How to Read URLs and Prevent Phishing Scams

Despite an ever-changing digital world, email has held strong as a popular form of communication. This has allowed cybercriminals to hone their craft and come up with new and creative ways to scam you out of personal information. Today, we’re going to cover how to prevent phishing scams and other cyber attacks by tackling one of the most common mediums used – links. This will be a vital way to prevent phishing scams and other cyberattacks in email and other online mediums.

Sketchy links are so common online, that most of us are uneasy clicking on links in almost any situation. So how do you stay safe without suspecting your mom of a phishing scam when she sends you a link to a new recipe? Learn how to read URLs!

Some of these may seem a little hard to believe due to how simple they are. Let’s let Dilbert show why they still work…

Dilbert comic on how email scams work

Cyberattacks work due to high volume!

#1 – Misspelling Domains

Seems too easy, but this is one of the most common ways cybercriminals sneak past us in phishing scams. Take a look at the URLs below and see how long it takes you to spot what’s wrong with them.


1 – Letter Scramble

When letters are scrambled inside longer words, our brains typically make the correction without us noticing.

2 – Letter Combos

This one isn’t as common as the others due to the wide number of fonts used today. In this case, the “r” and the “n” look a lot like the letter “m”

3 – Number Swap

No doubt the “o” vs. “0” issue has caused problems for you in some way before. It’s also a classic method used to mask a shady URL.

4 – Missing Letters

This one doesn’t work on a number of well-known URLs, but for some longer domains, it can be very tricky to spot.

#2 – Domain Jumble

This method has become much more popular over the past few years. Ultimately, you should always be looking for the top-level domain in any link before you click. To do this correctly, follow these two rules:

  1. If there aren’t any single forward-slash characters in the URL (/), then read the top-level domain from left to right.
    Example URL highlighting the top-level domain
  2. If there are single forward-slash characters in the URL (/), then locate which one is farthest from the right. Starting from that forward-slash, read the top-level domain from right to left.
    Example URL highlighting the top-level domain

Pro Tip:
We are looking for single forward-slashes in the URL. Therefore, the double forward-slash in https:// would not apply.

Test it out! Take a look at the URLs below and see if you can see what links good, and what links are bad:


1 – Good!

The forward-slash is between login and com, so the top-level domain is

2 – Bad.

The forward slash is between 8675309 and net, so the top-level domain is, not Facebook.

3- Bad.

The forward slash is between com and account, so the top-level domain is, not Facebook

4 – Good!

The forward slash is between ads and com, so the top-level domain is We’ll explain the meaning of the rest of that URL towards the end.

#3 – Short Links

Short links are fairly common on social media and email for a number of reasons. Some of the most common resources for this are Bitly, Rebrandly, and TinyURL. Companies and marketers use short links to reduce character counts on social media, track link clicks, etc. Because they are so common, they have started to be leveraged in cyberattacks as well. Here’s an example of a short link:

So how do we protect ourselves? Thankfully, on social media (especially ads), the platforms carefully scan linked websites for authenticity, quality, and relevance to the ad itself to ensure it’s not misleading or malicious.

As for email, we need to be a bit more careful to prevent phishing scams. If the short link is being sent from a source you don’t trust quite yet, then you can copy/paste the short link into online tools that will expand it for you. Here are some of the more popular sites for expanding short links:

UTMs & Tracking

Last, let’s talk about the mess you often see at the end of links like this:

https://www.execu ?utm_source=blog&utm_medium=reading_urls &utm_campaign=cybersecurity_guide &utm_term=example_link&utm_content=reading_utms

First and foremost, if you follow the single forward-slash method, then you can focus on what matters. In this case, you can see that the top-level domain is, so the rest isn’t really a concern. For those of you who are curious, here’s what it all means!

Everything after the question mark (…a-look-forward/?utm…) is simply for tracking purposes. It simply helps businesses understand where their website traffic is coming from. In this example, here’s the information a company would gather:

  • Campaign Source: Blog
  • Campaign Medium: Reading URLs
  • Campaign Name: Cybersecurity Guide
  • Campaign Content: Reading UTMs

That’s it! UTMs can definitely be used to better mask sketchy URLs, but if you follow the best practices laid out in the article, they’re completely harmless.
Unfortunately, there are many other methods such as “onMouseOver” event triggers, Punycode DNS registrations, href attributes, data URLs, and more. The large variety of cyberattacks is why you should always layer your new-found knowledge of common scam approaches with other methods of cybersecurity. You may miss one of these tactics and click on a shady link, so it’s important to have other layers of protection such as antivirus software, secure routers, etc.

To learn more about protecting you and your business from cybersecurity threats, check out our Ultimate Guide To Cybersecurity!

The Ultimate Guide To Cybersecurity

Related Insights