A URL Is Not an Address - It Is an Instruction Set
Most phishing attacks begin with a single action: clicking a fraudulent URL. Whether you fall victim often comes down to whether you can distinguish a legitimate link from a fake one before you click.
A URL is not just a string of characters - it is a structured instruction to your browser. It specifies which protocol to use, which server to contact, and which resource to request. Understanding this structure gives you a powerful advantage in spotting phishing sites before they can do any damage.
URL Anatomy - Why Reading the Domain Correctly Is Everything
The basic structure of a URL is as follows:
https://sub.example.com:443/path/page?query=value#fragment
- Scheme (https://): The communication protocol. HTTPS means encrypted communication
- Subdomain (sub): An auxiliary name prepended to the domain
- Domain (example.com): The core identifier that determines which server you connect to
- Port (:443): Usually omitted (HTTPS defaults to 443, HTTP to 80)
- Path (/path/page): The location of a specific resource on the server
- Query (?query=value): Parameters passed to the server
- Fragment (#fragment): A specific position within the page
The single most important skill for detecting phishing URLs is reading the domain correctly. Domains are read right to left. In example.com, you first identify .com (the top-level domain), then example (the second-level domain). This right-to-left reading habit is the key to defeating attacker tricks.
Subdomain Spoofing - The Most Common Trick
The technique attackers use most frequently is embedding a legitimate domain name as a subdomain of a malicious domain.
- amazon.co.jp.evil-site.com - actual destination: evil-site.com
- login.google.com.attacker.net - actual destination: attacker.net
- www.paypal.com.secure-login.xyz - actual destination: secure-login.xyz
If you read domains right to left, these tricks become immediately obvious. Take amazon.co.jp.evil-site.com: reading from the right, the TLD is .com and the second-level domain is evil-site. The amazon.co.jp portion is merely a subdomain and has no bearing on where you actually connect.
The Quick Test
Check whether a forward slash (/) immediately follows the legitimate domain. amazon.co.jp/ is genuine, but amazon.co.jp. followed by more domain components signals subdomain spoofing.
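The right-to-left reading and the quick test above, written as a small checker. This is an added example, not code from the original article; the public-suffix list and the allow-list of legitimate domains are constructed for the demo (a real tool would load the full Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed mini public-suffix list for this example; a real checker would
# load the full Public Suffix List from publicsuffix.org instead.
PUBLIC_SUFFIXES = {"co.jp", "jp", "co.uk", "com", "net", "org", "xyz"}

# Assumed allow-list of domains the user considers legitimate.
LEGITIMATE_DOMAINS = {"amazon.co.jp", "google.com", "paypal.com"}

def registrable_domain(host):
    """Read the host right to left: match the public suffix first (longest
    match wins, so 'co.jp' beats 'jp'), then take exactly one more label."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-n - 1:])
    return host.lower()

def check_url(url):
    """Return (actual_domain, spoofed_brand). spoofed_brand is None unless a
    legitimate domain appears as a subdomain of some other domain."""
    host = (urlsplit(url).hostname or "").lower()
    actual = registrable_domain(host)
    if actual in LEGITIMATE_DOMAINS:
        return actual, None          # this really is the brand's site
    # Subdomain spoofing: the brand's domain is followed by '.' and more
    # labels instead of '/', so it is only a subdomain of 'actual'.
    for brand in LEGITIMATE_DOMAINS:
        if f".{brand}." in f".{host}.":
            return actual, brand
    return actual, None
```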
Homograph Attacks - Visually Identical, Completely Different
Homograph attacks exploit characters from different scripts that look identical or nearly identical to forge domain names. They abuse the Internationalized Domain Name (IDN) system.
| Legitimate | Spoofed | Character Used |
|---|---|---|
| apple.com | аpple.com | Leading "а" is Cyrillic (U+0430) |
| google.com | ɡoogle.com | Leading "ɡ" is Latin Small Letter Script G (U+0261) |
| paypal.com | pаypal.com | Second character "а" is Cyrillic |
These are virtually impossible to distinguish with the naked eye. Modern browsers (Chrome, Firefox, Safari) counter this by displaying domains that mix multiple scripts in Punycode - an ASCII representation starting with xn--. If you see xn-- in your address bar, treat it as a potential homograph attack.
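The table above, checked programmatically: an added example (not from the original article) that flags hostname labels containing non-ASCII or mixed-script characters and shows the xn-- form a browser would display. It relies only on Python's standard library; the idna codec used here implements IDNA 2003, which is enough to produce the Punycode form.

```python
import unicodedata
from urllib.parse import urlsplit

def label_scripts(label):
    """Return the set of scripts used in one hostname label, taken from the
    Unicode character names (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            scripts.add("LATIN")  # letters, digits and '-' of a plain hostname
        else:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts

def inspect_hostname(url):
    """Flag labels that contain non-ASCII characters and report which scripts
    they mix; also return the Punycode (xn--) form of the whole hostname."""
    host = urlsplit(url).hostname or ""
    # The idna codec converts every non-ASCII label to its xn-- form.
    ascii_form = host.encode("idna").decode("ascii")
    flagged = []
    for label in host.split("."):
        if not label.isascii():
            flagged.append((label, sorted(label_scripts(label))))
    return {"host": host, "ascii_form": ascii_form, "flagged": flagged}
```

A hostname whose ascii_form starts with xn-- while it looked like a familiar brand is exactly the case the browser's Punycode display is meant to expose.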
Shortened URLs and QR Code Risks
Shortened URLs
URL shortening services like bit.ly, t.co, and tinyurl.com hide the actual destination. A link like bit.ly/3xYz123 could point to a legitimate site or a phishing page - you cannot tell until you click.
To mitigate this, use URL expansion services (CheckShortURL, Unshorten.It) to preview the real destination before clicking. Many shortening services also support a preview mode by appending + to the URL (e.g., bit.ly/3xYz123+).
QR Codes
QR codes carry the same risk as shortened URLs - you cannot see the destination until you scan. "QR code jacking," where an attacker pastes a malicious QR code over a legitimate one in a public space, has been documented in the wild.
Smartphone QR code readers typically preview the URL before opening it in the browser. Make it a habit to inspect the URL before proceeding.
A Practical Safety Checklist
When you receive a suspicious link, follow these steps before clicking.
- Hover before you click: On desktop, hover your mouse over the link without clicking. The actual URL appears in the bottom-left corner of your browser
- Read the domain right to left: Identify the TLD first, then the second-level domain. Confirm it matches the legitimate site
- Check for HTTPS: Verify the link uses HTTPS. However, HTTPS only means the connection is encrypted - it does not guarantee the site is legitimate. Phishing sites routinely obtain free SSL certificates from Let's Encrypt
- Expand shortened URLs: Use an expansion service to reveal the true destination before visiting
- Navigate directly: Instead of clicking links in emails or messages, type the known URL directly into your browser's address bar or use a bookmark. This is the most reliable method
This is also a fundamental principle of safe online shopping: the more urgently a message pressures you to act, the more carefully you should scrutinize it. "Your account will be suspended," "Respond within 24 hours" - these urgency tactics are hallmarks of phishing.
You can also verify your current connection security and check whether your IP address is exposed by visiting IP確認さん, which provides an instant security score along with DNS leak testing and browser fingerprint analysis.