Knowledge isn’t just power anymore — it’s security. As cyberattacks grow in both number and subtlety, so should your cybersecurity know-how.
That’s where Idaho Central Credit Union comes in. We’re here to show you how to tell the good guys and bad guys apart so you can browse with peace of mind. Up first is one of the most critical parts of any site: the URL. By knowing the anatomy of a URL and what each part does, you’ll be better prepared to make smart, secure decisions online.
What is a URL?
In nerd speak, a URL is a Uniform Resource Locator, aka the thing that specifies where resources like webpages are located on the internet. Just like your house has an address to help people find it, each webpage has an address (or URL) to help you find what you’re looking for in the digital world.
Why do URLs matter in cybersecurity?
Fakers create deceptive URLs that closely mimic legitimate sites. At first glance, those URLs can look like the real deal. By recognizing the fakes for what they are, you can avoid falling victim to cyberattacks of all kinds.
The 3 most important parts of a URL (in terms of cybersecurity
There are technically 10 different parts of a URL, and all are worth knowing. But when it comes to spotting fakes online, three stand out above the rest: the protocol (or scheme), domain, and subdomain.
The protocol (or scheme)
A URL’s protocol shows you how the webpage you’re visiting was accessed. You may recognize the most common protocols, which are ‘HTTP’ and ‘HTTPS.’ (An HTTPS connection is often represented by a lock on the left side of your search bar.)
Visiting pages that use HTTP is like leaving your house with the door unlocked and the windows wide open. When a page uses HTTP (Hypertext Transfer Protocol), its information, like browsing data and web content, are transmitted in plain text, which hackers can easily access. When a page uses HTTPS (Hypertext Transfer Protocol Secure), its data is encrypted as it’s transmitted, providing you with a higher level of security and privacy.
What to watch for
Most sites you access on a day-to-day basis use HTTPS because it’s industry standard. Many browsers show a lock icon at the beginning of the URL to denote an HTTPS connection. Steer clear of HTTP protocols when possible, particularly when submitting sensitive information (including logins) or making online transactions. Even if the HTTP site is legitimate, its weak protocol makes it more vulnerable to cyberattacks.
You may occasionally run into other protocols, like ‘FTP,’ ‘SFTP,’ or ‘mailto.’ Of these, SFTP is the safest — the ‘S’ here also stands for ‘secure.’ If you see a protocol you don’t recognize, proceed with caution. You may still be on a legitimate site but keep that info in your back pocket just in case. If you see other red flags (like typos, unsolicited requests for payments, etc.), leave the site immediately.
The domain and subdomain
If a URL is like your home address, the domain is like your home itself. It tells people which site they’re visiting. ICCU’s domain, for example, is the ‘iccu’ in iccu.com. Domains can only be registered to one entity (person or company), so they’re a pretty reliable way to tell if you’re on a trusted site.
A subdomain, on the other hand, is more like a room in your home. It goes right before the domain (separated by a period) and shows that you’re visiting a specific section of a website. When you log in to your eBranch account online, for example, you’ll see this URL: https://myebranch.iccu.com/Authentication. The domain is still ‘iccu,’ which shows that you’re still on our site, not a scammer’s dupe. The subdomain, ‘myebranch,’ shows that you’re on the Online Banking section of our site.
What to watch for
Since fraudsters can’t use a company’s actual domain on their fake site, they use slight variations instead. If you pay careful attention to the domain and subdomain, though, you can spot the difference easily. Here are a few examples of fake ICCU sites:
- lccu.com (with a lowercase ‘L’)
- myebranchiccu.com (no period between the subdomain and domain)
Most people don’t know the difference between a domain and a subdomain, which scammers love to take advantage of. If you see any site like the following, know that you are NOT going to a page on iccu.com:
- iccu.myebranch.com (takes you to myebranch.com)
- iccu.bankinglogin.com (takes you to bankinglogin.com)
- myebranch.idahocentral.com (takes you to idahocentral.com)
- iccu.finance.com (takes you to finance.com)
If you receive a link that navigates somewhere other than iccu.com, pay attention. While not every instance of this is a sure-fire scam (iccu.silvur.com will take you to our retirement partner’s site, for instance), you should pay attention to your gut when something doesn’t feel right. If you’re not sure, contact an ICCU employee in person, via phone, or by chat. They’ll let you know if something’s up.
