Phishing & Social Engineering · 1 min read

Detecting Phishing URLs: Indicators and Techniques

Phishing URLs are designed to look legitimate while leading victims to fake pages. The tricks range from simple typosquatting (paypa1.com) to sophisticated homoglyph attacks using look-alike Unicode characters. Breaking down a suspicious URL into its components, checking the actual registered domain, and analyzing the path and parameters reveals the deception.

Try it now

URL Analyzer

Runs in your browser, nothing leaves your device.

Typosquatting: registering misspelled versions of popular domains (gooogle.com, amazom.com). Subdomain abuse: using the target brand as a subdomain of an unrelated domain (paypal.login.evil.com, where evil.com is the actual domain). URL shorteners hiding the destination. Long URLs with the real domain buried after many subdirectories. Homoglyph attacks using Cyrillic or Greek characters that look identical to Latin letters.

Extract the registered domain (the domain + TLD, ignoring subdomains). Check if it matches the expected brand. Look for Unicode characters that shouldn't be in a domain. Check the TLD: free TLDs like .tk, .ml, .ga are heavily abused. Examine query parameters for encoded redirect URLs that take you somewhere else after the phishing page loads. Check if the domain was recently registered using WHOIS data.

Subdomain deception

Input
https://secure-paypal.com.verify-account.xyz/login
Result
Actual domain: verify-account.xyz (not paypal.com). The 'secure-paypal.com' part is just a subdomain.

Homoglyph attack

Input
https://аpple.com (Cyrillic 'а' instead of Latin 'a')
Result
Looks identical to apple.com but is a completely different domain using Unicode lookalike characters.

Security context

The URL is the first thing to check in any suspected phishing attempt. If the domain doesn't match the claimed brand, stop there. Everything else, the page design, the SSL certificate, the content, can be faked trivially. The domain is what matters.

Focus on the registered domain, not subdomains or paths. In https://login.paypal.com.evil.xyz/account, the actual domain is evil.xyz, not paypal.com. Check for recent domain registration, free TLDs, and characters that look like but aren't standard Latin letters.

Go deeper

Continue in the Web Security Academy

Related techniques

Comparing (/4):

Tool Comparison

Feature
Type
Pricing
Platforms
Description