How to spot a phishing domain: signs and detection methods
Phishing domains mimic real URLs to deceive users. Learn to read a suspicious URL, spot homoglyphs and misleading subdomains, and protect your brand.
A phishing domain imitates the visual appearance of a legitimate URL to deceive users into thinking they are on a trusted site. The signs to look for: slight modifications in the URL (a transposed letter, a different TLD, a misleading subdomain structure), the presence of HTTPS which proves nothing about legitimacy, and the appearance of reassuring words like "secure" or "official" in the domain itself. This article walks through how attackers build these domains, how to read a suspicious URL, and what brands can do when someone is impersonating them.
How attackers build a phishing domain
Four main techniques are used to create domains that deceive at a glance.
Typosquatting for phishing
Unlike commercial typosquatting (which aims to capture traffic), phishing typosquatting is designed to make users believe the URL is legitimate after they arrive via a link in an email or message. Common patterns: microsofft.com (doubled letter), arnazon.com (letter substitution), payapl.com (transposed letters).
The targets are predictable: banks, cloud platforms, payment processors, and social networks. According to the Anti-Phishing Working Group (APWG), financial institutions and payment services consistently rank among the most impersonated categories. Microsoft, Apple, PayPal, and Google appear in the top ten most imitated brands in APWG reports year after year.
Homoglyphs and IDN attacks
Internationalized domain names (IDNs) allow non-ASCII characters, which opens the door to visual impersonation using characters from other alphabets. The Cyrillic "а" (U+0430) is visually identical to the Latin "a" in virtually all fonts. The Cyrillic "р" is identical to the Latin "p". This means "раypal.com" (both р and а are Cyrillic) can be registered and displayed as "paypal.com" to a casual observer.
Most modern browsers now show the Punycode representation (xn--...) when a domain mixes scripts. But single-script substitutions, where the attacker uses a Cyrillic character that happens to match the Latin original, can still pass visual inspection. If a URL looks exactly right but something feels off, paste the domain into a Punycode converter to check.
Misleading subdomains
This technique is among the most effective because it exploits how people read URLs from left to right and stop at the first trusted word. The structure:
https://paypal.com.login-secure.xyz/account/verify
|___________|________________|_____|
Misleading Real domain TLD
subdomain (attacker)
The real domain here is login-secure.xyz. PayPal.com is just a subdomain. The rule to internalize: in any URL, what matters is the domain and TLD immediately before the first single slash. Everything before that last dot-separated segment before the slash is subdomain, not domain ownership.
Combinations of trust words
Adding words that signal safety or authority to the domain name itself: microsoft-account-verify.com, apple-id-secure.com, paypal-security-center.com. These words are warning signs, not reassurance. A legitimate service does not need to tell you it is "secure" or "official" in its domain name. The presence of "verify", "login", "account", "secure", "official", "support", or "help" in a domain you did not type yourself should raise immediate suspicion.
How to read a suspicious URL
A structured approach to URL analysis removes guesswork:
https://secure.login.paypal.com.attackerdomain.xyz/account/verify
[1] [2 ][3 ][4 ][5 ][6][7 ]
1. Protocol (https: proves encryption, not legitimacy)
2-4. Subdomains (can say anything; controlled by the domain owner)
5. Domain (who owns it. THIS is what matters)
6. TLD
7. Path (can say anything)
Three-step URL verification:
- Ignore everything before the last dot-separated segment before the first
/. - Identify the actual domain (the word between that last dot and the
/). - Compare it with the legitimate domain you expect.
For paypal.com.attackerdomain.xyz/account/verify, step 1 removes paypal.com., step 2 finds attackerdomain, step 3 shows it does not match paypal.
