Lookalike Domains and Typosquatting
One of the most common tactics attackers use to steal credentials is registering domains that closely resemble legitimate ones. This technique is called typosquatting — exploiting the small errors people make when typing URLs, or creating domains that look correct at a glance but contain subtle substitutions.
Common examples include paypa1.com (a "1" in place of an "l"), arnazon.com (swapping letters in Amazon), and g00gle.com (zeros replacing the letter "o"). Attackers also register domains with added words — like paypal-secure-login.com — or use different top-level domains, such as paypal.net instead of paypal.com. Domain registration is cheap and fast, meaning a convincing lookalike can be live within minutes.
The HTTPS Padlock Misconception
Many people believe that a padlock icon in the browser address bar means a website is safe. This is one of the most dangerous misconceptions in everyday cybersecurity. HTTPS means the connection between your browser and the server is encrypted — it says nothing at all about whether the site itself is legitimate or trustworthy.
Attackers freely obtain SSL/TLS certificates for their fake domains: certificate authorities such as Let's Encrypt issue them automatically and at no cost to whoever controls a domain. A convincing phishing site will have a padlock. Do not rely on it as a trust signal.
Visual Cloning
Modern phishing sites are not crude approximations. Attackers can replicate the visual design of a target website pixel-perfectly — copying logos, fonts, colour schemes, form layouts, and even dynamic elements. A cloned bank login page can be indistinguishable from the real one to the untrained eye. The only reliable signal is the URL in the address bar.
If you're ever unsure whether a site is real, don't enter credentials. Close the tab, navigate directly to the official website by typing the URL manually into the address bar, and log in there.
How to Inspect a URL Properly
The domain name is the authoritative part of a URL, and it is the part attackers manipulate. To read a URL correctly, first isolate the host: the text after "://" and before the first single forward slash. The actual domain is the end of that host, that is, the label immediately before the last dot together with the top-level domain after it; anything further to the left is a subdomain, which the owner of the domain can set to any text they like. For example, in login.paypal.com the domain is paypal.com. In paypal.com.phishing-site.net the domain is phishing-site.net; "paypal.com" there is just a subdomain chosen by the attacker.
- Check the actual domain name in the address bar — not just the page title or logo displayed on the page
- Look for subtle character substitutions — "rn" can look like "m" in some fonts; "1" like "l"; "0" like "o"
- Be suspicious of domains with extra words or hyphens around a brand name (e.g., secure-paypal-login.com)
- Check the top-level domain — if you expect .com, question .net, .org, .info, or country codes
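The URL-reading rule above and the lookalike patterns from the opening section, combined into one checker. This is an added example, not code from the original page: it extracts the registrable domain with Python's urllib, then tests that domain against a constructed brand allowlist (BRANDS) for the confusable substitutions listed above, a brand name padded with extra words or hyphens, a brand on an unexpected TLD, or a one-keystroke typo, and separately flags a brand name used as a subdomain of an unrelated domain. The MULTI_LABEL_SUFFIXES set and the "vv"/"w" pair are assumptions; a production tool would load the full Public Suffix List and a larger confusables table.

```python
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes (an assumption for this
# example); a real tool would load the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Character sequences that look alike in many fonts. The first three pairs are
# the ones named in the text; "vv" -> "w" is an extra assumption.
CONFUSABLES = [("rn", "m"), ("1", "l"), ("0", "o"), ("vv", "w")]

# Constructed allowlist: brand label -> the domain the reader expects to see.
BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com", "google": "google.com"}


def hostname(url: str) -> str:
    """Lower-cased host of a URL; scheme, userinfo, port and path are stripped."""
    if "://" not in url:
        url = "http://" + url          # allow bare hosts such as "paypal.net"
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """The registrable domain (eTLD+1): the label before the public suffix plus the suffix."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize_confusables(label: str) -> str:
    """Replace lookalike character sequences with the letters they imitate."""
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-keystroke typos of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_url(url: str, brands: dict = BRANDS) -> dict:
    """Classify a URL as legitimate, suspicious (with a reason) or unknown."""
    host = hostname(url)
    domain = registrable_domain(host)
    result = {"verdict": "unknown", "domain": domain, "reason": None}

    if domain in brands.values():
        result["verdict"] = "legitimate"
        return result

    # A brand name placed in the subdomain of an unrelated domain
    # (the paypal.com.phishing-site.net pattern).
    subdomain = host[: -len(domain) - 1] if host != domain else ""
    for brand, official in brands.items():
        if brand in subdomain:
            result.update(verdict="suspicious",
                          reason=f"'{brand}' is a subdomain of {domain}, not {official}")
            return result

    sld = domain.split(".")[0]           # the label an attacker has to imitate
    for brand, official in brands.items():
        if sld == brand:
            reason = f"brand on an unexpected TLD (expected {official})"
        elif normalize_confusables(sld) == brand:
            reason = f"confusable characters imitate {official}"
        elif brand in sld:
            reason = f"brand name padded with extra words or hyphens (expected {official})"
        elif edit_distance(sld, brand) <= 1:
            reason = f"one keystroke away from {official}"
        else:
            continue
        result.update(verdict="suspicious", reason=reason)
        return result
    return result


if __name__ == "__main__":
    for u in ["https://login.paypal.com/signin", "https://paypa1.com/", "arnazon.com",
              "http://g00gle.com", "https://paypal-secure-login.com/", "https://paypal.net",
              "https://paypal.com.phishing-site.net/login", "https://example.org/"]:
        print(u, "->", inspect_url(u))
```

A verdict of "unknown" only means the domain does not resemble a listed brand; it is not a statement that the site is safe. The subdomain check runs before the lookalike checks because the registrable domain of paypal.com.phishing-site.net is an ordinary, unremarkable name and would otherwise pass straight through.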
Additional Verification Methods
When in doubt, several tools and habits help verify whether a site is legitimate before you interact with it.
- WHOIS / domain age — newly registered domains (days or weeks old) are a major red flag. Use whois.domaintools.com to check
- VirusTotal — paste a suspicious URL at virustotal.com to check it against dozens of security engines
- Google Safe Browsing — Chrome and Firefox check URLs against this database automatically and warn you before loading flagged pages
- Browser warnings — never click through certificate errors or "Not Secure" warnings to proceed; these exist for a reason
- QR code caution (Quishing) — QR codes in the physical world can point to fake sites; use a QR scanner that previews the URL before opening it
- Use bookmarks — for your bank, email provider, and other sensitive services, save the official URL as a bookmark and always navigate via that bookmark rather than clicking links in emails
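An added example (not from the original page) of the WHOIS domain-age check in the first item above: it parses the creation date out of a WHOIS response and flags domains registered less than a threshold number of days ago. SAMPLE_WHOIS is a constructed record, CREATION_FIELDS is an assumed set of the field labels registries commonly use, and REFERENCE_NOW is a fixed clock so the result is reproducible; fetching the real record (from whois.domaintools.com or the whois command) is left outside these functions.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS record in the shape registrars commonly return; not real data.
SAMPLE_WHOIS = """\
Domain Name: PAYPAL-SECURE-LOGIN.COM
Registry Domain ID: ID-PLACEHOLDER
Registrar: Example Registrar, Inc.
Creation Date: 2024-05-27T09:14:02Z
Updated Date: 2024-05-27T09:14:02Z
Registry Expiry Date: 2025-05-27T09:14:02Z
"""

# Labels different registries use for the registration date (assumed to cover the common cases).
CREATION_FIELDS = ("Creation Date", "Created On", "Registered on", "Registration Date", "created")

# Timestamp layouts seen in WHOIS output, tried in order.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%d", "%d-%b-%Y")

# Fixed clock so the example is reproducible; use datetime.now(timezone.utc) in real use.
REFERENCE_NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)


def parse_timestamp(raw: str):
    """Parse one WHOIS timestamp into an aware UTC datetime, or None if the layout is unknown."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_creation_date(whois_text: str):
    """Find the creation-date field in a WHOIS response and return it as a datetime."""
    labels = "|".join(re.escape(f) for f in CREATION_FIELDS)
    match = re.search(rf"^\s*(?:{labels})\s*:\s*(\S+)", whois_text,
                      re.IGNORECASE | re.MULTILINE)
    return parse_timestamp(match.group(1)) if match else None


def domain_age_days(whois_text: str, now: datetime = REFERENCE_NOW):
    """Whole days since registration, or None when the record has no usable creation date."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    return (now - created).days


def is_newly_registered(whois_text: str, now: datetime = REFERENCE_NOW,
                        threshold_days: int = 30) -> bool:
    """True when the domain is younger than threshold_days (the red flag in the text).
    A record with no readable creation date is treated as a red flag as well (fail closed)."""
    age = domain_age_days(whois_text, now)
    return age is None or age < threshold_days


if __name__ == "__main__":
    print("age in days:", domain_age_days(SAMPLE_WHOIS))
    print("newly registered:", is_newly_registered(SAMPLE_WHOIS))
```

The threshold of 30 days is a design choice that matches the "days or weeks old" wording above; the point is that a lookalike of a brand that has existed for decades should not itself be a few days old. Treating a missing date as suspicious is deliberate: a record you cannot read gives you no reassurance.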