
The Anatomy Of A URL

So much of our time is spent online nowadays, both for business and pleasure. We do our shopping online, read the news, check our email, we even handle our banking and bills online. With each of these processes we are using Uniform Resource Locators, or URLs, constantly. Even though we use them all the time, most people don’t give much thought to what a URL actually is or what its structure reveals. Understanding the anatomy of a URL isn’t just important for tech professionals. It’s a critical skill that can help anyone recognize suspicious links and avoid falling for social engineering attacks.

Let’s break it down.

What Is a URL

A URL is like a digital street address. You may even have heard it referred to as a “web address.” It tells your browser where to go to fetch a webpage, file, or image.

A typical URL looks like this:

https://www.example-site.com/products/item?id=123

Even though it might look like a jumble of characters, each part of this URL serves a purpose. Here’s how it all breaks down:

The Structure of a URL

1. Protocol: https://

This is the communication method used to access the resource. Common protocols include:

  • http:// (Hypertext Transfer Protocol)
  • https:// (Secure HTTP—encrypted for security)
  • ftp:// (File Transfer Protocol)

You should prefer https:// whenever possible, especially when entering personal data. The “s” stands for “secure,” meaning your data is encrypted between your browser and the server. Keep in mind, just because the data is encrypted in motion doesn’t mean it’s going to a legitimate source!

2. Subdomain: www.

This is a subset of the domain, used primarily for organizational purposes. Not all sites use “www” anymore (it’s optional). Other subdomains you may recognize might include things like:

  • mail.example.com
  • login.example.com

A misleading subdomain like paypal.phishing-site.net (here “paypal” is only the subdomain; the actual domain is “phishing-site”) may trick unwary users into thinking a URL is legitimate. A site may even have more than one subdomain, like sub1.sub2.example-site.com!

3. Domain Name: example-site

This is the core name of the website. It’s what people recognize and what organizations register. In example-site.com, the domain is “example-site.”

The domain is the most important part of a URL when verifying a site’s legitimacy. Be cautious of domains that are misspelled (like amaz0n.com), or mimic real companies (like accounts-amazon.com). Just because a familiar word appears in the domain name does not mean it is the domain name. To identify the real domain, find the TLD and work left from it.

4. Top-Level Domain (TLD): .com

This is the last part of the domain name. Common TLDs include:

  • .com (commercial)
  • .org (organization)
  • .gov (government)
  • .edu (education)
  • .net, .info, and country-specific TLDs like .uk, .ca, .ru

Some TLDs like .gov or .edu are regulated, but others are not. Domains can be quite cheap and easy to obtain, which makes it critical that you are wary of the legitimacy of sites you visit.

5. Path: /products/item

This part of the URL tells the server what page or resource you want to view. It works like folders on your computer.

The path can help you understand what kind of page you’re being directed to. But because the host determines paths and file names, it’s not a great metric for page validity.

6. Query String: ?id=123

This comes after a question mark and passes data to the server. It often appears in search results or product pages and not every URL will have a query string.

Query strings are usually harmless but can be used to hide tracking tools or disguise phishing links. Be wary if an additional web address appears after this point as it may be exploiting a redirection feature.

The Anatomy of a URL

Understanding Dots, Slashes, and Hyphens

  • Dots (.) separate parts of the domain. Reading left to right, each dot moves you a step closer to the root domain. For instance, in login.bank.example.com, “example” is the root domain.
  • Slashes (/) divide sections of the path or indicate the beginning of a path after the domain.
  • Hyphens (-) are often used to make URLs easier to read, like my-cool-site.com. But they’re also a common tool in phishing to impersonate real domains (e.g., apple-support-secure.com, instead of support.apple.com).

Spotting Suspicious URLs

Understanding the structure of a URL can help you spot red flags. Here are a few tips:

  • Check the domain carefully: Don’t be fooled by extra words or hyphens. netflix-help.com is different from netflix.com or help.netflix.com!
  • Beware of unusual TLDs: Domains like .tk, .xyz, or .top are often used by scammers, but don’t assume a .com or .org is legit just because it’s familiar!
  • Look for HTTPS: While it’s not a guarantee of safety, the lack of HTTPS should raise concerns, especially on login or payment pages.
  • Don’t trust just the subdomain: Just because it starts with ‘PayPal’ or ‘Microsoft’ doesn’t mean it’s safe. Look all the way to the root of the domain.
  • Hover before clicking: On a desktop, hovering over a link will show you the full URL in the corner of your browser. On mobile, you can usually hold down the link to preview it. Better yet, avoid an accidental click. Navigate directly to a legitimate domain by typing a known safe URL into your browser directly.
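The following script, added here as an illustration and not part of the original article, turns the URL breakdown above (protocol, subdomain, domain, TLD, path, query) and the red-flag tips into code. It works right to left from the TLD as the article advises, and the brand list, the risky-TLD set and the digit-for-letter table are constructed examples; two-part suffixes such as .co.uk are deliberately not handled.

```python
from urllib.parse import urlparse, unquote

# Constructed: the TLDs the article singles out as frequently abused.
RISKY_TLDS = {"tk", "xyz", "top"}
# Constructed: brand names a phisher might borrow. Real lists are longer.
BRANDS = ("paypal", "amazon", "netflix", "apple", "microsoft")
# Digit-for-letter swaps used in look-alike domains such as amaz0n.
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def anatomy(url):
    """Split a URL into the parts the article names.
    Works right to left from the TLD, so the registrable domain is the
    label just before the TLD (simplified: .co.uk-style suffixes not handled)."""
    p = urlparse(url)
    labels = (p.hostname or "").lower().split(".")
    if len(labels) < 2:
        tld, domain, sub = "", labels[0], ""
    else:
        tld, domain, sub = labels[-1], labels[-2], ".".join(labels[:-2])
    return {"protocol": p.scheme, "subdomain": sub, "domain": domain,
            "tld": tld, "path": p.path, "query": p.query}

def red_flags(url):
    """Apply the article's checks and return a list of warnings (empty if none)."""
    parts = anatomy(url)
    root, sub = parts["domain"], parts["subdomain"].split(".")
    flags = []
    if parts["protocol"] != "https":
        flags.append("not HTTPS")
    for brand in BRANDS:
        if root == brand:
            continue  # genuine root domain: help.netflix.com is fine
        if brand in sub:
            flags.append(f"'{brand}' is only a subdomain; root domain is '{root}'")
        elif root.translate(LOOKALIKE) == brand:
            flags.append(f"'{root}' is a look-alike spelling of '{brand}'")
        elif brand in root:
            flags.append(f"'{root}' pads '{brand}' with extra words or hyphens")
    if parts["tld"] in RISKY_TLDS:
        flags.append(f"frequently abused TLD .{parts['tld']}")
    # The article warns about a second web address after the query string.
    if "://" in unquote(parts["query"]):
        flags.append("a second web address in the query string (possible open redirect)")
    return flags

if __name__ == "__main__":
    for u in ("https://www.example-site.com/products/item?id=123",
              "https://paypal.phishing-site.net/login",
              "http://amaz0n.com/"):
        print(u, "->", anatomy(u)["domain"], red_flags(u))
```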

You don’t need to be a cybersecurity expert to stay safe online. A basic understanding of how URLs work can go a long way toward protecting you from common scams. In a digital world filled with cleverly disguised traps, being URL-aware is a smart, simple defense.

To further expand your skills, check out the variety of courses offered by Social-Engineer, LLC!

Written by:
Faith Kent
Human Risk Analyst at Social-Engineer, LLC
