com”, homograph attacks attract more potential victims as many people still click or tap on a link before checking the URL. 

How to stay safe from spoofed URLs

The easiest way to stay safe from these kinds of attacks is to avoid clicking on links when possible. Instead, you should put the name of a site or service you want to visit into a search engine and then scroll down to find a company’s official page since hackers are also now weaponizing ads to take users to fake sites. In fact, this problem has gotten so bad that even the FBI now recommends using an ad blocker.

At the same time, you should start taking a closer look at every link you click on. In Google Chrome, all you need to do is hover over a link and its URL will appear at the bottom left corner of your browser window. To inspect it closer though, you can also copy the web address from a link and paste it into a text editor like Microsoft Word.

Cybercrime is as booming of a business as it’s ever been which is why you should also install the best antivirus software onto your computer or even consider upgrading to one of the best internet security suites as most give you access to a password manager, VPN and other useful tools in addition to antivirus software.

Spotting spoofed URLs — especially those that use Cyrllic or other foreign alphabets — can be quite difficult but at least now you’re aware of one of the most popular tools in a hacker’s arsenal.

Read next: 200 malicious Android and iOS apps draining bank accounts — check your phone now

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

  • D8Mach
    I thought we learned this twenty years ago. If you get a email notification you open the browser and use the bookmark. You did save the site when creating the account? More recently I open the businesses app since they all seem to have one these days.