TLDs with elevated phishing risk
Some TLDs appear disproportionately in phishing campaigns. This does not mean every site on these TLDs is malicious, but a higher baseline of suspicion is warranted:
| TLD | Notes |
|---|---|
| .xyz | Low cost, high volume phishing use |
| .top | Frequently appears in brand impersonation |
| .tk | Free (Tokelau); disproportionate phishing use |
| .ml, .ga, .cf | Free ccTLDs frequently abused |
| .click | Used in click-fraud and phishing campaigns |
That said, .com remains the TLD appearing in the most phishing URLs in absolute terms, simply because it dominates overall domain registration. The ratio of phishing to legitimate sites is worse on the free and near-free TLDs, but .com phishing exists at very high volumes.
HTTPS does not mean safe
This needs to be said clearly: a padlock in the browser means the connection is encrypted, not that the site is trustworthy. TLS certificates are issued freely by Let's Encrypt with no identity verification. Any attacker can get an HTTPS certificate for their phishing domain in under a minute. According to PhishLabs, over 80% of phishing sites now use HTTPS. The padlock is a security indicator for the connection, not for the destination.
Tools to check a suspicious domain
When you encounter a domain you are unsure about:
- Google Safe Browsing Lookup (transparencyreport.google.com/safe-browsing/search): check if a URL is already flagged as phishing or malware.
- VirusTotal (virustotal.com): submit a URL for analysis across dozens of security engines simultaneously.
- URLScan.io: scan a URL and see a screenshot of the page without visiting it directly. Also shows DNS records and network requests.
- Punycode Converter: convert a domain to its ASCII representation to detect hidden homoglyphs.
- Domain Sentinel RDAP lookup: check when a domain was registered, who the registrar is, and whether it was just created. A domain registered this week that looks like a major brand is almost certainly suspicious.
Brand perspective: protecting your users from phishing in your name
The preceding sections focus on how to identify phishing. This section addresses what to do when you are the brand being imitated.
When a domain imitating your brand is used for phishing, your customers are the victims. You have both an ethical obligation and a practical business interest in acting quickly. The faster you identify and report a phishing domain, the fewer victims it claims.
Four actions to take when you discover a phishing domain:
-
Check the RDAP record for the abuse contact of the registrar. Every domain's RDAP data includes an entity with the role "abuse" and a contact email or URL. Submit a detailed abuse report including: the phishing domain, screenshots of the fraudulent page, your legitimate domain, and trademark evidence if available.
-
Report to Google Safe Browsing (safebrowsing.google.com/safebrowsing/report_phish) and Microsoft SmartScreen (microsoft.com/en-us/wdsi/support/report-unsafe-site). Both feed browser warning systems. A domain flagged in these databases will show a full-screen warning before users can access it.
-
Submit to the APWG eCrime Exchange or PhishTank if the phishing campaign appears to be active and ongoing. These databases are used by security vendors to update blocklists.
-
Notify your users proactively if you have reason to believe they have been targeted. A brief notification through your standard communication channels, explaining the fake site and how to identify your legitimate domain, limits damage and builds trust.
How to contact a registrar's abuse team effectively
The RDAP record for the phishing domain contains the registrar's abuse contact. A useful abuse report includes:
- The full URL of the fraudulent page (not just the domain)
- A screenshot showing the fraudulent content
- The legitimate URLs being imitated
- Your trademark registration number if available
- Your contact details for follow-up
Vague reports ("this domain looks suspicious") are less effective than specific, evidence-backed complaints. Registrars receive thousands of abuse reports and prioritize those with clear documentation.
Five signals that should make you suspicious of any URL: the domain root does not match the expected service; the domain contains subdomains that say a brand name before an unrelated domain; words like "secure", "login", or "verify" appear in the domain itself; the TLD is .xyz, .top, .tk, or another free extension on a supposed major-brand site; or the domain was registered very recently. For brands, the best protection for your users starts with detecting lookalike domains before they go live for phishing campaigns. Domain Sentinel's watchlist does exactly this.
Start with a domain you care about
Look it up for free. If you want alerts when status changes or expiry gets close, create an account. Takes about 30 seconds.