Reading domains and URLs (the one skill that catches most phishing)

If you only learn one thing here, learn to read a web address. Almost every phishing attack falls apart the moment you can answer one question: who really owns this address?

What is a domain?

A domain is the name a person or company registered and controls — like paypal.com, google.com, or irs.gov. Owning a domain is like owning a street address: only the owner can put up the building. When you're sure an address belongs to PayPal, you can trust it. The whole game in phishing is making an address look like it belongs to someone it doesn't.

Two places you'll see domains:

  • In an email address, after the @: in service@paypal.com, the domain is paypal.com.
  • In a link / web address (URL): in https://www.paypal.com/account, the domain is paypal.com.

The registrable domain — and the right-to-left rule

A web address can have several words separated by dots. Only two of them make up the part that's actually owned: the name and the ending (.com, .net, .gov, .ru…). That pair is the registrable domain, and it's the only part that tells you who's in charge.

Read it from the right, just to the left of the first single slash /. The registrable domain is the last two pieces before that slash.

https://login.microsoftonline.com/account
              └────────┬────────┘
        registrable domain = microsoftonline.com   ✅ owned by Microsoft

https://login-microsoftonline.secure-auth.ru/account
                              └─────┬──────┘
        registrable domain = secure-auth.ru        ❌ owned by "secure-auth.ru", NOT Microsoft

Everything to the left of the registrable domain (login., login-microsoftonline.) is a subdomain — and the owner of the domain can name those anything they want. An attacker who owns secure-auth.ru can create login-microsoftonline.secure-auth.ru in two minutes. It reads like Microsoft; it's owned by the attacker.

Rule: find the first single / after the https://, then read the two pieces immediately to its left. That's who owns the page. Ignore the rest.

The characters that matter (and how attackers abuse them)

Phishers play tricks with the punctuation in addresses. Here's what each character actually does:

  • Dot . separates the pieces of a domain. The dots are the only thing that defines the structure. paypal.com (one domain) is completely different from paypal.com.secure-login.ru — read right-to-left, that last one is owned by secure-login.ru. Attackers add extra dotted words so a quick glance sees "paypal.com" at the start and stops reading.
  • Hyphen - is just another allowed character inside a domain name — which is the trick. paypal-secure.com and apex-officesupplies.com are brand-new domains that aren't paypal.com or apexofficesupplies.com. The hyphen lets an attacker glue a trustworthy word onto a domain they own.
  • Slash / marks the end of the domain and the start of the path (the page on that site). Everything after the first single slash is just a page name the owner chose — evil-site.ru/paypal.com/login is owned by evil-site.ru, and /paypal.com/login is only a folder name meant to fool you.
  • @ inside a link is a genuinely sneaky one. In a URL, a browser ignores everything before an @ and goes to whatever's after it. https://www.paypal.com@evil.ru/login does not go to PayPal — it goes to evil.ru. If you ever see an @ in the middle of a link, stop.
  • Lookalike letters / numbers: paypa1.com (the number one for the letter L), micros0ft.com (zero for O), rnicrosoft.com (r-n looks like m). Read slowly, letter by letter, when something feels off.

Putting it together

When you get a link or a sender address:

  1. Find the registrable domain (right-to-left: the two pieces just before the first single slash, or, in an email address, the two pieces after the @).
  2. Ask: is that really the company's normal domain? Not a hyphenated cousin, not a subdomain of something else, not a lookalike.
  3. If you're not certain, don't click. Open the company yourself by typing its real address or using a bookmark.
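The right-to-left rule, the @ and slash tricks, and the lookalike check from the sections above, as a small added Python example (not part of the original guide). It goes slightly beyond the guide's "two pieces" rule by handling multi-part endings such as co.uk with a tiny constructed suffix list; a real tool would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny list of multi-part endings. The guide's
# "last two pieces" rule fits .com/.net/.ru; an ending like co.uk owns three
# pieces, so a real tool would load the full Public Suffix List instead.
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Lookalike substitutions the guide lists: r-n for m, 1 for l, 0 for o.
LOOKALIKES = [("rn", "m"), ("1", "l"), ("0", "o")]

def host_of(address: str) -> str:
    """Return the host of a URL or email address, lowercased."""
    address = address.strip()
    if "://" in address:
        # urlsplit() drops the part before an '@' (a username, not the site)
        # and everything after the first single '/' (the path).
        return (urlsplit(address).hostname or "").lower()
    if "@" in address:                        # email: the domain follows the @
        return address.rsplit("@", 1)[1].lower()
    return address.split("/", 1)[0].lower()   # bare host, maybe with a path

def registrable_domain(address: str) -> str:
    """Right-to-left rule: the name plus its ending, read before the slash."""
    labels = host_of(address).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])          # e.g. example.co.uk
    return ".".join(labels[-2:])              # e.g. secure-auth.ru

def looks_like(domain: str, real_domain: str) -> bool:
    """True when domain is not real_domain but reads like it once the
    lookalike characters are swapped back, e.g. paypa1.com vs paypal.com."""
    if domain == real_domain:
        return False
    normalized = domain
    for fake, real in LOOKALIKES:
        normalized = normalized.replace(fake, real)
    return normalized == real_domain

def check(address: str, real_domain: str) -> str:
    """Classify an address against the company's known domain."""
    domain = registrable_domain(address)
    if domain == real_domain:
        return "ok"
    if looks_like(domain, real_domain):
        return "lookalike"
    return "different owner"      # hyphenated cousin, subdomain trick, etc.
```

check("https://www.paypal.com@evil.ru/login", "paypal.com") returns "different owner" because the host is evil.ru, and check("https://paypa1.com/login", "paypal.com") returns "lookalike".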

The next guides show how to verify a domain you're unsure about — checking its reputation and age (VirusTotal) and who owns it (WHOIS).