URLs

You might not know it’s called a URL, but you’ve probably seen one:

https://en.wikipedia.org/wiki/Hamster

A uniform resource locator (URL) can identify:

Checking the URL is the best way to tell whether a website is genuine. It’s usually shown at the top of your browser — can you see martinedwards.co.uk if you look up there now?

Part 1: https

The first part is either http or https followed by a colon and two slashes:

https://en.wikipedia.org/wiki/Hamster

https means your interaction with the site is protected against eavesdropping or interference by your Internet provider, employer, government — or just someone else on the cafe Wi‑Fi.

Most sites now use https, so your browser may no longer show this bit. Instead, a secure connection will be indicated simply by a padlock, while plain old http will carry a warning like Not Secure.

But the padlock has nothing to do with whether a site is genuine. A bogus site can just as easily use https. It’s no consolation knowing your conversation is private if the person you’re talking to isn’t who you think they are!

Part 2: the domain name

This is the important bit. The domain name continues until either a slash / or the end of the URL, whichever comes first. In our example, it’s en.wikipedia.org:

en.wikipedia.org/wiki/Hamster

Computers actually read domain names from right to left, separating them at the dots. Usually the rightmost part, or two, indicates a country or type of organisation. These are called top-level domains. For example:

The next part to the left is typically the name of the organisation:

Note: There are exceptions, like diy.com for do-it-yourself retailer B&Q.

Combining these parts, we have fully qualified domain names:

These are the best indicator of the legitimacy of a site. Remember, what matters is the bit immediately before the first single slash or, if there is no slash, the end of the URL:

blogs.unicef.org

blogs.unicef.org/blog/ukraines-water-heroes/

Bogus domains

Fake or malicious sites might use a misspelling of a genuine domain:

Special cases

Thank you for reading this far. If you’ve had enough, do finish here, happy knowing you’re equipped with the knowledge to avoid the vast majority of online scams!

For keen readers, though, it would be foolish of me not to detail five caveats that can make it harder to interpret URLs – or harder to tell the authenticity of a site from its URL – in certain cases.

Strange-looking but genuine subdomains

Sometimes, you’ll see subdomains like this:

secure-appldnld.apple.com/itunes12/

Is this the real Apple website? Yes! Check the rightmost part of the domain – just before the first slash, remember – and you’ll see it’s apple.com:

secure-appldnld.apple.com/itunes12/

Apple has simply chosen to name a server secure‑appldnld. (Can you work out the abbreviation?)

Trick subdomains

On the other hand, a crafty bogus site might use a subdomain in this fashion:

bbc.co.uk-news-health-39217858.martinedwards.co.uk

Is this the real BBC website? No! At a glance, it looks like an article in the News > Health section, but there’s no slash after bbc.co.uk — the domain name continues, in this case to the end of the address. It’s an elaborate one which, if it was real, would probably resolve to martinedwards.co.uk:

bbc.co.uk-news-health-39217858.martinedwards.co.uk

I could create a fake page there, mimicking the BBC but with a notice saying you needed to update some software to watch a video. Of course, the ‘update’ would actually be malware!

Redirects

A domain name that looks suspicious at first might actually redirect to a genuine site. For example, if you’re on John Lewis’s mailing list, the emails you receive might contain links to promotions like this:

johnlewis.us13.list-manage.com/track/click?u=eef5926

This site is genuine. The domain list-manage.com is used by MailChimp to track subscribers clicking links, to help John Lewis (in this case) learn about its customers.

Because you can’t usually tell where a redirect will go, you need to wait until you arrive at the destination before checking the URL in the address bar.

Shorteners

Some companies use shorteners to make URLs that are more compact and easier to communicate. These are really just redirects, but deserve a special mention. This one uses Twitter’s shortener to redirect to Gordon Buchanan’s documentary about wolves on iPlayer:

t.co/Rk466PgT3r

And this one uses Microsoft’s shortener to redirect to the much longer URL of the Windows Update Troubleshooter. It’s much more convenient for their technicians to dictate on the phone:

aka.ms/wudiag

Trick hyperlinks

This isn’t a URL issue per se, but, a link in an email or website may be made to look like a URL that’s different from its actual destination. Try clicking this link and see where it takes you — it’s harmless!

https://www.bbc.co.uk

You can often reveal the true destination by hovering your mouse over it or, on a phone or tablet, long-pressing it — pressing and holding for a second or two. But for reasons beyond the scope of this guide, even this isn’t foolproof so – as with redirects – the lesson is to check the address bar at the top of the browser once you arrive on the page.