URL Inspection Techniques for Phishing Defense
Malicious URLs are the delivery mechanism for the vast majority of phishing attacks. Whether embedded in emails, text messages, QR codes, or social media posts, the link is where the attack happens. Learning to inspect URLs before clicking is one of the highest-value security skills anyone can develop.
The APWG documented 3.8 million phishing attacks in 2025, and nearly all of them directed victims to fraudulent URLs designed to harvest credentials or deliver malware.
Anatomy of a URL
Understanding URL structure is essential for detecting fakes.
https://login.example.com:443/account/verify?token=abc123
- scheme: https
- subdomain: login
- domain: example.com
- port: 443
- path: /account/verify
- query: token=abc123
The domain is the critical component. Everything to the left of the domain is a subdomain (controlled by the domain owner), and everything to the right is the port, path, and query. Attackers exploit this structure by placing legitimate-looking text in the subdomain while using a malicious domain:
https://www.paypal.com.secure-login-verify.ru/signin
In this URL, the actual domain is secure-login-verify.ru — a Russian-registered domain. www.paypal.com is merely a subdomain that the attacker controls.
Six URL Red Flags
1. Domain Misspellings (Typosquatting)
Attackers register domains with subtle character substitutions:
- arnazon.com (rn instead of m)
- paypa1.com (1 instead of l)
- micros0ft.com (0 instead of o)
- gooogle.com (extra letter)
2. Suspicious TLDs
While .com, .org, and country-code TLDs are common for legitimate sites, phishing campaigns frequently use cheap or newly available TLDs like .xyz, .top, .buzz, .click, and .info. A banking login page on a .xyz domain warrants extreme skepticism.
3. IP Addresses Instead of Domains
Legitimate organizations use domain names, not raw IP addresses. A URL like http://192.168.1.100/login or http://45.33.21.8/paypal-verify is almost certainly malicious.
4. URL Shorteners
Services like bit.ly, tinyurl.com, and t.co hide the destination URL. While legitimate in social media contexts, shortened URLs in emails claiming to be from banks or employers are red flags. Use URL expander tools to reveal the destination before clicking.
5. Excessive Subdomains
secure.login.verify.account.attacker-domain.com uses multiple subdomains to push the actual domain off the visible portion of the address bar, especially on mobile devices.
6. HTTP on Login Pages
Any page requesting credentials should use HTTPS. While HTTPS alone does not guarantee legitimacy (attackers can obtain free certificates), HTTP on a login page is a definitive red flag.
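The six checks above can be automated for triage. The following Python sketch is an added example, not code from the original article. The brand watch list, the two-label suffix set (a stand-in for the full Public Suffix List), and the subdomain threshold are assumptions, and it flags every http:// URL because it cannot tell whether a page asks for credentials.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# TLD and shortener lists come from the article; the rest are constructed samples.
SUSPICIOUS_TLDS = {"xyz", "top", "buzz", "click", "info"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
BRANDS = {"amazon", "paypal", "microsoft", "google"}
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}  # stand-in for the Public Suffix List
MAX_SUBDOMAIN_LABELS = 2  # assumed threshold for "excessive"

def registrable_domain(host):
    """Return the part someone had to register: public suffix plus one label."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def normalize(label):
    """Undo the substitutions listed above: rn->m, 1->l, 0->o, repeated letters."""
    label = label.replace("rn", "m").replace("1", "l").replace("0", "o")
    return re.sub(r"(.)\1+", r"\1", label)

def red_flags(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    flags = ["http-scheme"] if parts.scheme == "http" else []
    try:
        ipaddress.ip_address(host)
        return flags + ["ip-address-host"]
    except ValueError:
        pass  # not an IP literal, so analyse it as a domain name
    domain = registrable_domain(host)
    name, tld = domain.split(".")[0], domain.rsplit(".", 1)[-1]
    sub_labels = [l for l in host[: -len(domain)].split(".") if l]
    if name not in BRANDS and normalize(name) in {normalize(b) for b in BRANDS}:
        flags.append("typosquat")
    if name not in BRANDS and BRANDS & set(sub_labels):
        flags.append("brand-in-subdomain")
    if tld in SUSPICIOUS_TLDS:
        flags.append("suspicious-tld")
    if domain in SHORTENERS:
        flags.append("url-shortener")
    if len(sub_labels) > MAX_SUBDOMAIN_LABELS:
        flags.append("excessive-subdomains")
    return flags
```

An empty result means only that none of these heuristics fired; reputation and domain-age checks still apply.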
Pre-Click Inspection Techniques
Hover Before You Click
On desktop, hover your mouse over a link to reveal the actual URL in the bottom-left corner of your browser or email client. The displayed text and the actual URL frequently differ in phishing emails:
Displayed: Click here to verify your account
Actual URL: https://phishing-site.xyz/steal-creds
Right-Click and Copy
Right-click the link and select “Copy link address.” Paste it into a text editor to examine it fully before deciding whether to visit it.
Mobile Long-Press
On mobile devices, long-press (tap and hold) a link to preview the destination URL. Mobile browsers show truncated URLs by default, making phishing harder to spot — this is why smishing click rates (19-36%) far exceed email phishing rates (2-4%).
Post-Click Verification
If you have already clicked a link, verify the page before entering any information:
- Check the address bar — confirm the domain matches the legitimate organization
- Look for the padlock — click it to view the certificate details and verify the organization name
- Test with fake credentials — phishing sites accept any input; legitimate sites reject incorrect passwords
- Check the page source — phishing pages often contain copied HTML with references to the legitimate site’s assets
URL Analysis Tools
| Tool | Purpose | Cost |
|---|---|---|
| VirusTotal (virustotal.com) | Multi-engine URL scanning | Free |
| URLScan.io | Visual page rendering and analysis | Free |
| Google Safe Browsing | Real-time URL reputation check | Free (built into Chrome) |
| PhishTank | Community-reported phishing database | Free |
| WHOIS Lookup | Domain registration details and age | Free |
A newly registered domain (days or weeks old) hosting a login page for a major brand is almost certainly a phishing site. WHOIS data reveals registration dates that expose these throwaway domains.
Advanced Techniques
DNS Resolution
Use nslookup or dig to resolve a suspicious domain and check whether the IP belongs to the claimed organization’s infrastructure. Most major organizations publish their IP ranges.
Certificate Transparency Logs
Search certificate transparency logs (crt.sh) for recently issued certificates matching brand names. Attackers must obtain certificates for their phishing domains, and these appear in public logs within hours.
Sandbox Analysis
Submit suspicious URLs to sandbox services like URLScan.io or Any.Run to see what the page does without risking your own system. These services render the page, capture screenshots, and log network activity.
Organizational Implementation
Organizations should combine URL inspection training with technical controls:
- Email gateway URL rewriting — rewrites URLs to pass through a security proxy that checks reputation in real time
- DNS filtering — blocks resolution of known malicious domains
- Browser isolation — renders web content in a remote container, preventing malware delivery
- DMARC/SPF/DKIM — prevents domain spoofing at the email level
See our email filtering best practices and browser security settings guide for implementation details.
Key Takeaways
- The domain is the critical component of any URL — everything else can be faked
- Typosquatting, suspicious TLDs, IP addresses, and URL shorteners are primary red flags
- Always hover or long-press to preview links before clicking
- Free tools like VirusTotal, URLScan.io, and WHOIS expose malicious URLs
- Combine user training with technical URL filtering for organizational defense
For the complete phishing defense framework, see our phishing recognition and reporting guide.
Sources
- CISA Phishing Guidance: Stopping the Attack Cycle at Phase One
- NIST SP 800-177 Rev. 1: Trustworthy Email
- APWG Phishing Activity Trends Reports 2025
Security education disclaimer: This article describes URL analysis techniques for defensive purposes only. Use these methods to protect yourself and your organization. Do not use them for unauthorized testing of others’ systems.