How to avoid email phishing

Phishing is, for instance, when an adversary attempts to trick you into visiting a URL which you believe leads somewhere other than where it actually leads. Surprisingly, a lot of these phishing attacks can be avoided by simply displaying the actual URL, or more specifically its domain, to your users, regardless of which anchor text the hyperlink contains. For instance, an adversary can create a hyperlink with the anchor text “paypal.com”, while the hyperlink actually leads to “somewhere-else.com”. Often, simply clicking such a link is a security risk.

However, in Sephia Five we have spent a lot of effort avoiding such security risks, and one of the things we have done is to show the actual domain for hyperlinks in emails, regardless of which anchor text the sender supplies. This simple feature lets you see which domain the link leads to, and hence significantly reduces the risk that you will click a malicious link. See the screenshot below for an example.

Not only do we display the domain, but we also emphasise it in bold letters. We could have shown the whole URL, but that would defeat the purpose, since the point is to show only the information necessary for the user to take the intelligent action. If we had shown the whole URL, the domain would often “drown” in tons of other garbage.

Since a significant number of phishing attacks start with an adversary sending you an email that leads to a phony domain, this significantly reduces the risk of you becoming the next victim of a phishing attack.

In the image above, the first hyperlink is a simple inline hyperlink, written simply as a URL, where we display the domain emphasised. The second hyperlink is a true anchor hyperlink, with the anchor text “Google”, where we append the domain after the anchor text in order to display it to the end user.
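The two rendering cases described above, as an added example that is not Sephia Five’s own code: a small function that takes a hyperlink’s href and anchor text and returns the HTML a mail client should display, with the real domain in bold (appended after a true anchor text, or emphasised in place for an inline URL). It assumes a WHATWG URL parser such as Node’s global URL, and the sample links at the end are constructed from the post’s own examples.

```javascript
// Added example (not Sephia Five's code): render an email hyperlink as its anchor
// text followed by the real destination domain in bold, as the post describes.
// Assumes a WHATWG URL parser (Node's global URL); output is HTML-escaped.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Lower-cased hostname of an http(s) href, or null if it is not such a URL.
function linkHost(href) {
  let u;
  try { u = new URL(href); } catch { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.hostname.toLowerCase();
}

// The host the anchor text *claims* to point at, when the text itself looks like
// a bare domain or URL (e.g. "paypal.com"); null for ordinary words like "Google".
function apparentHost(text) {
  const t = text.trim();
  if (/\s/.test(t) || !t.includes('.')) return null;
  return linkHost(/^https?:\/\//i.test(t) ? t : 'http://' + t);
}

// Returns { html, host, mismatch }: html is what the mail client should display,
// mismatch is true when the anchor text names a different domain than the href.
function annotateLink(href, text) {
  const host = linkHost(href);
  if (host === null) return { html: escapeHtml(text), host: null, mismatch: false };

  let html;
  const i = href.toLowerCase().indexOf(host);
  if (text.trim() === href.trim() && i >= 0) {
    // Inline URL written out as-is: just emphasise the domain inside it.
    html = escapeHtml(href.slice(0, i)) + '<b>' + escapeHtml(href.slice(i, i + host.length)) +
           '</b>' + escapeHtml(href.slice(i + host.length));
  } else {
    // True anchor: keep the sender's text, append the real domain after it.
    html = escapeHtml(text) + ' (<b>' + escapeHtml(host) + '</b>)';
  }

  const apparent = apparentHost(text);
  const mismatch = apparent !== null && apparent !== host;
  if (mismatch) html = '<span class="link-mismatch">' + html + '</span>';
  return { html, host, mismatch };
}

// Constructed sample links, taken from the post's own examples.
console.log(annotateLink('https://somewhere-else.com/login', 'paypal.com').html);
console.log(annotateLink('https://www.google.com/', 'Google').html);
```

The mismatch flag only catches anchor text that spells out a different domain than the href; a lookalike domain still relies on the reader actually reading the bold host.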

Such a simple trick could potentially reduce the success ratio of a phishing attack against your organisation by orders of magnitude, simply because users can often understand they’re about to become victims if you show them where they are being drawn towards. Basically, if the fish can see the hook, he won’t bite … 😉

Security starts out with simplicity; unless it’s simple, it’s not secure!
