How to spot a phishing URL

Updated: Nov 15, 2021

Phishing is one of the biggest, if not the biggest, cyber risks to businesses.

Metacompliance found that 91% of cyber attacks started with a phishing campaign.


Unfortunately, it is also probably one of the hardest attacks to defend against, as criminals continue to tweak their campaigns and understand what makes us act. They are super social engineers.


One of the ways that criminals use phishing campaigns is to get us to click a link which takes us to a webpage which looks genuine and when we log in, it captures our account details which are then exploited.

Being able to identify when a link is malicious is a key ability which can protect your business from falling victim to phishing campaigns.

Structure of URLs

If your website is like your home, then your URL is your home address. The domain is unique, so ecrcentre.co.uk is different from ecrcentre.net.


Figure: structure of a URL. In https://ecrcentre.co.uk/news, https is the protocol, ecrcentre.co.uk is the domain and news is the directory.

The protocol determines how information travels from you to the domain and back. HTTPS means that the information is encrypted in transit, and most legitimate websites will use this protocol, so an HTTP URL can be a warning sign. The directory is the path to the exact page within the website.


The most important part of the URL to look at is the domain. Read it from the right, starting at the last dot (.), to work out whether where you are being sent is where you expect. An example could look like http://microsoft. com.office365.ru, where the criminals are hoping that you look at the start, see Microsoft.com (with an extra space) and don’t notice that the domain actually ends in office365.ru – a completely different place.


Five ways that URLs can be phished

URL phishing most often comes in the following forms:

  1. “Legit” links. These phishing links use legitimate websites, such as Google or Bing search engine results, to redirect the victim to the websites the criminals want, like this (this one is safe to check, but hover over the link to see where the URL leads first).

  2. Masked links are hyperlinks that are overlaid on top of legitimate ones that lead to a different page, for example, www.findaphish.com/ (actually leads to the ECRCentre.co.uk/sign-up page).

  3. Typosquatting is URL phishing done by purposefully changing, skipping, or mistyping letters in a domain name like https://twirtter.com (do not visit) instead of https://twitter.com.

  4. Malformed prefix links prey on people who do not pay attention to a URL’s prefix. For example, http://google.com (fake, do not visit) is different from https://google.com (legit).

  5. Subdomain links give the illusion that a link leads to a legitimate site, but the legitimate name is a purposefully misplaced subdomain in the middle of the URL, e.g., https://microsoft.com.office365.ru vs. https://microsoft.com/office365.


Surfshark had this great example of what this looks like in practice

Figure (Surfshark): a fake Amazon email sent from Arnazon.com, showing a typosquatted name, a “legit” link, a malformed link and masked text.

How to identify URL phishing

1. Does it come from a suspicious email or message?

2. If you hover over the link, does it show a different location from the text displayed?

3. Does the domain name have extra “.somethings” at the end?

4. Is the protocol not what you would expect, i.e., http rather than https?

5. Are you being re-directed through a search engine?



If any of these are a “Yes” then don’t click on the link. Go to the legitimate site and confirm the information there.
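As an added example, not part of the original article, the check below applies the five signs above to a single link in Python: it reads the registered domain from the right, flags a trusted brand that appears only as a subdomain, a lookalike spelling, a non-https protocol, a search-engine redirect, and displayed text whose domain differs from the real target. The brand list, the public-suffix subset and the search-engine list are constructed for the example; a real deployment would use the organisation's own trusted domains and the full Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed lists for this example (not from the article).
KNOWN_BRANDS = ("microsoft.com", "google.com", "twitter.com", "amazon.com")
TWO_LABEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "com.au"}
SEARCH_REDIRECTORS = {"google.com", "bing.com"}


def registered_domain(host):
    """Read the host from the right: the registrable domain is the part the
    owner really controls (office365.ru in microsoft.com.office365.ru)."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, displayed_text=None):
    """Apply the article's checks to one link; returns a list of red flags."""
    flags = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":                       # malformed prefix (http)
        flags.append("protocol is not https")
    real = registered_domain(host)
    for brand in KNOWN_BRANDS:
        if "." + brand + "." in "." + host + "." and real != brand:   # subdomain trick
            flags.append(f"{brand} is only a subdomain; the real domain is {real}")
        elif 0 < edit_distance(real, brand) <= 2:      # typosquat (twirtter, arnazon)
            flags.append(f"{real} looks like a misspelling of {brand}")
    if real in SEARCH_REDIRECTORS and parsed.query:    # "legit" link via a search engine
        flags.append(f"link goes through {real} rather than straight to the site")
    if displayed_text:                                 # masked link: shown text vs target
        shown = urlparse(displayed_text if "//" in displayed_text else "//" + displayed_text)
        if shown.hostname and registered_domain(shown.hostname) != real:
            flags.append(f"displayed as {shown.hostname} but points to {host}")
    return flags
```

An empty list means none of the five signs fired; a non-empty list is the cue to go to the legitimate site directly instead of clicking.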

Confirm independently - If you received an attachment that you were not expecting, or a change of payment details, confirm the details with the person using a method other than the one in the communication – criminals might be monitoring the email address or have changed a phone number, so it goes to them.


Report it - If you think you have received a phishing email, then you need to report it. Your business should have a policy about this, and your staff should understand what they need to do, whether they have fallen victim or just received it.

  • Reporting a suspicious website - https://www.ncsc.gov.uk/section/about-this-website/report-scam-website.

  • Reporting a suspicious email – forward to report@phishing.gov.uk

  • Reporting a suspicious text message – send to 7726. This free-of-charge short code enables your provider to investigate the origin of the text and take action, if found to be malicious.

The NCSC has an add-in which you can use in business versions of Outlook to report phishing emails directly to them so that they can investigate and potentially remove the threat. Having the button visible could also help to keep phishing in mind when staff receive an email, like a little nudge.


Our affordable Staff Awareness Training could help your staff to recognise a Phish. If you would like more information about this then contact us.

The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.