URL Safety Basics

A quick, practical guide to spotting risky links before you click.

This page is client-side only. It does not collect or transmit any data.

How to Read a URL

Focus on the registered domain and treat everything else as noise.

https://login.paypal.com/security?ref=email
  • Registered domain: paypal.com
  • Subdomain: login (owned by paypal.com)
  • Scheme: https (encrypted)
https://paypal-secure-login.support.example.com/
  • Looks like PayPal, but the registered domain is example.com
  • Words to the left of the domain can mislead

High-Risk Signals

| Signal | Why it matters | Example |
| --- | --- | --- |
| “@” in the authority | Everything before “@” can be a decoy; the real host is to the right | https://secure-login.paypal.com@evil.example.net/ |
| Internationalized or look-alike characters | Homoglyphs (e.g., l vs I) and IDNs can mimic trusted brands | https://paypaI-login.example.net/ |
| URL shorteners | Hide the destination; often used to bypass filters | https://bit.ly/abc123 |
| IP-literal hosts | No clear brand identity | http://185.199.110.153/signin |
| Uncommon ports | Legit sites rarely need ports other than 443/80 | https://login.example.com:8080/ |
| Suspicious keywords | “verify”, “reset”, “secure”, “appeal”, “invoice”, etc. in path or query | https://brand.example.com/support/verify-account |
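
The signals in the table above can be checked mechanically with the standard URL parser built into browsers and Node.js. The following JavaScript is an added example, not the code behind this page's tool; the function name urlSignals and the short shortener and keyword lists are assumptions made for illustration.

```javascript
// Added example: reports the host a URL really points to and which
// high-risk signals from the table it shows.
// SHORTENERS and KEYWORDS are small constructed lists, not complete sets.
const SHORTENERS = new Set(["bit.ly", "t.co", "tinyurl.com"]);
const KEYWORDS = ["verify", "reset", "secure", "appeal", "invoice"];
const RISKY_SCHEMES = new Set(["javascript:", "data:", "file:"]);

function urlSignals(input) {
  let u;
  try {
    u = new URL(input); // same parsing rules the browser applies
  } catch {
    return { host: null, signals: ["unparseable"] };
  }
  const signals = [];
  if (RISKY_SCHEMES.has(u.protocol)) signals.push("risky-scheme");
  if (u.protocol === "http:") signals.push("unencrypted");

  // Anything before "@" is userinfo, not the host.
  if (u.username || u.password) signals.push("userinfo-decoy");

  const host = u.hostname;
  // The parser normalizes IPv4 hosts to dotted quads; IPv6 keeps its brackets.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) {
    signals.push("ip-literal");
  }
  // Non-ASCII (IDN) labels are serialized as punycode, "xn--...".
  // ASCII look-alikes such as "I" for "l" are NOT caught by this check.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    signals.push("idn-label");
  }
  // u.port is "" when the port is the scheme default (443 or 80).
  if (u.port !== "") signals.push("uncommon-port");
  if (SHORTENERS.has(host)) signals.push("shortener");

  const tail = (u.pathname + u.search).toLowerCase();
  if (KEYWORDS.some((k) => tail.includes(k))) signals.push("keyword");

  return { host, signals };
}
```

An empty signals list is not a verdict of "safe": the returned host still has to be read for its registered domain, as in the paypal-secure-login.support.example.com case.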

Five-Second URL Check

About URL Schemes

Common

  • https:// encrypted web
  • http:// unencrypted, avoid for logins
  • mailto: opens your email app

Be cautious

  • javascript: can execute code
  • data: embeds content directly
  • file: local file access; should not appear on websites

Tracking Parameters to Know

These don’t always mean “phish,” but they add noise and can expose personal data if shared.

utm_source, utm_campaign, gclid, fbclid, mc_eid, msclkid, ref, affiliate, session, token

🧩 Common Parameters Explained

These don’t always mean phishing, but they can reveal tracking data and sometimes personal information if shared.

| Parameter | Platform / Meaning | Purpose |
| --- | --- | --- |
| utm_source, utm_medium, utm_campaign | Google Analytics (Urchin Tracking Module) | Identify which email, ad, or post brought you to a site. |
| gclid | Google Ads Click ID | Connects ad clicks to Google Ads conversions. |
| fbclid | Facebook Click ID | Tracks users clicking outbound links from Facebook. |
| mc_eid | Mailchimp Email ID | Identifies which subscriber opened a newsletter link. |
| msclkid | Microsoft Ads Click ID | Used by Bing Ads to attribute conversions. |
| ref | Referral Code | Indicates where the visitor came from (affiliate, forum, etc.). |
| affiliate | Affiliate / Partner ID | Identifies which partner referred the sale for commission. |
| session, token | Session or temporary identifiers | Track sessions or authenticate users, sometimes leaking unique IDs if shared. |

🔒 Tip: You can safely remove these parameters before sharing a link — everything after the ? is usually optional.

What To Do If a Link Looks Suspicious

© CyberLife Coach Tools — This page is informational and runs entirely in your browser.