Very true with respect to below,

A URL could be malformed where URL re-direction parameter exists or shorten the URL and share it on Social Media saying "To Login to - X - application click here" or anything which makes them to use that URL. Create a spoof page which looks like GUI of the original application and now do whatever you want like stealing the credentials.