Assessing URL Safety
A URL (Uniform Resource Locator) is the technical term for the address of content on the internet, colloquially known as the website address. Whenever you click on a link on a webpage, you are navigating using a URL.
Scammers will use any technique that increases their odds of taking advantage of you. This includes abusing URLs so that they can redirect you to an unsafe website while the link still looks trustworthy.
This page covers some basic principles that will help you identify URLs that may be used as part of a scam.
Does the URL point to a URL shortener?
URL shortening services allow their users to hide a long or complicated URL behind a shorter, simpler URL. While these have legitimate uses, they can unfortunately also be used to camouflage malicious sites, because the short link reveals nothing about where it leads. The format of such URLs varies by service, but https://bit.ly/3J1GQa2 or https://tinyurl.com/36yn3ecp are fairly typical examples.
Luckily there are services such as Unshorten.It! or GetLinkInfo.com which can be used to see the actual URL that you will be sent to. Bear in mind that a short link may pass through several redirects, and that the owner of the link can usually change its destination later, so the unshortened result is only valid at the moment you check it. Once you have the real destination, inspect it using the steps below rather than trusting it on sight.
Validating a URL using an external service
Services such as Google Safe Browsing or Virustotal can be used to check whether the URL has already been reported as malicious by someone else. Please note that the service terms for Virustotal allow them to share anything you submit with their partner providers, so avoid submitting URLs that contain personal or confidential information.
Even if the above services do not flag the URL as malicious, they are essentially reactive in nature: they can only report a URL once someone has seen it and reported it. This means that a clever scammer has a window during which a freshly registered URL has a clean bill of health before these services start reporting on it. Therefore, it is safest to treat a negative result (i.e. the service considers the URL safe) as a potential false negative unless you have scrutinised the URL yourself.
Inspecting the URL
Depending on how you count, a URL can have as many as 9 distinct parts! For our purposes, we will only be focusing on two of these: the protocol (more precisely called the scheme) and the host. While the steps below seem laborious, with a little practice they become quick and easy to do.
To find the protocol, start at the left of the URL and continue until you hit the first ':'. The vast majority of URLs that you will encounter will use https, but you may encounter some legitimate sites still using http. In most cases the host name starts after the '://' and continues until the end of the URL or until one of the following characters is encountered: ':', '#', '/', '?'. The exception to this rule is where the URL includes user credentials, which you can identify by the presence of an '@' before the first '/', '?' or '#'. In that case everything up to and including the '@' is the credentials (and may itself contain a ':'), and the real host starts immediately after the '@' (see the final example below). Scammers use this form to put a trusted-looking name before the '@' so that a casual reader takes it for the host. If you encounter this form of URL it is best to consider it to be unsafe.
Examples:
- https://foo.test.com/bar/baz (protocol: https, host: foo.test.com)
- https://buzz.test.com#stuff (protocol: https, host: buzz.test.com)
- https://baz.test.com:1234 (protocol: https, host: baz.test.com)
- https://myuser:mypassword@scam.test.com (protocol: https, host: scam.test.com)
The host portion is broken up into parts, each part separated by a '.'. When inspecting it, we look at the parts from right to left. Starting from the right, the first one or two parts are what is colloquially known as the TLD (strictly speaking, the public suffix). Examples of one-part TLDs include com, ly, org and net, whereas two-part TLDs include co.uk, ac.uk and co.za. If you are unsure whether the TLD of a host is one part or two, try searching for the potential two-part TLD, e.g. 'xxx.zzz tld'.
Immediately to the left of the TLD is the URL's domain. This is the key part we look at when deciding if the URL is legitimate within the context of the email in which it was received. So, for example, in smile.amazon.com, the domain is 'amazon'. Be wary of domains that are 'lookalikes', where the scammer has swapped out similar-looking characters, e.g. faceb00k.com (zeros in place of the letter o), or has used accented or non-Latin characters that render almost identically to the expected ones. Also be wary of a host that is a bare IP address rather than a name, since it has no domain to judge at all.
Anything to the left of the domain is known as the subdomain. In the example smile.amazon.com, the subdomain is 'smile'. The owner of a domain can create any subdomain they like, so nothing in the subdomain adds to the credibility of the domain. For example, in the URL amazon.test.co.uk, the domain name is 'test' and the 'amazon' portion should be ignored; the site belongs to whoever registered test.co.uk, not to Amazon.
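The procedure above (find the protocol, find the host while allowing for credentials and ports, then split the host right-to-left into TLD, domain and subdomain, and finally judge the domain) can be written down as code. The following is an added example and not part of the original page; it applies the page's own rules to the page's own example URLs. The two-part-TLD table, the list of expected brands and the table of look-alike characters are constructed, deliberately tiny, and labelled as such; real code should use the full Public Suffix List (for example via the tldextract package).

```python
"""Split a URL the way the manual procedure on this page does, then flag the
warning signs the page describes. Added example; the tables below are
constructed subsets for illustration, not authoritative data."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed subset of the Public Suffix List (the page's "2-part TLDs").
TWO_PART_TLDS = {"co.uk", "ac.uk", "co.za", "com.au"}

# Constructed list of brands that links in this mail are expected to point at.
EXPECTED_BRANDS = {"amazon", "facebook", "paypal"}

# Constructed mapping of characters scammers swap in for look-alike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


@dataclass
class ParsedURL:
    protocol: str
    host: str
    has_credentials: bool
    subdomain: str
    domain: str
    tld: str


def split_host(host: str) -> tuple[str, str, str]:
    """Split a host name right-to-left into (subdomain, domain, tld)."""
    if host.replace(".", "").isdigit():
        # A bare IPv4 address has no TLD/domain/subdomain structure at all.
        return "", host, ""
    labels = host.split(".")
    tld_len = 2 if ".".join(labels[-2:]) in TWO_PART_TLDS else 1
    if len(labels) <= tld_len:
        raise ValueError(f"{host!r} has no registrable domain")
    tld = ".".join(labels[-tld_len:])
    domain = labels[-tld_len - 1]
    subdomain = ".".join(labels[:-tld_len - 1])
    return subdomain, domain, tld


def split_url(url: str) -> ParsedURL:
    """Protocol runs up to the first ':'; the host is found after '://'."""
    scheme_end = url.find(":")
    if scheme_end == -1 or url[scheme_end:scheme_end + 3] != "://":
        raise ValueError("not a protocol://... URL")
    protocol = url[:scheme_end].lower()
    rest = url[scheme_end + 3:]
    # The authority (credentials, host, port) ends at the first '/', '?' or '#'.
    end = min((i for i in (rest.find(c) for c in "/?#") if i != -1), default=len(rest))
    authority = rest[:end]
    # Credentials precede the last '@'; the real host starts after it. This is
    # why the page's "stop at ':'" rule must be applied only after the '@'.
    has_credentials = "@" in authority
    if has_credentials:
        authority = authority.rsplit("@", 1)[1]
    host = authority.split(":", 1)[0].lower()  # drop any ':port'
    subdomain, domain, tld = split_host(host)
    return ParsedURL(protocol, host, has_credentials, subdomain, domain, tld)


def assess(url: str) -> list[str]:
    """Return the warnings the page's checks would raise for this URL."""
    p = split_url(url)
    warnings: list[str] = []
    if p.has_credentials:
        warnings.append("credentials ('@') in URL: treat as unsafe")
    if p.protocol != "https":
        warnings.append(f"protocol is {p.protocol}, not https")
    if p.tld == "":
        warnings.append(f"host {p.host!r} is a bare IP address, not a domain name")
    if any(label.startswith("xn--") for label in p.host.split(".")):
        warnings.append("internationalised (xn--) label: check for look-alike characters")
    normalised = p.domain.translate(CONFUSABLES)
    if p.domain not in EXPECTED_BRANDS and normalised in EXPECTED_BRANDS:
        warnings.append(f"look-alike domain {p.domain!r} resembles {normalised!r}")
    # A brand name in the subdomain lends no credibility to the real domain.
    for brand in sorted(EXPECTED_BRANDS):
        if brand in p.subdomain.split(".") and p.domain != brand:
            warnings.append(f"{brand!r} appears only in the subdomain; the domain is {p.domain!r}")
    return warnings


if __name__ == "__main__":
    for u in ("https://smile.amazon.com/", "https://amazon.test.co.uk",
              "https://faceb00k.com/login", "https://myuser:mypassword@scam.test.com"):
        print(u, "->", assess(u) or ["no warnings"])
```

The one-part/two-part TLD decision is exactly where the manual procedure is most error-prone, and where the constructed TWO_PART_TLDS table would give wrong answers for any suffix it does not list; swapping in the real Public Suffix List is the first change to make before using this on live mail.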