Quick Tip: If someone sends you a shortened URL (i.e. “bitly.com/2xTy1K”), don’t click on it until you can verify the domain. Shortened URLs are often used by scammers because they disguise the full domain. If you hover over the shortened URL, the real one will often appear. If the real URL leads to a site you don’t recognize (or doesn’t appear after hovering), don’t click the link.
Less important (but still cool) parts of a URL
TLD: The ‘.com,’ ‘.net,’ ‘.org,’ etc.
Port: Websites sometimes use different entrances to the internet. The port is like a gate number. You usually don’t need to worry about a port because the protocol often makes it redundant. (Remember, a protocol shows you how the webpage you’re visiting was accessed. Sounds kind of like a port, right?)
Subdirectory and path: In the URL iccu.com/blog, the “/blog” is the subdirectory. On most websites, the subdirectory will take you to a specific section of the website (kind of like a subdomain) and the path will tell you more about the page you’re about to see. On most of our blog posts, for example, you’ll see: https://www.iccu.com/blog/financial-education/title-of-blog-article/. Because the info after each slash further describes what the reader is about to see, it’s all considered part of the subdirectory or path.
Fragment (or HTML anchor): A fragment takes you to a specific spot on a specific page. If we wanted to take you to the top of this article, we would add a fragment to the link. It would come after the path and look something like this: “#whatisaurl.”
Query strings and parameters: These are generally used for tracking, page personalization, and analytics because it passes information about a click through the URL. If you navigate to a website by clicking on an ad, your URL might have a different query string and parameters than if you gotten there through a Facebook link. Query strings begin with a ‘?’ and each break between parameters is represented by an ‘&.’
URL Do’s and Don’ts
Now that you know what makes a URL legitimate, you’re ready to spot the fakes in the wild. But remember, URLs aren’t only found in the search bar – links count, too. In fact, scammers use email and text to send out most of their fake links.
Not sure where to start? If you receive an unsolicited link, see a suspicious ad, or stumble upon a questionable URL, follow these steps to verify your URLs:
- Make sure you can view the true URL. If you get a shortened link (usually starts with ‘bit.ly’) or a clickable image/ad, hover over it to see the full URL. Often, it will appear directly above the link, but depending on your browser and device, it could also appear at the bottom of your screen. If the hover trick doesn’t work, do NOT click the link. You’re better off deleting the message entirely, particularly if you receive it by text or email.
- Check the domain name. Once you have the full URL in hand, look at the phrase that comes just before ‘.com’ (or ‘.net,’ ‘.org,’ .etc.). Is it the official domain of the site you’re trying to visit? If you’re not sure, look up the company’s Google profile or call the company directly. Remember, a subdomain is NOT the same as a domain.
- Look at the sender’s address if you’re struggling to verify an email or text link. Only click on links that come from an official domain, like email@example.com. Delete messages that have gibberish as their address (i.e. hB012dpl5@icloud.com).
- Look for a secure protocol. Legitimate sites value visitors’ privacy and online safety, so they almost always use protected protocols like HTTPS. If you see a lock icon on the left-hand side of your search bar (or if the URL begins with ‘https://’), the site is more likely to be secure.
Found a fake ICCU URL? We want to know about it. Report any fake sites, messages, and other financial scams to firstname.lastname@example.org or call 1-800-456-5067. If you did share your personal or financial information with the fraudster, shut down your cards with CardControl, then report the incident to your local law enforcement agency.
Found a random URL scam? Report online scams to the Federal Trade Commission or the Internet Crime Complaint Center (IC3), which is a partnership between the FBI and National White Collar Crime Center.