Security Feb 17, 2026 5 min read

How to Spot a Phishing Link Before You Click It

Attackers craft URLs designed to fool even security-aware users. Here's how to read a URL like a security analyst and verify any link before it's too late.

Why phishing links are so effective

Phishing is consistently one of the most common ways attackers gain an initial foothold in published breach reports. It works because humans are pattern matchers: we see paypal.com somewhere in a URL and our brain stops reading. Attackers exploit exactly this cognitive shortcut.

Modern phishing URLs are carefully crafted to look legitimate at a glance. Learning to actually read URLs — not just skim them — is one of the highest-ROI security skills you can develop.

The tricks attackers use

Typosquatting

Registering a domain that's one character off from a legitimate one, relying on users not noticing the typo.

paypal.com

paypaI.com (capital i, not lowercase L)

paypall.com (double L)

paypal.com (wrong but you may not see it)

Subdomain confusion

Putting a real brand name as a subdomain, with the actual malicious domain after it. Users read left-to-right and stop when they see a familiar name.

paypal.com.login-verify.ru/account

The real domain here is login-verify.ru, not paypal.com. Only the owner of login-verify.ru decides what paypal.com.login-verify.ru resolves to; the brand name on the left is a label they chose.

Homograph attacks

Using Unicode characters that look identical to ASCII letters. The Cyrillic "а" (U+0430) looks exactly like the Latin "a" (U+0061), but they are different characters, so they spell different domains. Internationalized domain names travel on the wire in an ASCII form that begins with xn-- (punycode), and most browsers fall back to displaying that form when a label mixes scripts, which is a reliable tell. A label written entirely in one lookalike script can pass that check, so when in doubt read the xn-- form in the status bar or in a scanner's output.

apple.com (all Latin)

аpple.com (Cyrillic а — looks identical)

URL shorteners

Short links like bit.ly/3xK92p completely obscure the destination, and attackers use them specifically to hide malicious URLs. Never click a shortened link in an email or message without previewing it first: bit.ly shows the destination if you append + to the link, and most other shorteners offer a similar preview.

HTTPS doesn't mean safe

The padlock only means the connection to the domain shown in the address bar is encrypted and that the server proved control of that exact domain name. It says nothing about whether that domain belongs to the organization you think it does. TLS certificates are free and issued automatically, so a padlock on a phishing site is the norm, not the exception (and recent versions of Chrome no longer show a padlock at all). Always check the domain, not the padlock.

Open redirect exploitation

Some legitimate sites have open redirect vulnerabilities: an endpoint that forwards the browser to whatever URL is supplied in a query parameter, as in google.com/url?q=evil.com. The domain you see is trusted; the parameter decides where you end up. Attackers use these to make malicious links appear to come from trusted domains, so read the query string too, and treat any parameter whose value is itself a URL (url=, next=, redirect=, return=) with suspicion.

How to read a URL safely

  1. Find the actual domain — the host is everything between https:// and the next slash, ignoring anything before an @ in that span (in https://paypal.com@evil.com/ the host is evil.com). Read the host from the right: the last label is the TLD, the label before it together with the TLD is the registered domain (one label further left for suffixes like co.uk), and everything else to the left is a subdomain chosen by whoever owns that registered domain. Everything after the slash is a path, and the query string after ? can carry a redirect target.
  2. Check the TLD — .com doesn't mean safe, and neither does anything else. Attackers register .co, .net, .xyz, and country-code domains too, and a brand does not necessarily own its name under every TLD.
  3. Hover before clicking — the visible link text and the actual destination are independent, so hover over links to see the real URL in your browser's status bar before clicking (long-press on mobile).
  4. Look for urgency manipulation — phishing emails create panic ("Your account will be closed in 24 hours!"). Urgency is a manipulation tactic to stop you from thinking critically.
  5. Verify via official channels — if you receive a link about your bank account, don't click it. Go directly to your bank's official site by typing the URL yourself, using a saved bookmark, or opening the official app.
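The checklist above turned into a small URL reader, as an added example written for this page (it is not code from the original post or from any scanner the page mentions). It isolates the host, derives the registrable domain by reading from the right, and flags each trick described earlier: a brand name sitting among the subdomains, mixed-script or non-ASCII labels (reported in their punycode form), one- or two-character typosquats, userinfo before an @, and query parameters that carry a URL. The brand list, the short public-suffix table, the redirect-parameter names and the sample URLs are all assumptions made for the demo.

```python
"""Read a URL the way the checklist above does: isolate the host, find the
registrable domain, then flag the lookalike tricks described on this page."""
import re
import unicodedata
from urllib.parse import parse_qs, urlsplit

# Assumed brand list for the demo; a real deployment would load the brands
# your users actually log in to.
KNOWN_BRANDS = {"paypal", "apple", "google"}

# Assumed hand-picked subset of two-label public suffixes. Real tooling uses
# the full Public Suffix List (publicsuffix.org) instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Assumed set of parameter names that commonly carry a redirect target.
REDIRECT_PARAMS = {"q", "url", "u", "next", "redirect", "redirect_uri", "return", "goto"}

# A parameter value that looks like a URL or bare domain (assumed heuristic).
URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}(?:[/?#].*)?$", re.I)


def with_scheme(url: str) -> str:
    """Emails often show bare hosts; give them a scheme so urlsplit sees a host."""
    return url if "://" in url else "https://" + url


def host_of(url: str) -> str:
    """Lowercased host. .hostname already drops userinfo ('paypal.com@') and port."""
    return (urlsplit(with_scheme(url)).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Read from the right: TLD, then the label that was actually registered."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def script_of(ch: str) -> str:
    """Script family from the Unicode character name: LATIN, CYRILLIC, GREEK, ..."""
    if ch in "-0123456789":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def mixed_script_labels(host: str) -> list:
    """Labels mixing scripts, e.g. Cyrillic 'а' followed by Latin 'pple'."""
    return [lab for lab in host.split(".")
            if len({script_of(c) for c in lab} - {"COMMON"}) > 1]


def to_ascii(host: str) -> str:
    """Punycode form (xn--...), which a careful browser shows for lookalikes."""
    return host.encode("idna").decode("ascii")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(url: str) -> dict:
    """Return the host, the registrable domain and a list of readable findings."""
    url = with_scheme(url)
    parts = urlsplit(url)
    host = host_of(url)
    domain = registrable_domain(host)
    sld = domain.split(".")[0]
    findings = []

    if parts.username is not None:  # https://paypal.com@evil.com/ trick
        findings.append(f"userinfo '{parts.username}@' hides the real host {host}")

    subdomain_labels = host[: len(host) - len(domain)].rstrip(".").split(".")
    for brand in sorted(KNOWN_BRANDS & set(subdomain_labels)):
        findings.append(f"brand '{brand}' is only a subdomain of {domain}")

    if mixed_script_labels(host):
        findings.append(f"mixed-script label; punycode form is {to_ascii(host)}")
    elif not host.isascii():
        findings.append(f"non-ASCII host; punycode form is {to_ascii(host)}")

    for brand in sorted(KNOWN_BRANDS):
        d = edit_distance(sld, brand)
        if 0 < d <= 2:
            findings.append(f"'{sld}' is {d} edit(s) away from '{brand}'")

    for name, values in parse_qs(parts.query).items():
        if name.lower() in REDIRECT_PARAMS:
            for v in values:
                if URL_LIKE.match(v):
                    findings.append(f"parameter '{name}' redirects to {host_of(v)}")

    return {"host": host, "domain": domain, "findings": findings}


# Constructed samples: the page's own examples plus two further tricks.
SAMPLE_URLS = [
    "https://www.apple.com/",
    "paypal.com.login-verify.ru/account",
    "https://paypaI.com/signin",                  # capital I for lowercase l
    "https://\u0430pple.com/",                    # first letter is Cyrillic U+0430
    "https://paypal.com@evil.com/login",
    "https://google.com/url?q=https://evil.com/login",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyze(u)
        print(f"{u}\n  domain: {r['domain']}\n  findings: {r['findings'] or 'none'}")
```

Running the file prints the registrable domain and the findings for each constructed sample; the clean apple.com entry produces none. Before relying on something like this, swap the two-label suffix table for the Public Suffix List and the brand set for your own inventory, and remember that a lookalike written entirely in one non-Latin script only trips the weaker non-ASCII check.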

What to do with a suspicious link

  • Use a link safety scanner to check the URL against threat databases before visiting. A clean result only means nobody has reported it yet; brand-new phishing pages are often still unknown.
  • Use a sandbox like urlscan.io to fetch and screenshot the page without visiting it yourself. Scans submitted there are public by default, so mark the scan private if the link contains a personal token or session identifier.
  • Check the domain's age with a WHOIS or RDAP lookup. A domain registered days ago is a strong red flag, since phishing domains are typically registered shortly before a campaign starts.
  • Report phishing URLs to Google Safe Browsing, your email provider, and the impersonated brand's abuse contact.
