How to spot a fake phishing website address

We discuss how scammers can mask web addresses to make them appear legitimate, and how you can see past their tricks to spot the fakes.

Phishing scams will usually lure a victim into clicking a link that leads to a spoof website intent on stealing any data entered into it.

But how do you know if a website is legitimate, or an imposter? One of the methods we always recommend before entering any information into a website is to check the web address (URL) at the top to see what website domain you are on. (For example, Facebook is hosted on the Facebook.com domain.)

Sometimes this can be easy. If you’re on what appears to be the Facebook login page, and the web address at the top says www.rbdrirect.ru/login, then you can be extremely confident that’s a scam, since you’re not on the Facebook.com domain.

But it’s not always so easy because scammers have become quite good at masking web addresses to make them appear legitimate.

However, they cannot duplicate a real web address exactly. There will always be tell-tale signs. The best way to spot the fakes is to learn the basic components that make up a web address in order to determine what web domain you’re really on.


A web address and web domain

The start of a web address (after the HTTPS protocol and optional WWW. prefix) will comprise words separated by full stops (periods). These are the domains. There will be at least two domains, but there can be more. Let’s start simple.

Facebook.com

The .com is called a TLD, or top level domain. It can be other things too, such as .co.uk, .co.nz, .co.au, .net, .gov, .org, .gov.uk, .info and many more. The TLD will be the last domain in the web address (i.e. furthest to the right).

The Facebook part is called the SLD, or second level domain. The SLD is directly left of the TLD.

The web domain is generally considered the SLD plus the TLD, so in this case, Facebook.com.

This means that to check which web domain you’re on, you find the TLD in the web address and combine it with the domain directly to its left (the SLD). Remember, all domains are separated by full stops (periods).

And then we have subdomains. Subdomains appear left of the SLD, and again are separated by full stops (periods). They can be almost anything the owner of the web domain wants, and there can be multiple subdomains one after another.

Unlike a web domain (SLD+TLD), subdomains don’t have to be unique. This means a web domain owner can set a subdomain to anything they like, for example Facebook or Google. On our web domain thatsnonsense.com, for instance, we could set a subdomain called Facebook, and the address would be –

facebook.thatsnonsense.com

That’s a subdomain, followed by second-level-domain, followed by top-level-domain.

Let’s take a look at the real web address of the Wikipedia page discussing, aptly, Second Level Domains.

en.wikipedia.org/wiki/Second-level_domain

The TLD is .org.
The SLD is wikipedia.
As such, the web domain is wikipedia.org.
Anything to the left of the SLD is a subdomain. In this case that’s en. (Wikipedia uses subdomains for different languages.)

Once you reach the first / (forward slash) symbol, the domains are over and the web address is now referring to specific webpages and folders (directories) on the web domain.


Spotting a phishing web address

Now we know the basics of a web address (URL), let’s look at a real-life phishing scam.

Take, for example, a recent phishing web address we came across that masquerades as the Australian Tax Office (ATO), whose official website is www.ato.gov.au.

ato.gov.au.loginservices.info/index.html

What web domain is this hosted on?

It can be difficult to spot for an untrained eye since there appear to be multiple TLDs in the web address, but the real TLD will always be last (i.e. furthest on the right), just before the webpages and web folders (which are separated with the / forward slash symbol).

In this case, the TLD will be .info.
And the SLD will consequently be loginservices.
As such, the web domain (SLD+TLD) will be loginservices.info.
Loginservices.info has nothing to do with the Australian Tax Office. It’s a scam website.

You can see they’ve set their subdomains up to mimic the genuine ato.gov.au website. Don’t be fooled by this trick.


Let’s look at another example.

Imagine a text message or email apparently from Apple asks you to click a link to verify your identity, and the web address you land on is…

apple.com.verifyidentity.net/AppleVerifyIdentity/Services/index

We know the official web domain and website for Apple is apple.com. Is the web address above on the apple.com domain?

Hopefully you can tell that it is not. The TLD – the furthest domain to the right – is .net.
Meaning the SLD is verifyidentity. And the web domain is verifyidentity.net.
While this may sound official, it can be owned by anyone, including cybercrooks.

The apple.com. section is made up of subdomains, set by the owner of the verifyidentity.net web domain. Just because those subdomains read apple.com, it does not mean that this website is connected with Apple the company.

We don’t recommend clicking links in text messages, emails or chat messages since links can take you anywhere. But if you do click on a link and land on a web address, always take the time to properly evaluate this address, and don’t just skim the address for keywords. Always take the time to identify the TLD and the SLD so you can determine the actual web domain you’re on, and if you’re ever unsure, always click away.
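
The right-to-left check described above, written out in Python as an added example (it is not part of the original article). The function names and the short list of two-part endings are assumptions made for illustration; the list is a constructed sample, not a complete one.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a few two-part endings such as those the article lists.
# A real check would load the full Public Suffix List instead.
TWO_PART_TLDS = {"co.uk", "co.nz", "gov.uk", "gov.au"}


def web_domain(address: str) -> str:
    """Return the web domain (SLD + TLD) an address is really hosted on."""
    # urlsplit only finds the host when the address starts with a scheme or //.
    if not re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", address):
        address = "//" + address.lstrip("/")
    host = (urlsplit(address).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2 or "" in labels:
        raise ValueError(f"no web domain found in {address!r}")
    # Read from the right: the TLD is last, the SLD sits directly to its left.
    keep = 2
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_TLDS:
        keep = 3  # e.g. ato + gov.au
    return ".".join(labels[-keep:])


def is_on_domain(address: str, expected: str) -> bool:
    """True only when the address is hosted on the expected web domain."""
    return web_domain(address) == expected.lower()


if __name__ == "__main__":
    for url in (
        "https://www.ato.gov.au/",
        "ato.gov.au.loginservices.info/index.html",
        "apple.com.verifyidentity.net/AppleVerifyIdentity/Services/index",
        "en.wikipedia.org/wiki/Second-level_domain",
    ):
        print(f"{url} -> {web_domain(url)}")
```

Everything after the first / is ignored, and keywords in the subdomains have no effect on the result, which is why the two scam addresses resolve to loginservices.info and verifyidentity.net.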

Remember, having good security software installed can also be a great way of detecting phishing websites. You can see our recommended security software here.

Published by Craig Haley