Good web address (URL) hygiene is a major protection against phishing and malware delivery. These attacks have grown in frequency and sophistication because they work: a convincing link is still one of the cheapest ways to get someone to hand over credentials or run something they should not.
Through this guide, I will cover tools and techniques you can use to decide whether a link is safe to click, and the best way to respond to emails or messages that ask you for information.
Web Address Structure
A standard web address consists of a domain name (google), a top-level domain suffix (.com, .net, .org, .co.uk) and, optionally, one or more subdomains in front of the domain name (maps.google.com). The part that decides which site you are actually talking to is the host name: everything between the "://" and the first "/". Anything after that first "/" is just a path on that site.
If the address starts with a long string of random-looking characters, be suspicious. Such strings belong to machine-generated identifiers, not to addresses a person is meant to read and type. Length is also a distraction technique: most people stop reading once they see an address is long, and a long prefix pushes the real domain out of the visible part of the address bar (especially on a phone), so the part that matters is the part you never see.
Another common technique is to add extra subdomains so the address looks legitimate. Do not simply count the "." characters; read the host name from right to left. The registered domain is the label immediately to the left of the public suffix (.com, .co.uk, .com.co), and everything further left is a subdomain controlled by whoever owns that registered domain. google.com/maps is legitimate: the domain is google.com and /maps is a path on it. google.com.co/maps is a different site: the suffix is .com.co, so the registered domain is google.com.co, which anyone can register through the .co registry and which has no connection to google.com. By the same rule, accounts.google.com.example.net belongs to example.net, not to Google.
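To make the right-to-left reading rule concrete, here is a small link checker I have added as a worked example; it is not code from the original page. It uses Python's standard `urllib.parse.urlsplit` to pull the host out of a link and then walks the host from the right, stopping one label past the longest matching public suffix. The `PUBLIC_SUFFIXES` set is a constructed hand-picked subset (a real tool would load the full Public Suffix List), the 40-character "long host" threshold is an arbitrary assumption, and the sample links at the bottom are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (publicsuffix.org), just enough
# for the examples below. A real checker should load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co", "uk", "co.uk", "com.co"}

# Assumed threshold: hosts longer than this tend to overflow the address bar.
LONG_HOST = 40


def registrable_domain(host):
    """Read the host right to left and return the registered domain:
    the longest matching public suffix plus one more label to its left.
    Returns None if the host is itself only a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    # Try the whole host first, then progressively shorter suffixes, so the
    # longest public suffix (co.uk before uk) is the one that matches.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    # Suffix not in our table: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def inspect_url(url, expected_domain=None):
    """Break a link down the way the text above describes and collect the
    points a reader should look at before clicking. Returns a dict with the
    host, the registered domain, the path and a list of warnings."""
    url = url.strip()
    if "://" not in url:
        # Scheme-less text such as "google.com/maps": urlsplit needs the
        # leading "//" to treat the first part as a host, not a path.
        url = "//" + url
    parts = urlsplit(url)
    host = parts.hostname or ""          # lower-cased, port and userinfo stripped
    domain = registrable_domain(host)
    warnings = []

    if parts.scheme != "https":
        warnings.append("scheme is %r, not https" % (parts.scheme or ""))
    if parts.username is not None:
        # Browsers treat everything before '@' as a login name, not the site,
        # so "https://google.com@evil.net/" really goes to evil.net.
        warnings.append("text before '@' is a login, real host is %r" % host)
    if domain:
        extra = len(host.split(".")) - len(domain.split("."))
        if extra >= 2:
            warnings.append("%d subdomain labels in front of %s" % (extra, domain))
    if len(host) > LONG_HOST:
        warnings.append("very long host (%d chars) can hide the domain" % len(host))
    if expected_domain and domain != expected_domain.lower():
        warnings.append("registered domain is %r, not %r" % (domain, expected_domain))

    return {"host": host, "domain": domain, "path": parts.path, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample links: the legitimate one and three lookalikes.
    samples = [
        "https://google.com/maps",
        "https://google.com.co/maps",
        "https://google.com@evil.net/login",
        "http://accounts.google.com.evil.net/signin",
    ]
    for link in samples:
        result = inspect_url(link, expected_domain="google.com")
        print(link)
        print("  host:", result["host"], " domain:", result["domain"])
        for w in result["warnings"]:
            print("  warning:", w)
```

Passing the domain you expect (the site the message claims to be from) is what turns this from a parser into a check: a link is only "correct" if its registered domain is the one you expected, regardless of how much of google.com appears somewhere in front of it.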
URL Scanning
For less mainstream services, and for any link you receive that looks suspicious, I suggest you copy the link (copy the link address; do not click it) and run it through a URL scanner. These services check the address against reputation and blocklist data, and most also fetch the page in a sandbox and check its content against several security engines to see whether malware or malicious script is being served from the site.
Some services I suggest are
Summary
Modern web browsers have protection in place (safe-browsing block lists) to reduce the risk from malicious links and websites, but these systems rely on threats that have already been seen and reported, so a freshly registered phishing domain will often get through until someone reports it.
The best process for reviewing a link is to first look at its structure. If it looks correct but the message is still unexpected, or asks you to log in or to provide sensitive or personal details, copy the link into a URL scanner to verify it.
Wherever possible, verify the request independently. For most sites this means not using the link in the message at all: type the website's address yourself or use a bookmark, log in, and check whether the same notification appears on your account. If it does not, treat the message as a phishing attempt.