You got an email – or a text – from your bank, Fedex, the IRS, or someone you tend to pay attention to when they send emails. So, wondering where your shipment is or attempting to resolve a financial issue, you click on the link in that message, log into your account, and … oops. You just fell for a phishing attack. A scammer has your login credentials.

Phishing is a clever scam designed to trick you into giving important login credentials to a thief who wants to use those credentials to rob you.

It is the most common form of internet crime, according to the FBI’s Internet Crime Complaint Center, with 241,342 known victims in 2020. This type of scam is most often done via email but is sometimes also done by text (smishing) or phone (vishing.) Whatever you call it, this form of theft is expensive to both individuals and businesses. Every minute, $17,700 is lost to phishing attacks.

If you fall for one of these scams, you might realize it after you log in and don’t end up at your bank or the account you were trying to access. Now, you are in a race with an unknown thief to get into your account and change the password before the thief can wire themselves your money or lock you out of your account and buy whatever they want. If you fail to realize what’s happened, your first clue might be when money starts leaving your account or your Facebook is hacked or you can’t access your own email.

The best policy is to never enter your login credentials (or any other sensitive information) when you got a website by following a link in an email, text, social media — or unless you are very sure —  a search.

If you live any part of your life online, it’s smart — and will make you feel like a detective — to know how to identify a phishing website. Sometimes bad links show up in social media posts or are shared by people you know and you can’t rely on being able to spot a website that’s not legit once you get to it. Scammers are very skilled at creating duplicate sites that look exactly like the real thing. They even embed links to the real site so if you can click around and see all sorts of things that look real and familiar.

But there are clues, hiding in every bad URL, that will tell you that this site is not legit.

Here are five super-easy ways to spot the difference between a URL that will lead somewhere legitimate and one that is the lure of a clever thief.

An Email that Asks You to Log In

The biggest red flag telling you the site’s not real — is that it came in on an email (or text) that urgently asks you to click an embedded link and then log into your bank account — or some other high-value account. Your bank will never do that. (If they do, get a bank with better security practices!) Banks, brokers, and every company that manages any kind of sensitive information know that phishing is a huge problem and are doing their best to get the message — Don’t click links in emails!!! — across to customers.

You can almost guarantee that an urgent email asking you to log into your account is from a scammer and that the link in it is one you do not want to click. Emails telling you that your account is about to be deactivated if you don’t log in and update your credit card number is another big red flag.

An Email with Attachments

Scammers are so clever. They know you are on the watch for phishing, so they might send you an email that’s alarming, knowing you probably won’t click the link but might, instead, open a browser and go right to your bank’s website, like a smart surfer. But, even if they can’t get you to click their link, maybe they can get you to download an attachment? That attachment will likely be a keylogger that captures what you type so that the scammer can also go to your bank and log in. And this is why you should never click on attachments that come to you via unsolicited emails.


 The URL Is Not Quite Right

Let’s assume that, despite my previous warning, you clicked on a link that came to you in an email or perhaps one you saw on social media. Now you are at the Web site.

Before you trust it, look carefully at the URL in the address bar. If the site is a fake, there will be something wrong with it. The name of the company in the domain might look right. But there is a slight misspelling, the number 1 replaces the letter L, or there are extra characters before or after the bank name. Sometimes these differences are obvious but, when the scammer is good, they can be very difficult to spot. Still, it will be there somewhere. Even if you can’t see it, though, good anti-virus software should spot it. The consequences of getting this wrong can be dire, so I highly recommend that you turn on the real-time scanning of websites your anti-virus software provides so that you have a warning system in place so you don’t make mistakes.


The URL is Too Short

One clever way that scammers hide a URL that’s not quite right is by using a link shortener like Bitly. So that, even if you examine the link before you click it, you can’t see where it really goes. Link shorteners are used for legitimate reasons so this, in itself, does not make a link bogus. If you want to see where a shortened link goes before you click on it, use a link expander to see the full-length link. Here’s how: Right-click on the link in the email that you are unsure of. Click “Copy link address” from the drop-down menu that appears.

(Or copy the link from social media.) Then go to the Web site CheckShortURL and paste the address where it says, “Enter your short URL here.” It will tell you the title, description, keywords, and author of the page, among other things, and if the hidden link is safe or not.


There are Strange Character Strings

Another way scammers conceal where a URL will take you is by doing some clever URL Encoding. This is a bit like putting their URL in another language — a machine language — so you can’t understand it. There are legitimate ways this can happen but you should be very wary of any URL that is not clearly readable. If you happen upon one of these, and you want to go to the link but are — rightfully — wary, run it through a link decoder. Copy the link just like in the last tip and go to URLDecoder. Paste the link in the field that says “Type (or paste) here…” and it will tell you in the bottom field where that link will go.