How Web Addresses Work
Approximately 3.4 billion phishing emails are sent globally every single day. The Anti-Phishing Working Group observed nearly 1 million phishing attacks per quarter throughout 2024. Every one of those attacks includes a destination — a link designed to look like somewhere you trust.
Before you can spot a fake, you need to understand how real web addresses work. It takes about five minutes to learn, and it will change the way you look at every link for the rest of your life.
A web address is like a mailing address
Think of a web address (also called a URL) like a physical mailing address. Each part tells your browser something different about where to go:
https://www.amazon.com/gp/your-account/orders
Let’s break it down:
| Part | What It Is | Analogy |
|---|---|---|
| https:// | The protocol — how you travel there | The method of delivery (encrypted mail vs. postcard) |
| www | The subdomain — which entrance | Which door you walk through at the building |
| amazon.com | The domain — who owns it | The building itself — this is what matters |
| /gp/your-account/orders | The path — a page on the site | A room inside the building |
The most important part is the domain: amazon.com. That’s who you’re actually visiting. The subdomain (www) is just which entrance you use — it doesn’t change who owns the building. The path (/gp/your-account/orders) is a room inside. And https:// is how you get there.
The one rule you need
Here’s the single most important thing in this entire course:
The real domain is the last two parts before the first single /.
That’s it. No matter how long or complicated a web address looks, the real domain is always those last two parts (the name and the extension) before the path begins.
Let’s practice:
| Full Address | The Real Domain | Who Owns It |
|---|---|---|
| https://www.amazon.com/orders | amazon.com | Amazon |
| https://mail.google.com/inbox | google.com | Google |
| https://portal.mycompany.com/login | mycompany.com | Your company |
| https://accounts.apple.com/sign-in | apple.com | Apple |
| https://login.microsoftonline.com/oauth2 | microsoftonline.com | Microsoft |
Notice how the subdomains change — www, mail, portal, accounts, login — but the domain stays the same. The subdomain is just a door. The domain is the building.
Now make it harder
Ready to test yourself? For each address below, identify the real domain:
| Full Address | Real Domain |
|---|---|
| https://secure.chase.com/web/auth/login | chase.com |
| https://id.atlassian.com/login | atlassian.com |
| https://auth.openai.com/authorize | openai.com |
| https://chase.com.secure-login.net/verify | secure-login.net |
| https://amazon.com.order-status.info/track | order-status.info |
| https://www.my-payroll-portal.com/employee | my-payroll-portal.com |
| https://support.google.com.account-alert.com/reset | account-alert.com |
| https://login.bank-of-america.security-update.net/auth | security-update.net |
The last five are fakes. Did you catch them? In each case, a familiar brand name appears early in the address, but the actual domain — the last two parts before the / — belongs to someone else entirely. We’ll explore those tricks in detail in the next lesson.
The HTTPS padlock myth
You’ve probably heard that a padlock icon in your browser means a website is safe. That was reasonable advice in 2010. It’s dangerously wrong today.
The padlock means the connection between your browser and the website is encrypted — it means nobody can eavesdrop on what you type. It says absolutely nothing about who runs the website or whether they’re trustworthy.
Here’s the problem: over 90% of phishing sites now display the padlock icon, according to research from PhishLabs. Getting an HTTPS certificate is free (via Let’s Encrypt) and takes about two minutes. Attackers do it as routinely as registering a domain.
A padlock means your data is encrypted in transit. It does NOT mean the person receiving your data is legitimate. Think of it this way: a locked mailbox on a stranger’s porch still delivers your letter to a stranger.
Country-specific domains
Some countries use two-part endings instead of one:
| Country | Domain Ending | Example |
|---|---|---|
| United Kingdom | .co.uk | barclays.co.uk |
| Australia | .com.au | commbank.com.au |
| Japan | .co.jp | toyota.co.jp |
| Brazil | .com.br | bradesco.com.br |
For these, the rule extends to “the last three parts before the first /.” The country ending (.co.uk) functions as a single unit, so the domain is the name plus the full country extension:
online.barclays.co.uk → owned by Barclays
app.commbank.com.au → owned by CommBank
But the tricks still work the same way:
barclays.co.uk.secure-login.com → owned by secure-login.com (NOT Barclays)
If you see a country-specific ending like .co.uk, just include all three parts. The principle doesn’t change.
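As an added example (not part of this course), here is a small Python checker that applies the rule from this lesson and the country-ending extension above: it extracts the real domain of a link and flags links where a trusted brand's domain appears as subdomain labels while the real domain belongs to someone else. The trusted-domain list and the short table of two-part country endings are assumptions taken from the page's own examples; a production tool would use the full Public Suffix List.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Two-part country endings named on this page (assumption: a real checker
# would load the complete Public Suffix List instead of this short table).
TWO_PART_ENDINGS = {"co.uk", "com.au", "co.jp", "com.br"}


def _host(url: str) -> str:
    """Pull the host out of a link, tolerating links typed without a scheme."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def real_domain(url: str) -> str:
    """The page's rule: the last two labels of the host before the first
    single '/', or the last three when the host ends in a two-part country
    ending such as .co.uk."""
    labels = _host(url).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_ENDINGS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def misplaced_brand(url: str, trusted: Iterable[str]) -> Optional[str]:
    """Flag the trick the lesson describes: a trusted domain written as
    earlier labels of the host while the real domain is someone else's.
    Returns the impersonated domain, or None for a genuine link or one
    that names no trusted brand."""
    host, actual = _host(url), real_domain(url)
    trusted_set = {b.lower() for b in trusted}
    if actual in trusted_set:
        return None  # same building; www/mail/login is just the door
    for brand in trusted_set:
        # Match whole labels only: "amazon.com" is found inside
        # "amazon.com.order-status.info" but not inside "notamazon.com".
        if f".{brand}." in f".{host}.":
            return brand
    return None


if __name__ == "__main__":
    trusted = ["amazon.com", "google.com", "chase.com", "barclays.co.uk"]
    for link in ["https://www.amazon.com/orders",
                 "https://chase.com.secure-login.net/verify",
                 "https://support.google.com.account-alert.com/reset",
                 "https://barclays.co.uk.secure-login.com/"]:
        print(f"{link:52} -> {real_domain(link):20} "
              f"impersonates: {misplaced_brand(link, trusted)}")
```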
The Rule: The real destination is the last two parts before the first slash.