The address bar is your primary defence against fake login pages. Visual design, logos and page content can all be copied exactly, but the domain shown in the address bar of an up-to-date browser cannot be spoofed by the page itself. Reading a URL correctly takes a few minutes to learn and defeats the most common credential-phishing pages.
Understanding URL Structure
A URL has several components. Understanding each is essential for correct interpretation:
https://mail.accounts.google.com/signin/v2?hl=en

Protocol (scheme): https://
Subdomain(s): mail.accounts.
Root domain: google.com ← THIS IS WHAT MATTERS
Path: /signin/v2
Query: ?hl=en
The root domain (the registrable domain, the part you would buy from a registrar) is the only part of the URL that tells you who operates the site. Note that a TLS certificate is issued for the full hostname, and anyone who owns a domain can obtain a valid certificate for any subdomain under it, so a padlock proves only that the connection is encrypted to whoever controls that root domain, not that the domain is the one you expect. Everything before the root domain (subdomains) and after it (path, query) can be set to anything by the site operator, including an attacker who registered the domain.
The Two Most Common URL Deception Techniques
1. Subdomain impersonation
https://google.com.accounts.secure-login.net/signin
Reading left to right, "google.com" appears first and looks legitimate. But the root domain is "secure-login.net": everything before it is a subdomain that the owner of "secure-login.net" created, and that owner controls the server entirely.
2. Path impersonation
https://phishing-site.com/google.com/accounts/login
"google.com" appears after the first single slash, so it is part of the path, which the attacker controls completely. The root domain is "phishing-site.com".
The 10-Second URL Check
- Click the address bar to see the full URL (browsers often hide the scheme and "www." until you click)
- Find the first single "/" after "https://"
- Read the text immediately before that "/": that is the full domain (hostname). If it contains an "@", everything before the "@" is a username, not part of the domain; in "https://google.com@phishing-site.com/" the domain is "phishing-site.com"
- Find the top-level domain (.com, .co.uk, .org) in that domain string; some, like .co.uk, have two parts
- The segment immediately before the TLD is the root domain: verify it matches exactly, character for character
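The same decomposition, applied to the subdomain and path impersonation examples above and to the steps of the 10-second check, as an added example in JavaScript (not code from the original page). It uses the standard WHATWG URL parser that browsers and Node.js share, so the hostname it extracts is the one the address bar displays. The list of two-part suffixes is a deliberately tiny hard-coded subset chosen for this illustration; real code should consult the Public Suffix List.

```javascript
// Added example: split a URL into the parts the 10-second check looks at and
// report the root (registrable) domain. Uses the WHATWG URL API; no network.

// ASSUMPTION: a tiny hand-picked subset of multi-part public suffixes.
// Production code should load the full Public Suffix List instead.
const MULTI_PART_SUFFIXES = new Set(["co.uk", "org.uk", "com.au", "co.jp"]);

function isIpLiteral(hostname) {
  // IPv4 dotted quad, or an IPv6 literal (URL.hostname keeps the brackets).
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) || hostname.startsWith("[");
}

function parseUrlParts(input) {
  // new URL() throws on unparsable input; callers can treat that as "suspicious".
  const u = new URL(input);
  const hostname = u.hostname.toLowerCase().replace(/\.$/, "");

  if (isIpLiteral(hostname)) {
    // A bare IP address has no registrable domain at all; legitimate login
    // pages are practically never served this way.
    return {
      scheme: u.protocol.replace(/:$/, ""),
      userinfo: u.username,
      hostname,
      isIpLiteral: true,
      subdomain: "",
      rootDomain: null,
      path: u.pathname,
      query: u.search,
    };
  }

  const labels = hostname.split(".");
  // Default: the TLD is the last label, the root domain is the last two labels.
  let suffixLen = 1;
  if (labels.length >= 3 && MULTI_PART_SUFFIXES.has(labels.slice(-2).join("."))) {
    suffixLen = 2; // e.g. example.co.uk -> root domain is three labels
  }
  const rootDomain = labels.slice(-(suffixLen + 1)).join(".");
  const subdomain = labels.slice(0, labels.length - (suffixLen + 1)).join(".");

  return {
    scheme: u.protocol.replace(/:$/, ""),
    // Anything before "@" is userinfo, not the host: "google.com@evil.example"
    userinfo: u.username,
    hostname,
    isIpLiteral: false,
    subdomain,
    rootDomain,
    path: u.pathname,
    query: u.search,
  };
}

// The final step of the check: does the root domain match the site the user
// believes they are visiting? Exact, case-insensitive comparison only.
function belongsTo(input, expectedRootDomain) {
  const parts = parseUrlParts(input);
  return parts.rootDomain !== null && parts.rootDomain === expectedRootDomain.toLowerCase();
}

// Constructed sample URLs, including the two deception patterns from the text.
const SAMPLES = [
  "https://mail.accounts.google.com/signin/v2?hl=en",
  "https://google.com.accounts.secure-login.net/signin",
  "https://phishing-site.com/google.com/accounts/login",
  "https://google.com@phishing-site.com/signin",
  "https://login.example.co.uk/",
];

for (const s of SAMPLES) {
  const p = parseUrlParts(s);
  console.log(`${s}\n  root=${p.rootDomain} sub=${p.subdomain || "-"} user=${p.userinfo || "-"} path=${p.path} google? ${belongsTo(s, "google.com")}`);
}
```

Only the first sample belongs to google.com; the others are flagged because their root domain differs, regardless of where the string "google.com" appears in the subdomain, path or userinfo.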