10.27.25

How to read a URL and spot a fake website

You just got a notification, and you need to log in fast. You click the link, and the website looks perfect—the logo is right, the colors match, and the login box is exactly where it should be. You’re about to type in your password, but hold on a second!

Scammers are masters of creating fake websites that look identical to a trusted one (like your bank, Amazon, or PayPal). They clone the site down to the pixel. But there is one thing they cannot fake: the URL (the website address).

Knowing how to read a URL is your superpower in the fight against these scams. It’s the ultimate reality check that tells you whether you’re on the real website or a criminal’s trap.

Unlock the URL Secret: The Core Domain

The most important part of any website address is the core domain. This is the real, verified name of the company you are visiting, and it always sits right before the final .com, .org, or other top-level domain.

For example, look at this address:

https://www.bankofamerica.com/login/account

The core domain is bankofamerica. Everything to the left of that is the subdomain (www.), and everything to the right is the specific page path (/login/account).

The Rule: A legitimate site will always have the company’s real name immediately preceding the .com or similar suffix.

Common Scammer Tricks (and How to Spot Them)

Criminals rely on you glancing quickly at the address bar, but they have to twist the address to make their trap work.

1. The Subdomain Swap

This is a classic trick. Scammers take the real company name and move it to the subdomain—the part that comes before the core domain.

  • Fake Example: https://www.paypal.**security-alert.com**/login
  • The Problem: The core domain is actually security-alert.com, which is owned by the scammer. They just put “paypal” at the beginning to trick your eyes.
  • The Real Site: https://www.**paypal.com**/myaccount

2. The Typo Trap (Typosquatting)

Scammers hope you don’t notice a tiny misspelling.

  • Fake Example: https://www.faceb00k.com/ (using a zero instead of the letter ‘o’)
  • Fake Example: https://www.gooogle.com/ (an extra letter)
  • The Problem: If you type in the address, or click a link containing a misspelled name, you land on the scammer’s site.
  • The Real Site: https://www.facebook.com/

3. The Hyphen Headache

Scammers sometimes try to insert extra hyphens or words to confuse you.

  • Fake Example: https://www.**amazon-support.com**/billing
  • The Problem: The core domain is amazon-support.com, which is not the same as amazon.com. The hyphen is the giveaway.
  • The Real Site: https://www.**amazon.com**/gp/billing

Your Active Superpower Checklist

Before you ever enter a username or password:

  1. Stop and Look: Force yourself to look at the entire address bar, not just the page content.
  2. Locate the Dot: Find the final .com, .org, or .net.
  3. Verify the Name: Look immediately to the left of that dot. Does that word match the name of the company you expect to see? If you see a hyphen, a typo, or another unrelated word there, bail immediately.

By adopting this simple habit, you activate your superpower and shut down a huge majority of phishing scams before they can even touch your data.
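
The checklist above as an added Python example (not part of the original article): it pulls the core domain out of a URL and compares it with a constructed allowlist, flagging the three tricks described earlier. The names `TRUSTED`, `split_host` and `check_url` are illustrative, and the handling of two-part suffixes such as .co.uk goes slightly beyond the article's .com examples.

```python
from difflib import get_close_matches
from urllib.parse import urlsplit

# Constructed allowlist: core domains of the sites you actually use.
TRUSTED = {"paypal.com", "amazon.com", "facebook.com", "google.com",
           "bankofamerica.com"}
BRANDS = {d.split(".")[0] for d in TRUSTED}

# Constructed sample of two-part suffixes; a production checker should load
# the full Public Suffix List instead of this short set.
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Digit-for-letter swaps such as the zeros in "faceb00k".
LOOKALIKES = str.maketrans("01", "ol")


def split_host(url):
    """Return (subdomain labels, core domain) for the URL's hostname."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # lowercased, no port
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_PART_SUFFIXES else 2
    return labels[:-keep], ".".join(labels[-keep:])


def core_domain(url):
    """Checklist steps 2 and 3: the name left of the final suffix."""
    return split_host(url)[1]


def check_url(url):
    """Classify a URL against TRUSTED using the three tricks above."""
    subdomains, core = split_host(url)
    if core in TRUSTED:
        return "trusted"
    name = core.split(".")[0]
    if BRANDS & set(subdomains):          # brand moved into the subdomain
        return "subdomain swap"
    if "-" in name and BRANDS & set(name.split("-")):
        return "extra word"               # brand glued to another word
    if get_close_matches(name.translate(LOOKALIKES), BRANDS, n=1, cutoff=0.85):
        return "typo"                     # near-miss spelling of a brand
    return "unrecognized"


if __name__ == "__main__":
    for u in ("https://www.paypal.security-alert.com/login",
              "https://www.faceb00k.com/",
              "https://www.amazon-support.com/billing",
              "https://www.paypal.com/myaccount"):
        print(f"{check_url(u):15} {core_domain(u):22} {u}")
```

Anything other than "trusted" means the name left of the final suffix is not one you listed, so no password should be entered there.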