What phishing sites try to steal
Phishing pages imitate trusted brands — banks, PayPal, Netflix, Microsoft, postal carriers, and crypto wallets. They exist to capture usernames, passwords, two-factor codes, and card numbers. Many victims only realize after money moves or accounts are locked.
Phishing links arrive by email, SMS, social DMs, and search ads. The page may look pixel-perfect; the giveaway is almost always the URL or how you got there.
URL tricks scammers use
Before entering any password, read the full hostname character by character. Scammers rely on hurry and small visual differences.
- Typosquatting: paypa1-secure.com, netflx-account.net, apple-id-verify.co
- Subdomain abuse: login.microsoft.com.evil-site.ru (only the registrable domain at the end counts)
- Hyphenated brand names: sparkasse-konto-login.de, amazon-security-check.com
- Recently registered domains with brand keywords
- Redirects: the link starts at one domain and lands on another
On-page signals of a fake login
Even when the URL looks plausible, the page content often reveals a fake.
- Urgent warnings: “Your account will be closed in 24 hours”
- Asking for 2FA codes, PINs, or recovery phrases on a web form
- Missing footer links to the real company’s privacy or help center
- Poor grammar or mismatched language (German bank, English-only page)
- Login form on a page that also pushes unrelated downloads
Safer habits than clicking email links
The most reliable defense is to never authenticate via a link someone sent you. Open the official app or type the URL yourself.
- Type the official domain manually or use a saved bookmark
- Use the brand’s mobile app for account alerts instead of SMS links
- Run suspicious domains through a free trust check before entering credentials
- Enable hardware or app-based 2FA — not SMS alone
If you already entered your password
Speed matters. Assume the account is compromised until you change credentials from a clean device.
- Change the password immediately on the real site — not via the suspicious link
- Enable or reset two-factor authentication
- Check for forwarded email rules or changed recovery phone numbers
- Contact your bank if you entered payment or banking details
Step-by-step checklist
- 1
Stop — do not enter data yet
If you arrived via email, SMS, or an ad, pause before typing anything.
- 2
Inspect the full URL
Compare the hostname to the official domain letter by letter. Look for hyphens, wrong TLDs, and extra subdomains.
- 3
Verify with a trust check
Paste the URL into VerifyThisSite to see domain age, threat-database flags, and phishing heuristics.
- 4
Open the real site separately
Type the official URL yourself or open the app. If there is a real alert, you will see it there too.
- 5
Report and delete the message
Forward phishing emails to your provider’s abuse address, then delete. Do not reply or click “unsubscribe.”
Frequently asked questions
- Can Google or my browser always block phishing?
- Browsers and Safe Browsing catch many known pages, but new phishing sites appear hourly. A clean scan today does not guarantee safety tomorrow — verify the URL and prefer typing it manually.
- Why do phishing SMS links use short URLs?
- Short links hide the real destination and fit in text messages. Never trust a courier or bank fee link from SMS — open the official carrier or bank app instead.
- Is a site safe if the padlock icon shows?
- No. The padlock only means the connection is encrypted. Phishing sites use HTTPS routinely. Focus on the domain name and how you reached the page.