Don’t Get Hooked by Phishing: Identify Safe Internet Domains


3.4 billion phishing emails are sent every single day, and nearly 1 million unique phishing sites were detected worldwide in the first quarter of 2024 

2024 State of the Phish report 

Phishing scams have been on the rise for a long time. You've probably heard the usual advice, “Don’t click suspicious links” (great advice, by the way), but knowing how to evaluate a web address yourself is crucial to avoiding scams.

The internet is full of domains that might seem unfamiliar or sketchy, from .to websites to URLs starting with "www1" or "www2." Quishing attacks—phishing delivered through QR codes—are also becoming more common, adding another layer to these threats.

But it’s not just the “other” domains that require extra scrutiny: nearly 20% of phishing sites today use a .com address.

So, which domains are legitimate, which ones should you avoid, and how can you tell if a link is safe to click?

In this blog, we’ll break down different types of internet domains, show you how to recognize phishing attempts, and share best practices for staying safe online.

Evaluating URLs: What To Watch For

So what’s the key to reading URLs in links? The basic answer is that interpreting the URL means focusing on the important stuff between the double forward-slash “//” and the first single slash, primarily in the highlighted area shown below. 

Diagram showing the structure of a URL. It starts with 'http://www.' followed by sections for the tertiary domain (optional), secondary domain/server name, and top-level domain. After that, there are directories, subdirectories, and a file name with an extension. Each section is labeled: 'Tertiary Domain (optional),' 'Secondary Domain Server Name,' and 'Top-Level Domain.'

Note: The framework above is the basic URL breakdown. In place of http:// or https://, you may see ftp:// or news://. These are different types of transfer protocols.

In addition, though “www” appears in many URLs, it is not a required component. You may see additional fields prior to the generic top-level domain and secondary domain/server name. After the first single forward slash, you’ll find less critical things such as directories, subdirectories, filenames and file types.

Types of Domain Names

The part of the URL immediately before the first “/” after “https://” is the most important. Domains fall into several types:

  • Top-Level Domains (TLDs): Familiar options like .com, .org, .net. For example, .org is often used by nonprofits, while .gov is strictly for government use.
  • Country Code Top-Level Domains (ccTLDs): Such as .to, .co, .be. These indicate the country where the domain is registered. .ca, for instance, is Canada’s domain.
  • New gTLDs: These include domains like .pizza, .social, or .network. There are thousands of these new domains, and they provide more creative options for website owners—but they also offer phishers more ways to craft deceptive URLs.

Spotting Phishing Domains: Red Flags to Watch

  • Misleading Subdomains: A URL like http://www.ama.zon.com is actually leading you to “zon.com,” not Amazon. Be wary of subtle differences.
  • @ Signs and IP Addresses: URLs with “@” signs or that start with an IP address, like http://www.amazon.com@66.161.153.155, often redirect you somewhere other than the expected domain—a common phishing trick.
  • URL Redirections: If you see URLs like http://www.google.com/url?q=http://www.badsite.com, it’s a redirect. These can be used for legitimate purposes but can also lead to malicious sites. Proceed with caution.

What Is WWW1 and WWW2?

You might come across URLs like “www1.website.com” or “www2.website.com” and wonder if they’re sketchy. In most—but certainly not all—cases, they’re benign.

These prefixes indicate multiple servers behind a popular website, helping balance the traffic. So, if you see “www1” or “www2,” you’re just seeing which server is providing the content. It’s not inherently a sign of phishing—but as always, other parts of the URL need careful evaluation.

Example Links/URLs: Safe or Sketchy?

  1. http://www.amazon.com
    This is a well-known site, and the URL doesn’t include any suspicious modifications. 
    Assessment: LEGIT!

  2. http://www.ama.zon.com/gp/cart/view.html/ref=nav_cart
    URLs can be formed in almost any fashion, which makes it easy for site owners to build unique site names. It also makes it easy for phishers to build site names that closely approximate legitimate site names. In this example, a period makes all the difference. If a person clicked on the link above, they wouldn’t go to amazon.com. The link leads to the site zon.com, which could be a site registered by phishers.
    Assessment: SUSPECT!

  3. http://www.amazon.com@66.161.153.155/catalog
    In this case, a person would be directed to IP address 66.161.153.155, not amazon.com. If you see a link/URL with an “@” sign, be particularly careful. Phishers routinely use this URL-manipulation tactic.
    Assessment: SUSPECT!

  4. http://209.131.36.158/amazon.com/index.jsp
    This URL is somewhat similar in function to #3 above. It leads to the IP address, not amazon.com, which is listed after the first single forward slash.
    Assessment: SUSPECT!

  5. http://www.google.com/url?q=http://www.badsite.com
    This URL would refer a person from one site (in this case, google.com) to another site, badsite.com (note the “=http://” nomenclature that allows this). Referrals are not in themselves bad, but a referral could lead to a phishing site. In this case, badsite.com doesn’t look legitimate.
    Assessment: SUSPECT!

  6. https://www.paypal.com/login
    This is a well-known, secure URL that uses HTTPS and matches PayPal’s official domain. The URL doesn’t include any suspicious modifications.
    Assessment: LEGIT!

  7. http://www.pa1pal.com/login
    This URL uses a subtle typo, replacing “y” with “1” in “paypal.” It’s an example of a lookalike domain meant to trick users into thinking it’s legitimate.
    Assessment: SUSPECT!

  8. https://secure-login.com/paypal/account
    Though it uses HTTPS, this URL does not lead to PayPal—it leads to “secure-login.com.” Phishers often use terms like “secure” to trick users.
    Assessment: SUSPECT!
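
The eight assessments above can be reproduced mechanically by parsing each URL and looking only at the host the browser will actually contact. The following is an added example, not code from the original post. Its assumptions are the TRUSTED allow-list, the flag names, the 0.85 similarity threshold, and the shortcut of treating the last two host labels as the registered domain; example 3 is written with www.amazon.com before the “@”.

```python
import ipaddress
from difflib import SequenceMatcher
from urllib.parse import parse_qsl, urlsplit
# Assumption: domains the reader actually intends to visit (illustrative allow-list).
TRUSTED = ("amazon.com", "paypal.com")
PAGE_EXAMPLES = [  # the article's eight URLs; #3 has www.amazon.com before the "@"
    "http://www.amazon.com",
    "http://www.ama.zon.com/gp/cart/view.html/ref=nav_cart",
    "http://www.amazon.com@66.161.153.155/catalog",
    "http://209.131.36.158/amazon.com/index.jsp",
    "http://www.google.com/url?q=http://www.badsite.com",
    "https://www.paypal.com/login",
    "http://www.pa1pal.com/login",
    "https://secure-login.com/paypal/account",
]

def is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def red_flags(url):
    """Return the article's red flags that apply to url (empty list: none found)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # what the browser will actually contact
    flags = ["at-sign"] if "@" in parts.netloc else []  # text before "@" is userinfo
    flags += ["ip-host"] if is_ip(host) else []
    # Simplification: last two labels; real tooling should use the Public Suffix List.
    registered = host if is_ip(host) else ".".join(host.split(".")[-2:])
    if registered not in TRUSTED:
        for good in TRUSTED:
            brand = good.split(".")[0]
            if brand in host.replace(".", ""):
                flags.append("brand-in-subdomain")  # e.g. ama.zon.com
            if brand in parts.path.lower():
                flags.append("brand-in-path")  # brand appears only after the first "/"
            if SequenceMatcher(None, registered, good).ratio() >= 0.85:
                flags.append("lookalike")  # e.g. pa1pal.com vs paypal.com
    for _, value in parse_qsl(parts.query):
        target = urlsplit(value).hostname
        if target and target.lower() != host:
            flags.append("redirect")  # query parameter carries another site's URL
    return flags

if __name__ == "__main__":
    for url in PAGE_EXAMPLES:
        print("SUSPECT" if red_flags(url) else "no red flags", red_flags(url), url)
```

An empty result only means none of these checks fired; a domain outside the allow-list still needs the manual review described in this post.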

Internet Domain Security Best Practices

  • Check for HTTPS: Always look for https:// and the padlock icon. This doesn’t guarantee the website is safe but it indicates the data is encrypted.
  • Look for Domain Highlighting: Modern browsers sometimes highlight the actual domain, dimming everything else. This helps identify the true identity of the site.
  • Question Unknown Domains: New or unfamiliar TLDs should be treated with suspicion until verified. Just because a domain ends in .co or .tv doesn’t mean it’s a legitimate website.

Avoiding Domain Name Scams

New domains and phishing tricks are evolving. Scammers can purchase domains that look almost identical to legitimate ones.

  • Double-Check Links: Hover over links in emails to verify the destination. If something seems off, don’t click.
  • Educate Your Team: Regular phishing awareness training can significantly reduce the risk of falling for domain name scams.

Stay Informed, Stay Safe

Phishing is an ever-present threat, and the expansion of internet domains means vigilance is critical.

Informing your team about how to understand and evaluate URLs and recognize different types of domains will make a world wide web of difference in keeping your organization safe.

Security awareness training gives your team the knowledge and tools to navigate online threats confidently.

Protect your organization. Reach out to HBS today and have our experts help you build a security-first culture.