URLs are one of the building blocks of the internet as we know it. They’re how websites build their pages and how your browser takes you to see them. But scammers and cybercriminals can also use them for trickery and fraud. If you don’t know what to look for, you might be taken in by their schemes and lose money or personal information to criminals. Understanding a URL isn’t as hard as it sounds, and this simple bit of computer literacy can help keep you safe online.

URL stands for “Universal Resource Locator,” and a URL’s job is to direct your browser to a specific webpage. If you look at the address bar at the top of your browser, you can see the URL of the page you’re on right now. It consists of several different parts, such as protocols, domains, and paths, that we’ll talk about later. (For more technical details about URLs, you can read this article.)

You can think of a URL as a bit like a mailing address for each webpage. If you put an address on an envelope and put it in the mail, the post office will deliver it to the house corresponding to that address. And if you put a webpage address (URL) into your browser, your browser will take you to the specific page. Just like you can’t get your envelope to 1234 Main Street if you address it to 1204 Main Street, tiny changes in a URL can take you to a completely different website.

Understanding how a URL works can help you navigate websites. But it can also help keep you safe. Scammers love to do tricky things with URLs to create fake websites or trick you into thinking you’re on a trustworthy site when you’re really on a fraudulent one. If you know how to read a URL, it’s easier to spot these tricks.

Some people use the terms “URL” and “link” interchangeably. They are very similar, but not quite the same. In most cases, which word you use doesn’t make a difference. But it sometimes makes sense to clarify how they’re different. And part of understanding URLs is understanding how they’re different from links.
As previously mentioned, a URL is a little bit like an address. An address tells the mail service where to take your envelope, and a URL tells your browser how to get to a specific thing on the internet. A link is a specific functionality that lets you easily move from one thing online to another, usually by clicking or tapping.

https://whatismyipaddress.com/learning is a URL. It’s an address to a specific webpage on the internet, and if you copied it and pasted it into your browser or typed it in, your browser would take you to that page. But it’s not a link, because you have to type it in. https://whatismyipaddress.com/learning is a link though, because if you click or tap on it, it will take you directly to that page. This text here is also a link, because it will also take you to a page if you click or tap it. Links don’t have to show you the correct URL, or even a URL at all. And they can go to places that aren’t URLs, like email addresses.

In short, if a URL is an address, then a link is the teleportation machine that takes you directly to that address.

The first step in understanding a URL is being able to look at it. And there are two different ways to do it, depending on whether or not you’re already on the page and what device you’re on.

If you’re already on the webpage in question, you can see the URL in the address bar at the top of your browser. Some mobile browsers hide the address bar, so you may have to gently swipe down to see it if you’re on a smartphone. And some browsers may hide parts of it. Google Chrome often hides the protocol, and Safari often hides everything but the domain. You may have to click or tap on the address bar to see the full thing.

If you’re not already on the webpage but have it as a link, you can preview it. On a laptop or desktop, hover the cursor over the link without clicking. A small box showing the full URL will appear in the bottom left corner of your screen.
On a phone, you can press and hold on the link to open a menu that shows the full URL. Unfortunately, this isn’t always helpful. Sometimes, either to disguise malicious links or to make a very long URL easier to manage, people will use link shortening services. That will make the link preview something like “https://bit.ly/abc123” or “https://tinyurl.com/website”, but not tell you anything about the real URL. And some email systems, like Outlook, replace all URLs in email links with something else entirely. This makes understanding the URL a lot more challenging.

URLs consist of multiple parts that come together to point to a single webpage out of the billions of pages on the internet. Knowing what the different parts are, what they mean, and which ones matter can help you understand a URL you’re looking at. These parts are generally separated by dots or slashes – with the exception of fragments and query strings, which we’ll talk about in a minute. When you’re reading a URL and come across a dot or a slash, you’ve come to a new part of the URL.

All URLs have some of these elements. Without a protocol and a domain, your browser doesn’t know what to do. But subdomains, paths, extensions, query strings, and fragments are all optional. Many URLs don’t contain these, and are perfectly functional and useful without them. But it’s helpful to understand what they are and how they work so you can better read URLs – and spot the tricks that scammers and cybercriminals like to pull with them.

Also called a “scheme,” the protocol is the very first part of the URL. For webpages, it’s either going to be http:// or https://. “HTTP” stands for Hypertext Transfer Protocol, and “HTTPS” stands for Hypertext Transfer Protocol Secure. There are other protocols out there, but if you’re visiting a website, it’s going to be one of these two. HTTPS adds encryption to the connection to make it more secure. Read more about the different types of protocols and what they do in this article.
Some URLs have “www.” after the protocol. This stands for World Wide Web. Many modern websites don’t include the www. in their URLs because they think it looks outdated. But URLs with and without the www. are both valid URLs. A website that’s been set up properly should work whether or not it has the www. in it. When you’re trying to understand a URL, you can safely ignore this part as it doesn’t make a difference.

The domain is a unique combination of a domain name and a top-level domain, or TLD. A domain name (also called a second-level domain) can be almost any combination of letters (including non-English characters), numbers, and hyphens from one to 255 characters long. A TLD is the bit with a dot and two to four characters after the domain name. You’re probably familiar with ones like .com, .org, and .net. These are the most common TLDs. There are also less common ones, like .io, .ai, .info, .co, .biz, .love, and more. Some TLDs are for restricted use only. The TLD .gov, for example, can only be used for official government domains, .edu can only be used for educational institutions, and .mil for military organizations. Each country also has its own two-character country code that can go on the end of the regular TLD. So .co.uk is a TLD from the United Kingdom, and .com.au is one from Australia.

The important thing to remember about domains is that the combination of domain name and TLD must be unique. There can only be one amazon.com. If you were a scammer trying to pretend to be Amazon, you couldn’t create a fake website at amazon.com. But you might be able to create one at amazon.io (same domain name, different TLD) or amazon52.com (slightly different domain name, same TLD).

Subdomains separate parts of a large website into different areas. A subdomain can be any combination of letters, numbers, and hyphens. It goes in front of the domain name in a URL, with a dot between the subdomain and the domain to indicate that they are separate.
Many website systems treat subdomains as completely separate sites, even though they technically are part of the same site. They may look a lot like the main site, or they may look and function completely differently. There are a lot fewer restrictions on setting up a subdomain than there are on a domain. Subdomains don’t have to be unique on the internet. https://information.redsite.com, information.bluesite.com, and information.bluesite.net are all valid URLs – even though the subdomain is the same, the domains are different, so it won’t be a problem.

Paths, pages, and subdirectories are different names for the same thing, at least when it comes to understanding URLs. This comes after the TLD in a URL (separated from the TLD by a slash) and represents the navigation of a website. Not all URLs include pages. The main page or homepage of a website, for example, often doesn’t have a path in its URL. Paths are unique because a URL can contain multiple levels of paths, each separated by a slash. If the URL of the page you’re on is shoppingsite.com/profile/past-orders, you’re currently on a page called “past-orders” that is a sub-page of “profile.” If you’re looking at a particular file on a website, the file name (and extension – more on that in the next section) will be the last part of the path. Understanding how paths work in URLs can help you figure out where you are in a website.

Extensions tell you what type of file you’re looking at. They look similar to a TLD, in that they have a dot and two to four characters after it. But they come after the TLD and at the end of any paths. Most URLs don’t include extensions. If there is no extension, or the extension is .html or .php, you’re looking at a regular webpage. This is most common. If you’re not looking at a regular webpage, the extension can tell you what kind of file you’re looking at. Extensions like .jpg, .png, .webp, and .gif indicate you’re looking at an image file.
Common audio or video file extensions are .mov, .avi, .mp3, and .mp4. The .exe and .pkg extensions indicate executable files, which usually means the file will install some kind of program on your device. Zipped files, usually ending in .zip, are folders with other types of files in them that are compressed together to save space. Browsers can find these kinds of files, but they can’t display them. If you end up on a URL ending in one of these extensions, your browser will either ask you if you want to download it or start downloading it automatically, depending on your settings.

Most URLs don’t have fragments, but some do. Fragments come at the very end of a URL, past any paths or extensions. They start with a pound sign (#) and have a little bit of text after. Their purpose is to have the URL go to a specific part of a webpage instead of the top like normal. So if your URL is wikipedia.org/wiki/URL#syntax, it’s going to take you directly to the “Syntax” section of the page, not to the beginning of the page. You can remove a fragment from a URL without causing problems. If you remove a fragment, the URL will just go to the very top of the webpage.

Most URLs don’t include query strings. Query strings can be used for different purposes, and most of them are entirely irrelevant to you as an ordinary internet user. But understanding how they function in a URL will help you spot if they can be a problem. A query string is at the end of a URL, past any paths or extensions, and starts with a question mark. Query strings are used for a few different purposes. For some websites, they automatically fill in parts of a form or other information. Marketers also use them for tracking – for example, they might post the same URL as a link to Facebook and LinkedIn, but add “?utm_source=facebook” on Facebook and “?utm_source=linkedin” on LinkedIn.
The links will both go to the same place, but the marketers will be able to tell how many of the visits were from Facebook and how many from LinkedIn. Query strings only work with a specific set of commands. If whatever is in the query string isn’t one of those commands, your browser will ignore them. So sometimes people use query strings to add additional text to a URL without changing where the URL leads to. Because query strings are entirely irrelevant to your browsing experience, you can safely delete them as long as you don’t delete anything before the question mark. There are even browser extensions that will remove a query string from a URL if you click on a link that has one.

One of the biggest benefits of understanding how to read a URL is that you can use that knowledge to spot when criminals are trying to trick you. Scammers and fraudsters use all kinds of tricks with URLs. Some of them are very effective in making people think a website is legitimate when it’s not. If you know what to look for, you can spot when something is off.

As we said before, domains have to be unique. But a domain is a combination of the domain name and the TLD. There can only be one facebook.com on the internet. But facebook.io, facebook.biz, and facebook.info are still unique. They may have the same domain name, but since the TLD is different, it’s technically unique. Some people see the correct domain name and assume they’re on the right site. But if the TLD is different from what you expect – or one you’re not familiar with – it might be fake. Also be cautious if the website should be on a restricted domain, but it’s not. Real government agencies can use the .gov TLD. If you’re trying to visit the IRS website but you’re on irs.net, that’s most likely fraudulent.

Subdomains and paths don’t have to be unique on the internet, and fragments and query strings can include just about anything you want.
So scammers sometimes put the legitimate company or domain somewhere else in the URL in hopes that you’ll see it and not realize it’s in the wrong place. For people who don’t have an understanding of how to read a URL, it often works! If a scammer wants you to think you’re on amazon.com, they could put “amazon” or “amazon.com” in the URL somewhere else. It could look like amazon.fakesite.com (subdomain), abc123.io/amazon (page/path), aowuht4508ua.ai#amazon.com (fragment), or definitelyreal.net?amazon.com (query string). All of these do have “amazon” or “amazon.com” in the URL, but since that’s not the domain, they’re actually taking you somewhere else. Just because the right words are in the URL somewhere doesn’t mean it’s legit. They also have to be in the right place.

One of scammers’ favorite URL tricks is to just make it look like a real URL with lookalike characters. This includes using a capital I instead of a lowercase L (or vice versa) or using a zero instead of an O. One that’s unfortunately common and quite tricky to spot is using Cyrillic letters instead of Latin letters. Some Cyrillic letters look almost identical to Latin ones, but computers read them differently, so a domain may look identical to human eyes while being unique according to computers. Look very carefully at URLs to spot these lookalikes before you visit the page. Typing it in instead of clicking or copy-and-pasting can help avoid this. One trick to spot common lookalikes and Cyrillic letters is to copy the URL and paste it into Notepad (if you’re on a Windows computer) or somewhere you can change the font. Changing the font or putting it in Notepad will help you spot any unusual characters.

Be extremely suspicious if the extension on a URL is different than you expected. If you’re anticipating a webpage, it should have no extension, .html, or .php. Anything else is probably suspicious. The exception, of course, is if you’re expecting a media file.
If the URL is supposed to go to an image, for example, .jpeg or .webp are normal and expected extensions. Know what kind of file you’re trying to open and be alert for extensions that are unusual. Especially be suspicious if the extension is .exe, .pkg, or .zip. These are almost always program files, so unless you’re actually trying to download and install a piece of software, a URL ending in one of these is probably going to install malware. These programs are often self-running, so once they download, they’ll install themselves. If you are trying to download a program or software, make very sure you’re on the legitimate download site before you do!

How’s your understanding of how to read a URL? Test it now.

Which of these leads to a legitimate Microsoft Support webpage?

The answer is: B

B is the only answer with the domain “microsoft.com” (Microsoft’s real domain).
a. TLD trickery: The domain name is microsoft, but the TLD is .io, not .com
c. Right word, wrong place: “Microsoft” is in this URL as a subdomain
d. Right word, wrong place: “Microsoft” is in this URL as a fragment

What is the domain of this URL?

https://www.ln52.warranty.shoestore.net/sub/profile/profile82.php?leaf27.com&source=facebook.com

The answer is: D

This one is tricky because it has multiple subdomains! The TLD is .net, so the text directly to the left of .net is the domain name, making shoestore.net the domain.
a. facebook.com is part of the query string, because it came after the question mark
b. leaf27.com is also in the query string, because it came after the question mark
c. ln52 and warranty are both subdomains in this URL

In this URL, the number 487 is in the …?

https://website36.webpagehelper.co.uk/pages/new487/infopage.php?utm_source=google&utm_campaign=info21campaign

The answer is: C

a. The domain is webpagehelper.co.uk
b. The subdomain is website36
c. The query string is everything after the question mark, and 487 is before the question mark

Is this URL trustworthy or suspicious?
https://fbi.gov/report

The answer is: Trustworthy! Restricted TLDs like .gov can’t be used by anyone not affiliated with the government. Since the TLD on this URL is .gov, it’s a genuine government website.

Is this URL trustworthy or suspicious?

https://weIIsfargo.com/

The answer is: Suspicious! The L’s in this URL are actually capital I’s. This is a tricky one, but lookalike characters are very common in scams.
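
The same reading can be done mechanically. The Python sketch below is an added example, not part of the original article: it splits a URL into the parts described above and reports the tricks covered here when the domain is not the one you expected. The function names, the two-entry list of two-part TLDs, and the idea of passing in the expected domain are assumptions made for illustration.

```python
import posixpath
import unicodedata
from urllib.parse import urlsplit

# Constructed, partial sample of two-part TLDs; real tooling should consult
# the full Public Suffix List instead.
TWO_PART_TLDS = {"co.uk", "com.au"}
RISKY_EXTENSIONS = {".exe", ".pkg", ".zip"}  # the ones the article singles out


def registrable_domain(host):
    """Domain name plus TLD, e.g. 'shoestore.net' for 'ln52.shoestore.net'."""
    labels = host.rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_PART_TLDS else 2
    return ".".join(labels[-keep:])


def inspect_url(url, expected_domain):
    """Split a URL into the article's parts and list reasons to distrust it."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lowercases it, exposing I-for-l swaps
    domain = registrable_domain(host)
    subdomain = host[: len(host) - len(domain)].rstrip(".")
    brand = expected_domain.split(".")[0]
    findings = []
    if domain != expected_domain:
        findings.append(f"domain is {domain}, not {expected_domain}")
        if domain.split(".")[0] == brand:
            findings.append("TLD trickery")
        places = {"subdomain": subdomain, "path": parts.path,
                  "query string": parts.query, "fragment": parts.fragment}
        for place, text in places.items():
            if brand in text.lower():
                findings.append(f"right word, wrong place ({place})")
    for ch in host:
        if ord(ch) > 127:  # e.g. a Cyrillic letter standing in for a Latin one
            findings.append(
                f"non-ASCII character in domain: {unicodedata.name(ch, '?')}")
    extension = posixpath.splitext(parts.path)[1].lower()
    if extension in RISKY_EXTENSIONS:
        findings.append(f"downloads a {extension} file")
    return {"protocol": parts.scheme, "subdomain": subdomain, "domain": domain,
            "path": parts.path, "query": parts.query,
            "fragment": parts.fragment, "findings": findings}


if __name__ == "__main__":
    # URLs taken from the article's own examples and quiz.
    for url, expected in [("https://amazon.fakesite.com", "amazon.com"),
                          ("https://definitelyreal.net?amazon.com", "amazon.com"),
                          ("https://weIIsfargo.com/", "wellsfargo.com"),
                          ("https://fbi.gov/report", "fbi.gov")]:
        print(url, "->", inspect_url(url, expected)["findings"])
```

An empty findings list only means the URL matched the domain you supplied and tripped none of these checks; it says nothing about a domain you did not already trust.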