Phishing & Social Engineering

Recognizing a phishing link

Techniques for detecting fraudulent URLs that mimic legitimate websites.

1 Introduction

Phishing is the most widespread attack technique on the Internet. The concept is simple: you receive a link that looks like a trusted website (your bank, PayPal, Amazon...) but actually leads to a fraudulent copy designed to steal your credentials.

Think of it like receiving a letter with your bank's logo asking you to go to a fake address. The letter looks official, the logo is perfect, but the address leads you to a scammer. On the Internet, the address is the URL link, and learning to decode it is your best protection.

Key statistics

91% of cyberattacks start with a phishing email
1.2M active phishing sites worldwide on average
36% of data breaches involve phishing

2 How It Works


Anatomy of a URL

To spot a phishing link, you first need to understand the structure of a URL:

https://www.mybank.com/account/login?redirect=home

Protocol

https:// means the connection is encrypted (but does NOT guarantee that the site is legitimate)

Domain (the critical part)

This is WHERE you need to focus your attention. Everything else can be deceptive.

Path

The specific page on the site. Attackers often put reassuring words here like "secure" or "verify".

Parameters

Additional data. May contain your email address to pre-fill the fake login form.

Concrete phishing link examples

https://paypal-verification.secure-update.com/login

The real domain is secure-update.com, not PayPal. "paypal-verification" is just a deceptive subdomain chosen to contain the word "paypal".

https://192.168.45.12/chase-bank/login

An IP address instead of a domain name. No legitimate bank will ever send you to a raw IP address.

https://bit.ly/3xK9mQz

A URL shortener completely hides the real destination. Never click on a shortened link in a suspicious email.

https://www.apple.com/id/verify

Can you spot the difference? The "l" is actually a special Unicode character that looks identical to the Latin "l". This is a homoglyph attack.

3 Detailed Analysis

The golden rule: identify the real domain

The real domain of a URL is always located just before the first single slash (/) after the protocol. More precisely, it is the last name before the top-level domain (.com, .org, etc.) together with that top-level domain; everything to the left of it is a subdomain the site owner can set to anything.

https://login.mybank.com/account

Real domain: mybank.com -- Legitimate

https://mybank.com.secure-login.net/verify

Real domain: secure-login.net -- PHISHING! "mybank.com" is a deceptive subdomain

Homoglyph attacks

Homoglyphs are characters from different alphabets that look visually identical. For example, the Cyrillic "a" (а) looks the same as the Latin "a", but they are two completely different characters to a computer.

Latin character   Homoglyph   Alphabet
a                 а           Cyrillic
e                 е           Cyrillic
o                 ο           Greek
p                 р           Cyrillic

Modern browsers display the Punycode name (xn--...) when a domain mixes alphabets, which helps detect these attacks. But not all software does this.

The HTTPS padlock trap

Many people believe that a site with the HTTPS padlock is automatically safe. This is false. The padlock only means the connection between you and the site is encrypted. But if the site belongs to a scammer, you are sending your data encrypted... directly to the scammer. Today, more than 80% of phishing sites use HTTPS. The padlock does not protect against phishing.

Try it on mlab.sh

Paste a suspicious URL to check the domain's registration age, DNS records, and SSL certificate. Identify phishing indicators before clicking any link.


4 Red Flags

Here are the warning signs to spot a phishing link:

Misspelled domain

paypa1.com, arnazon.com, gogle.com: any misspelling in a known domain is a sign of phishing.

Abnormally long URL

Phishing links are often very long, with multiple subdomains and parameters, so that the real domain is pushed out of the visible area of the address bar.

IP address instead of a domain

A link like https://185.23.45.67/login is almost always malicious. Real services use domain names, not raw IP addresses.

URL shortener

bit.ly, tinyurl.com, or t.co links in a supposedly official email are suspicious. A bank uses its own domain.

Artificial urgency

"Your account will be deleted in 24 hours", "Immediate action required": urgency is designed to prevent you from verifying the link before clicking.

Link text does not match destination

The displayed text says "www.mybank.com" but the actual link (visible on hover) points to a different domain. Always hover over a link before clicking.
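As an added example (not code from this page or from the mlab.sh analyzer), the following Python applies the checks above: it extracts the real domain as in the golden rule, and flags raw IP hosts, shorteners, hosts mixing alphabets (homoglyphs), Punycode labels, brand names placed outside the real domain, and long subdomain chains. The suffix, shortener and brand lists are constructed placeholders; the domain extraction also handles two-label suffixes such as co.uk, which the "last group before the extension" rule alone does not cover.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately small lists for this example. A production checker
# would use the full Public Suffix List and a maintained list of shorteners.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
KNOWN_BRANDS = ("paypal", "amazon", "apple", "google", "mybank")


def registrable_domain(host: str) -> str:
    """The part of the host a reader must judge: the label just before the
    top-level domain plus the TLD (three labels for suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def host_scripts(host: str) -> set[str]:
    """Unicode scripts of the letters in the host, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in host if ch.isalpha()}


def analyze(url: str) -> list[str]:
    """Return the red flags from the article that apply to this URL ([] if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        return ["ip-address host"]  # raw IP: there is no domain to judge
    except ValueError:
        pass
    flags = []
    domain = registrable_domain(host)
    if domain in SHORTENERS:
        flags.append("url shortener")
    if len(host_scripts(host)) > 1:
        flags.append("mixed-script host (possible homoglyph)")
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode label")
    # Everything left of the real domain is subdomain text the site owner controls.
    subdomains = host[: len(host) - len(domain)].rstrip(".")
    for brand in KNOWN_BRANDS:
        if brand not in domain and (brand in subdomains or brand in parts.path.lower()):
            flags.append(f"brand '{brand}' outside the real domain {domain}")
    if host.count(".") >= 4:
        flags.append("many subdomains (real domain pushed out of view)")
    return flags
```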
