It’s a tale as old as the internet: phishing scams evolve, and we do our best to stay ahead. But there’s a twist that continues to baffle users and, surprisingly, even some security professionals—a tiny, unassuming symbol lurking in URLs: the “@” sign. According to insights shared by the SANS Internet Storm Center, this symbol is being used in clever new ways to trick even the savviest among us. While everyone knows to scrutinize suspicious emails and funky domains, the @ sign has found a way to reintroduce itself as the star of a new phishing tactic. What’s worse? Most security awareness courses don’t even touch on this.
And here we are, scratching our heads, thinking, “Wait, that thing? Really?” Yes, really. It turns out that this symbol, typically associated with usernames in email addresses, can play a pretty convincing trick on even seasoned internet users.
But before we start pointing fingers at security training programs for their omissions, let’s break down how this little symbol is being misused and what we can do to outsmart those phishing tricksters.
How the @ Sign Sneaks Into Phishing Links
First, let’s get a bit nerdy for a second. According to the RFC 3986 specification (which sounds more exciting than it is), the @ sign separates an optional “userinfo” component from the host in a URI. That means a username can come before the host in a web address. So, a legitimate URL could look something like:
https://[email protected]
Harmless, right? You might have used this decades ago for FTP logins, or maybe you’ve seen it when accessing certain secure networks. But now, bad actors are repurposing it for more nefarious purposes.
Picture this: you’re glancing at an email link that appears to be a login page for Facebook, and it looks like this:
hxxps://facebook.com+login%3Dsecure+settings%[email protected]
Everything before the @ symbol might give the illusion you’re going to Facebook, but the real destination is the host that comes after the @ sign. In this case, it’s taking you to 123.456.789.0, which is, let’s face it, not where your social media account lives.
Why Security Awareness Programs Don’t Cover It (and Maybe Shouldn’t)
Now, here’s the kicker. This @ sign trick isn’t new. In fact, it’s been around for quite some time, but it ebbs and flows in popularity. According to the SANS Internet Storm Center (yes, that’s the folks who know all the ins and outs of these phishing schemes), the technique pops up from time to time, but it’s rarely covered in security awareness courses.
Wait, what? Why wouldn’t something so clearly devious make it into every company’s mandatory security training?
Here’s the thing: security awareness programs often have to fit a LOT of content into a tiny window. Whether it’s a 30-minute onboarding session or an annual training course, the curriculum needs to prioritize the most common threats. Think about it like this—security professionals are constantly battling to distill decades of evolving threat landscapes into digestible chunks for non-technical employees. It’s like trying to teach someone the rules of chess in 10 minutes while they’re still figuring out the difference between the pieces.
Would you prioritize obscure tricks like the @ sign, or focus on basic red flags that apply across all phishing methods? Exactly.
But Less Is More, Right?
When it comes to security awareness training, cramming every single trick into a one-hour course can actually overwhelm employees. The whole “less is more” strategy makes a lot of sense here. Instead of teaching users how to catch every potential scam (an impossible feat), most courses focus on broader phishing tactics that are easier to spot and apply to a wider range of attacks.
In this case, if you teach someone how to break down a URL by identifying the domain from right to left—reading the host name that follows the “http://” or “https://” (and any @ sign) from its last label backwards—they’ll be better equipped to spot shady links, regardless of whether the @ sign is involved. For example:
https://isc.sans.edu.untrustednetwork.net/random
In this link, the real domain is untrustednetwork.net, not isc.sans.edu. The same concept applies to phishing links using the @ sign. The real destination is the host that follows the @, so if users learn to identify that, they’ll be in much better shape overall.
Why the @ Sign Trick Persists
So, why does this technique still work? Part of the problem is that it plays into our assumptions. Most people just aren’t looking for it. We’re trained to spot strange characters like numbers and weird extensions in URLs, but something as benign as an @ sign often goes unnoticed. And because it’s such an old and rarely used feature, many of us have forgotten it was even there to begin with!
Phishers love to take advantage of gaps in knowledge. If they can create a URL that looks almost right, they’re banking on people skimming over it. It’s the same trick as adding a subtle typo in the domain name or replacing letters with similar-looking numbers (think go0gle.com vs. google.com).
The Case for More Phishing Awareness (and Maybe Fewer Tricks)
While we could argue that security awareness programs should include more advanced phishing techniques like the @ sign, there’s also something to be said for focusing on the fundamentals. Phishing relies on creating a sense of urgency, fear, or confusion. When people feel pressured to act quickly—“Click this link now to avoid losing your account!”—they’re less likely to scrutinize the details.
So, instead of packing every obscure phishing technique into a single awareness session, maybe the real focus should be on encouraging users to slow down and think. Even if you don’t know about every trick in the book, taking a minute to double-check a link before clicking on it can save you a lot of grief.
FAQs
What’s the deal with the @ sign in phishing links?
The @ sign is part of a URL format that can specify “userinfo” before the domain name. Phishers use this trick to make a URL appear legitimate at first glance, but the actual destination is hidden after the @ sign.
How can I spot phishing links that use the @ sign?
Look at the full URL, and remember that the real domain is what comes after the @ symbol and before the next slash. Everything before the @ can be manipulated to look like a trustworthy site.
Why don’t security awareness programs cover this trick?
Security awareness programs focus on the most common phishing techniques due to time constraints. Covering every possible trick could overwhelm users and diminish the effectiveness of the training.
Can this tactic be prevented with security software?
While some security tools can flag suspicious URLs, the best defense is user awareness. Double-checking URLs and knowing how to identify the real domain are key to staying safe.
Should I be worried about this?
It’s a good idea to be aware of the @ sign trick, but don’t lose sleep over it. If you’re in the habit of scrutinizing URLs and following basic security practices, you’ll likely catch this technique before it catches you.
Wrapping It Up: Don’t Let the @ Sign Fool You
Phishing tactics are constantly evolving, but they all rely on one thing: tricking you into acting without thinking. The @ sign trick is just one of many ways attackers try to make their malicious links look legitimate. The key takeaway here? Slow down. Check the URL. And, if something smells phishy, trust your instincts.
But hey, if you’re a security trainer reading this—maybe consider sprinkling this one into your next newsletter or quiz. You never know when that tiny symbol might come back into vogue.
Call to Action: Have you ever fallen for a phishing scam or noticed an unusual phishing attempt? Drop a comment below and share your story! And don’t forget to subscribe to Guardians of Cyber for more cybersecurity tips and insights.