Clicking a phishing link delivers you to a page designed to be indistinguishable from the real thing. Professional-grade phishing kits copy the HTML, CSS, JavaScript, images, and layout of real login pages exactly. The visual inspection approach — "does this look right?" — is unreliable. Detection requires checking the URL, understanding what HTTPS actually guarantees, and knowing how your browser and password manager signal authenticity.
The Five-Step Login Page Verification Protocol
Before entering credentials on any login page — whether you reached it via email, search result, or any other path — complete these five checks:
- Read the domain name in the address bar. The domain is everything between "https://" and the first single "/". Identify the root domain (the last segment before the TLD, together with the TLD itself, where a two-part suffix such as ".co.uk" counts as the TLD). For "accounts.google.com/signin", the root domain is "google.com". For "google.com.accounts.verify.net/signin", the root domain is "verify.net" — a phishing site.
- Verify it matches the organisation's official domain. Check the organisation's official website (from a trusted bookmark or direct type) if you are unsure what their real domain is. Many organisations publish their domain on printed material, statements, and official communications.
- Check whether your password manager offers to autofill. If no autofill appears for a site where you have saved credentials, the domain is different from where you originally saved them — potential phishing.
- Look for HTTP rather than HTTPS. While HTTPS does not guarantee legitimacy, HTTP is an immediate red flag — no legitimate login page should use HTTP in 2026.
- Be sceptical of search result links. Phishing pages appear in search results and in paid advertisements. Always prefer a bookmark, direct type, or the official app over following a search result to a login page.
Real vs Phishing — URL Examples
| URL | Real domain | Verdict |
|---|---|---|
| https://www.barclays.co.uk/login | barclays.co.uk | ✓ Legitimate |
| https://barclays-secure.co.uk/login | barclays-secure.co.uk | ✗ Phishing |
| https://barclays.co.uk.verify-account.net/login | verify-account.net | ✗ Phishing |
| https://accounts.google.com/signin | google.com | ✓ Legitimate |
| https://google-accounts.com/signin | google-accounts.com | ✗ Phishing |
| http://amazon.co.uk/login | amazon.co.uk | ⚠ Suspect (HTTP) |
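The domain checks from the protocol above, run over the URLs in this table, as an added example that is not part of the original page. `MULTI_PART_SUFFIXES` is a small constructed stand-in for the Public Suffix List, and the function names are hypothetical.

```javascript
// Constructed suffix list for this example only, NOT the full Public Suffix List.
// Real tooling should rely on a maintained Public Suffix List library.
const MULTI_PART_SUFFIXES = new Set(["co.uk", "org.uk", "ac.uk", "gov.uk"]);

// Return the root domain of a hostname, e.g. "accounts.google.com" -> "google.com".
function rootDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length < 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  // A suffix such as .co.uk means the root domain spans three labels, not two.
  const take = MULTI_PART_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// Compare a login URL with the organisation's official root domain,
// then flag plain HTTP even when the domain itself matches.
function checkLoginUrl(url, officialDomain) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return { root: null, verdict: "invalid URL" };
  }
  const root = rootDomain(parsed.hostname);
  if (root !== officialDomain.toLowerCase()) return { root, verdict: "phishing" };
  if (parsed.protocol !== "https:") return { root, verdict: "suspect (HTTP)" };
  return { root, verdict: "legitimate" };
}

// URLs from the table, each paired with the official domain it claims to be.
const SAMPLES = [
  ["https://www.barclays.co.uk/login", "barclays.co.uk"],
  ["https://barclays-secure.co.uk/login", "barclays.co.uk"],
  ["https://barclays.co.uk.verify-account.net/login", "barclays.co.uk"],
  ["https://accounts.google.com/signin", "google.com"],
  ["https://google-accounts.com/signin", "google.com"],
  ["http://amazon.co.uk/login", "amazon.co.uk"],
];

function runSamples() {
  return SAMPLES.map(([url, official]) => ({ url, ...checkLoginUrl(url, official) }));
}

console.table(runSamples());
```

The comparison is an exact match on the root domain, which is the same binding a password manager applies before offering autofill.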
The Password Manager Test
Using a password manager with unique passwords for every site provides an automatic phishing detector: the manager will only autofill on the exact domain where credentials were originally saved. Navigate to what you believe is the Bank of Scotland login page — if your password manager does not offer to fill your Bank of Scotland credentials automatically, you are almost certainly on a phishing page. This defence works even when the fake page is visually perfect, because the domain-binding is a technical check rather than a visual one.