How Masked Links Work in Phishing Emails
An email says "Click here to view your invoice" and the text shows www.yourbank.com, but clicking it takes you to a completely different site. This is the principle behind masked links, one of the most common and hardest-to-detect phishing techniques.
What is a masked link?
In HTML (the format most modern emails use), a link has two independent parts:
- The visible text: what you see on screen, for example www.secure-bank.com
- The destination URL: where it actually takes you, for example http://malicious-site.xyz/steal-data
An attacker can write any text as the link anchor. So what looks like a legitimate link to your bank, social network, or online store can lead to a page designed to steal your credentials.
Variants of deceptive links
1. Text that mimics a legitimate URL
The most straightforward case: the link text displays a trusted address, but the destination is different.
Visible text: https://www.paypal.com/account
Real target: https://paypa1-secure.xyz/login
2. URL shorteners
Services like bit.ly, tinyurl.com, or t.co completely hide the real destination. While they have legitimate uses, in an unsolicited email they're a red flag.
Visible text: Check your order
Real target: https://bit.ly/3xK9mZ2 (could be any site)
3. Homograph attacks (IDN)
This technique uses characters from other alphabets that look identical to Latin letters. For example, the Cyrillic letter "а" is visually identical to the Latin "a," but to the browser it's a completely different domain.
Legitimate: apple.com
Fake: аpple.com (the first "а" is Cyrillic)
Such domains are transmitted in "punycode" form (labels starting with xn--), but browsers and email clients often display them decoded, hiding the difference.
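The following is an added example (not code from the article or from BrisaMail) showing the two checks this section implies: converting a domain to its punycode wire form so the xn-- label becomes visible, and detecting labels that mix scripts. The fake domain is constructed here with U+0430 (Cyrillic small letter a); the script of each letter is taken from the first word of its Unicode character name, which is an approximation good enough for the Latin/Cyrillic/Greek cases the article mentions.

```python
import unicodedata

# Constructed samples: the fake domain uses U+0430 (Cyrillic small letter a)
# in place of the Latin "a", exactly as in the article's apple.com example.
LEGITIMATE = "apple.com"
FAKE = "\u0430pple.com"


def to_punycode(domain: str) -> str:
    """Wire form of a domain: every label with non-ASCII characters is
    encoded by Python's IDNA codec and comes back with an xn-- prefix."""
    return domain.encode("idna").decode("ascii")


def from_punycode(domain: str) -> str:
    """Reverse of to_punycode: the decoded form a mail client may display."""
    return domain.encode("ascii").decode("idna")


def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of one label, e.g. {'Latin', 'Cyrillic'}.
    Approximation: the script is the first word of the character's Unicode name."""
    return {unicodedata.name(ch).split()[0].title() for ch in label if ch.isalpha()}


def mixed_script_labels(domain: str) -> list:
    """Labels that mix scripts (Cyrillic + Latin, Greek + Latin, ...)."""
    return [label for label in domain.split(".") if len(scripts_in(label)) > 1]


def inspect_domain(domain: str) -> dict:
    """What a client should know before rendering the domain to the user.
    Accepts either the decoded form or the xn-- wire form."""
    display = from_punycode(domain) if domain.isascii() else domain
    wire = to_punycode(display)
    return {
        "display": display,
        "wire": wire,
        "has_punycode": any(label.startswith("xn--") for label in wire.split(".")),
        "mixed_script_labels": mixed_script_labels(display),
    }


if __name__ == "__main__":
    for d in (LEGITIMATE, FAKE):
        print(inspect_domain(d))
```

Run stand-alone it prints both domains side by side; the fake one shows `xn--pple-43d.com` as its wire form and reports the first label as mixed-script, which is the cue a client should surface instead of silently rendering the decoded name.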
4. IP-based URLs
Instead of a domain name, the link points directly to a numeric IP address. Legitimate sites almost never do this.
Target: http://192.168.45.12/login
How to verify a link manually
- Hover over the link without clicking. Most email clients show the real URL in the status bar or a tooltip.
- Compare the domains: the domain in the visible text should match the domain in the destination URL.
- Look for suspicious signs: subtle typos in the domain, long subdomains (e.g., login.bank.attacker-site.com), or an IP address instead of a domain.
- Don't blindly trust HTTPS: a lock icon in the browser only means the connection is encrypted, not that the site is legitimate. Attackers also use SSL certificates.
How BrisaMail handles it
BrisaMail analyzes every link within the message body and applies multiple detection layers:
- Deceptive links: when the visible text shows a different domain than the actual destination, BrisaMail flags the link as dangerous and displays both domains so you can compare.
- Homograph attacks: detects domains with punycode encoding (xn--) and mixed scripts (Cyrillic + Latin, Greek + Latin), alerting you to possible impersonation.
- URL shorteners: identifies the most common shortening services and notifies you that the real destination is hidden.
- IP-based URLs: flags links that point to direct IP addresses instead of legitimate domains.
- Sender mismatch: detects when the reply-to address (Reply-To) points to a different domain than the sender's, a technique used to intercept your responses.
When BrisaMail detects any of these situations, it shows a warning dialog before opening the link, allowing you to see the actual destination URL and make an informed decision.
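As an added example (not BrisaMail's code, whose internals the article does not show), here is a standard-library Python analyzer that runs the manual checklist above and the detection layers just listed over a constructed HTML message: it extracts every anchor's visible text and href (the two independent parts from the first section), flags visible-URL/destination domain mismatches, IP hosts, the shortener services the article names, punycode labels, deep subdomains, and a Reply-To domain that differs from the sender's. The sample message, the shortener set and the four-label threshold for "long subdomains" are assumptions made for this example; the two-label "registrable domain" helper is a simplification that a real client would replace with the Public Suffix List.

```python
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example (not a real email). It carries one
# link of each kind discussed in the article plus a Reply-To on another domain.
SAMPLE_EMAIL = """\
From: billing@example-bank.com
Reply-To: support@mailbox-collector.example
To: customer@example.org
Subject: Your invoice
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer,</p>
<a href="https://paypa1-secure.xyz/login">https://www.paypal.com/account</a><br>
<a href="https://bit.ly/3xK9mZ2">Check your order</a><br>
<a href="http://192.168.45.12/login">Sign in</a><br>
<a href="https://login.bank.attacker-site.com/">https://login.bank.attacker-site.com/</a><br>
<a href="https://www.example-bank.com/help">Help center</a>
</body></html>
"""

# The shortening services named in the article; a real client keeps a longer list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Assumed threshold: hosts with this many labels or more are reported as deep subdomains.
DEEP_SUBDOMAIN_LABELS = 4


class AnchorCollector(HTMLParser):
    """Collects (visible_text, href) pairs: the two independent parts of an HTML link."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text):
    """Hostname of a URL; bare 'www.example.com'-style text is accepted too."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").rstrip(".")


def registrable_domain(host):
    """Last two labels of a host (simplification; use the Public Suffix List in practice)."""
    return ".".join(host.lower().split(".")[-2:])


def looks_like_url(text):
    """True when the visible anchor text is presented to the user as an address."""
    return re.match(r"(https?://|www\.)", text, re.IGNORECASE) is not None


def analyze_link(text, href):
    """Warnings raised for one anchor by the rules the article describes."""
    warnings = []
    host = host_of(href)
    if not host:
        return warnings
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        warnings.append("ip-address-host")   # numeric IP instead of a domain name
    if host in SHORTENERS:
        warnings.append("url-shortener")     # real destination is hidden
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-domain")   # possible homograph, show the xn-- form
    if not is_ip and host.count(".") + 1 >= DEEP_SUBDOMAIN_LABELS:
        warnings.append("deep-subdomain")    # e.g. login.bank.attacker-site.com
    if looks_like_url(text) and registrable_domain(host_of(text)) != registrable_domain(host):
        warnings.append("deceptive-link")    # shown domain differs from the real target
    return warnings


def analyze_message(raw):
    """Parse an RFC 5322 message, check every link in the HTML body and the Reply-To."""
    msg = email.message_from_string(raw, policy=policy.default)
    collector = AnchorCollector()
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector.feed(html_part.get_content())
    sender_domain = registrable_domain(msg["From"].addresses[0].domain)
    reply_to = msg["Reply-To"]
    reply_domain = registrable_domain(reply_to.addresses[0].domain) if reply_to else sender_domain
    return {
        "links": {href: analyze_link(text, href) for text, href in collector.links},
        "reply_to_mismatch": reply_domain != sender_domain,
    }


if __name__ == "__main__":
    for href, warnings in analyze_message(SAMPLE_EMAIL)["links"].items():
        print(f"{href}: {warnings or 'ok'}")
```

Each warning in the result is one item a client can put in the confirmation dialog the article describes, next to the real destination URL; the `deceptive-link` rule only fires when the visible text itself looks like an address, because "Check your order" pointing at a different domain is normal while "https://www.paypal.com/account" pointing elsewhere is not.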
Conclusion
Masked links exploit a fundamental weakness of HTML email: the separation between what you see and where it takes you. Training your eye to spot inconsistencies is important, but having an email client that analyzes links for you adds a layer of protection that can save you from a bad experience.