URL Safety Basics
A quick, practical guide to spotting risky links before you click.
This page is client-side only. It does not collect or transmit any data.
How to Read a URL
Focus on the registered domain and treat everything else as noise.
https://login.paypal.com/security?ref=email
- Registered domain: paypal.com
- Subdomain: login (owned by paypal.com)
- Scheme: https (encrypted)
https://paypal-secure-login.support.example.com/
- Looks like PayPal, but the registered domain is example.com
- Words to the left of the domain can mislead
High-Risk Signals
| Signal | Why it matters | Example |
|---|---|---|
| “@” in the authority | Everything before “@” can be a decoy; the real host is to the right | https://secure-login.paypal.com@evil.example.net/ |
| Internationalized or look-alike characters | Homoglyphs (e.g., l vs I) and IDNs can mimic trusted brands | https://paypaI-login.example.net/ |
| URL shorteners | Hide the destination; often used to bypass filters | https://bit.ly/abc123 |
| IP-literal hosts | No clear brand identity | http://185.199.110.153/signin |
| Uncommon ports | Legit sites rarely need ports other than 443/80 | https://login.example.com:8080/ |
| Suspicious keywords | “verify”, “reset”, “secure”, “appeal”, “invoice”, etc. in path or query | https://brand.example.com/support/verify-account |
Five-Second URL Check
- Read the domain from right to left and stop at the last two labels, e.g., example.com
- Ignore everything before the domain, especially if you see words like “secure” or brand names
- Hover to preview the real destination before you click
- If a link came from email or text, navigate to the site manually instead
- When in doubt, use the URL Risk Checker to inspect static signals offline
About URL Schemes
Common
- https:// encrypted web
- http:// unencrypted, avoid for logins
- mailto: opens your email app
Be cautious
- javascript: can execute code
- data: embeds content directly
- file: local file access; should not appear on websites
Tracking Parameters to Know
These don’t always mean “phish,” but they add noise and can expose personal data if shared.
utm_source, utm_campaign, gclid, fbclid, mc_eid, msclkid, ref, affiliate, session, token
- Remove trackers before sharing a link
- Avoid clicking shortened links that add or hide trackers
🧩 Common Parameters Explained
These don’t always mean phishing, but they can reveal tracking data and sometimes personal information if shared.
| Parameter | Platform / Meaning | Purpose |
|---|---|---|
| utm_source, utm_medium, utm_campaign | Google Analytics (Urchin Tracking Module) | Identify which email, ad, or post brought you to a site. |
| gclid | Google Ads Click ID | Connects ad clicks to Google Ads conversions. |
| fbclid | Facebook Click ID | Tracks users clicking outbound links from Facebook. |
| mc_eid | Mailchimp Email ID | Identifies which subscriber opened a newsletter link. |
| msclkid | Microsoft Ads Click ID | Used by Bing Ads to attribute conversions. |
| ref | Referral Code | Indicates where the visitor came from (affiliate, forum, etc.). |
| affiliate | Affiliate / Partner ID | Identifies which partner referred the sale for commission. |
| session, token | Session or temporary identifiers | Track sessions or authenticate users, sometimes leaking unique IDs if shared. |
🔒 Tip: You can safely remove these parameters before sharing a link — everything after the ? is usually optional.
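The high-risk signals from the table above and the tracker list from this section, combined into one small client-side checker. This is an added example, not the page's own URL Risk Checker; it assumes the WHATWG URL parser built into browsers and Node.js, a constructed sample list of shortener hosts, and the page's "last two labels" rule for the registered domain (which misreads multi-label public suffixes such as co.uk; a production checker would consult the Public Suffix List).

```javascript
// Added example, not code from the original page. Applies the page's signals
// with the WHATWG URL parser (browsers, Node.js). TRACKERS and KEYWORDS come
// from the page; SHORTENERS is a constructed sample list.
const TRACKERS = new Set(["utm_source", "utm_medium", "utm_campaign", "gclid",
  "fbclid", "mc_eid", "msclkid", "ref", "affiliate", "session", "token"]);
const KEYWORDS = ["verify", "reset", "secure", "appeal", "invoice"];
const SHORTENERS = new Set(["bit.ly", "t.co", "tinyurl.com"]); // constructed sample

// Registered domain per the page's heuristic: the last two labels.
// Caveat: wrong for multi-label public suffixes such as co.uk.
function registeredDomain(hostname) {
  if (/^[\d.]+$/.test(hostname) || hostname.startsWith("[")) return hostname; // IP literal
  const labels = hostname.split(".");
  return labels.length <= 2 ? hostname : labels.slice(-2).join(".");
}

// Returns the registered domain plus every high-risk signal that fires.
function checkUrl(raw) {
  const u = new URL(raw); // throws on input the parser rejects
  const host = u.hostname; // already lower-cased and IDNA (xn--) encoded
  const signals = [];
  if (!["https:", "http:", "mailto:"].includes(u.protocol)) signals.push("uncommon scheme " + u.protocol);
  if (u.protocol === "http:") signals.push("unencrypted http");
  // Text before "@" lands in username/password; the real host is u.hostname.
  if (u.username || u.password) signals.push("userinfo decoy; real host is " + host);
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) signals.push("IP-literal host");
  if (u.port !== "") signals.push("uncommon port " + u.port); // "" means the scheme default
  if (host.split(".").some(l => l.startsWith("xn--"))) signals.push("IDN label (punycode)");
  if (SHORTENERS.has(host)) signals.push("URL shortener");
  // Action or brand words left of the registered domain, or in path/query.
  const left = host.slice(0, host.length - registeredDomain(host).length);
  const text = (left + u.pathname + u.search).toLowerCase();
  KEYWORDS.filter(k => text.includes(k)).forEach(k => signals.push("keyword " + k));
  const trackers = [...u.searchParams.keys()].filter(k => TRACKERS.has(k));
  if (trackers.length) signals.push("trackers " + trackers.join(","));
  return { registeredDomain: registeredDomain(host), signals };
}

// Removes the tracking parameters listed above and returns the cleaned URL.
function stripTrackers(raw) {
  const u = new URL(raw);
  for (const k of [...u.searchParams.keys()]) if (TRACKERS.has(k)) u.searchParams.delete(k);
  return u.href;
}

// Walk the page's own example links.
for (const raw of ["https://login.paypal.com/security?ref=email",
  "https://paypal-secure-login.support.example.com/",
  "https://secure-login.paypal.com@evil.example.net/",
  "http://185.199.110.153/signin"]) console.log(raw, JSON.stringify(checkUrl(raw)));
```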
What To Do If a Link Looks Suspicious
- Do not enter credentials or MFA codes
- Close the tab and navigate to the site manually
- Use a separate device or VM if you must investigate
- Report the message to your provider or security team
This page is provided for educational purposes only. CyberLifeCoach and its affiliates make no warranties regarding completeness or accuracy. Always verify domains and context through trusted channels before entering credentials, payment details, or MFA codes.