The real domain is before the first slash

The real domain is before the first slash

Read why this is the most important tip to detect phishing links virtually beyond a reasonable doubt. […]

“Phishing” is a kind of portmanteau of “password” and “fishing”. This is how criminals use methods to steal data from their victims, usually usernames and passwords to e-banking and other online accounts, often including credit card numbers and other personal information.

The criminals usually send e-mails with a catchy design, e.g. in the design of a certain bank, to tens of thousands of indiscriminately collected e-mail addresses. A small proportion of those addressed are guaranteed to have an account with that financial institution. The content of these mails usually revolves around the fact that something is allegedly wrong with the e-banking or other account, which is why users should log in to the e-banking or other account immediately to fix the problem. The criminals combine the alleged “importance” of the concern with time pressure, so that the victims could not think too long or research and the fraud could come to the creeps.

In the recently described case of phishing against Raiffeisen Bank customers, it was not mails, but Google ads, which led to equally fake links.

That’s good to know: First, banks don’t actually send you emails. Second, for banking and other accounts (e.g. PayPal, Google, Microsoft, Dropbox, etc.), you may want to enable two-factor authentication.

What if mails still snow in that look real and plausible? In order to distinguish a real link from a fake one, you would actually need to know more precisely how a link or URL is usually structured. Basically like this: After the protocol (https://) often follows a subdomain or a hostname (e.g. “www”), followed by a dot, the domain name (e.g. “pctipp”) and the top-level domain (e.g. “.ch”). This is followed by a slash (/), after which subfolder (e.g. /support/downloads/), direct document or page names (e.g. driver list.html) and other parameters.

When it comes to finding out if the link actually leads to the specified company, most of it doesn’t need you to worry at all! It’s much easier.

With the domain everything stands and falls

The whole thing can be reduced to two rules that allow you to reliably debunk an estimated 95% of phishing links.

Short version for urgent

  • Rule 1: The actual domain in a link is always right before the first slash.
  • Rule 2: If the actual domain does not belong to your bank, then the link does not lead to your bank.

From this follows this quick guide

In the URL after the https:// from left to right, look for the first slash (/), see A in the following screenshot.

From there, drive back to the left until you reach either the second point meeting or ending up at the protocol (https://), see B. Everything between A and B is the domain name of this link, see C. If this is not the expected domain of that bank or other company, the link does not lead to it.

If the domain determined in the above way is a different one and the expected domain name of the bank or similar only occurs elsewhere in the URL, then it is phishing.

Useful tips: By the way, there is practically never a reason to click on a banking link in an email. A bank will notify you of problems with your account primarily by letter mail or after logging into e-banking. It is best to put the link to your e-banking in the favorites. Or even better: Type the official address including top-level domain (e.g. raiffeisen.choirs instead of just raiffeisen) into the address line. This will open the web page instead of just “googling” for the name of the bank. Once on the bank’s homepage, you will always find a link to e-banking. If you have clicked on the link, continue to pay attention to the lock icon in the browser and check who the certificate is approved for.

On the following page a few examples of the tricks of criminals.

Tricks of the phishers

Of course, the scammers try all sorts of tricks. You put the expected name of the alleged bank domain somewhere else in the link. Sometimes garnished with terms like “admin” or “security”. The following examples are just made up by the author for illustrative purposes; however, they are inspired by actually seen phishing links.

Like this. Which domain does the link lead to?

Or something. Which is the domain?

Or something. Even the “.ch” with dot separated. But is the actual domain in this link?

So also the da:

Even more tricks of the phishers

Wrong link behind correct hiding

In mails, on web pages, and even in Word documents, you can use a snippet of text like “ ” mark and give him a link like “ ” miss. If you just read the text and click immediately, you may not see that the link leads anywhere else. For example, if you hover over a link in your mail program without clicking on it, the actual linked address will appear either in the status bar or in a small pop-up, depending on the mail program.

The IP Address Trick

Some phishers confuse their victims with links that do not point to a text domain, but to an IP address. This could look like this (and yes, the author knows that it actually only goes to 255):

If you encounter something like this, it is suspicious anyway and hopefully rattled through you as an attempt at fraud. The procedure is basically the same. Find the first slash and look at what should actually be the domain name. If it’s an IP address, it’s not your bank’s.

The Hex IP Trick

IP addresses can also be written as hex codes, for example like this, here with the IP address of our reputable com colleagues; the link is constructed by the author and of course only leads to a 404 error:


But again, this is a trick that has already been seen in phishing emails.

Ready to see us in action:

More To Explore
Enable registration in settings - general
Have any project in mind?

Contact us: