Detecting Phishing URLs: Indicators and Techniques
Phishing URLs are designed to look legitimate while leading victims to fake pages. The tricks range from simple typosquatting (paypa1.com) to sophisticated homoglyph attacks using look-alike Unicode characters. Breaking down a suspicious URL into its components, checking the actual registered domain, and analyzing the path and parameters reveals the deception.
Try it now
URL Analyzer
Runs in your browser, nothing leaves your device.
Typosquatting: registering misspelled versions of popular domains (gooogle.com, amazom.com). Subdomain abuse: using the target brand as a subdomain of an unrelated domain (paypal.login.evil.com, where evil.com is the actual domain). URL shorteners hiding the destination. Long URLs with the real domain buried after many subdirectories. Homoglyph attacks using Cyrillic or Greek characters that look identical to Latin letters.
Extract the registered domain (the domain + TLD, ignoring subdomains). Check if it matches the expected brand. Look for Unicode characters that shouldn't be in a domain. Check the TLD: free TLDs like .tk, .ml, .ga are heavily abused. Examine query parameters for encoded redirect URLs that take you somewhere else after the phishing page loads. Check if the domain was recently registered using WHOIS data.
Examples
Subdomain deception
https://secure-paypal.com.verify-account.xyz/login
Actual domain: verify-account.xyz (not paypal.com). The 'secure-paypal.com' part is just a subdomain.
Homoglyph attack
https://аpple.com (Cyrillic 'а' instead of Latin 'a')
Looks identical to apple.com but is a completely different domain using Unicode lookalike characters.
Security context
The URL is the first thing to check in any suspected phishing attempt. If the domain doesn't match the claimed brand, stop there. Everything else, the page design, the SSL certificate, the content, can be faked trivially. The domain is what matters.
Frequently asked
Focus on the registered domain, not subdomains or paths. In https://login.paypal.com.evil.xyz/account, the actual domain is evil.xyz, not paypal.com. Check for recent domain registration, free TLDs, and characters that look like but aren't standard Latin letters.
Go deeper
Continue in the Web Security Academy
Related techniques
Homoglyph and IDN Homograph Attack Detection
Detect Unicode homoglyph attacks in domain names and text. Identify Cyrillic, Greek, and other look-alike characters used for phishing and impersonation.
Email Header Analysis
Parse email headers to trace message origin, verify SPF/DKIM/DMARC authentication, and detect spoofed sender addresses in phishing emails.
URL Encoding and Decoding
Decode percent-encoded URLs to reveal hidden paths, parameters, and payloads. Detect double-encoding attacks and URL-based injection attempts.