Detect and Defer; Internet Safety Strategies – How to Read a URL

The World Wide Web is a wonderful place, but it can also be scary and dark where bad guys lurk with ill intentions. The Web is full of misinformation, fake websites, scams and cybercriminals. Websites which may appear legitimate may not be what they seem. Understanding how to read a website URL will greatly aid you in remaining safe on the Web.

Each website that you visit is composed of a URL – Uniform Resource Locator. In essence, a URL is the unique identifier used to locate a resource on the Web. It is important to know where clicking a link will take you. To be able to discern the composition of a URL, I have dissected the anatomy of a URL to attempt to make sense of what you see and how you can use it to safely navigate the Wild, Wild West of the World Wide Web.

An example URL may look like this: https://www.citruslibraries.org You can always find a URL at the top of the website that you’re viewing in the web address bar.

The first part of a URL is the protocol. The protocol represents a standard “language” that allows your computer to interact with web sites. The most common protocol is “http://” which stands for “hypertext transfer protocol.” Another common protocol is “https://” which is the secure, encrypted version of “http”. In the example URL, the protocol is “https://”, which is encrypted and secure. A lock symbol in the left side of the web address bar also indicates that the website is encrypted.

The next part of the URL is the domain name. The domain name (or hostname) is a unique identifier for any website on the internet. In the example, the domain name is “citruslibraries.org.” Some, but not all, web sites require you to enter the protocol and/or “www” (which stands for World Wide Web) before the domain name. However, if you do not type “http://” or “www.” before a web address, your web browser will usually add it automatically.

The domain name always includes a domain extension. In the example URL, the extension is “.org”. It is important to know a web site’s correct extension, as it is part of the unique domain identifier. For example, worldcat.org is the web site for an online library catalog; worldcat.com is the web site for a boat company. Note that countries sometimes have their own special extensions. For example, the extension for the United Kingdom is “co.uk” while “.de” is the extension for Germany (Deutschland). Popular domain extensions are listed below:

Every web site is made up of at least one web page. Most web sites contain many sub-pages. Each sub-page has its own “path” and may also have a “filename”. This information tells your computer exactly which sub-page of the web site to display. Consider this example: https://www.citruslibraries.org/locations/. You are still on the Citrus County Library System website, but you are currently on the Locations and Hours web page of the website. This is indicated by the forward slash between the domain name and the sub-page.

How will you use all of this information? I’m glad you asked! A common tactic used by cybercriminals is URL phishing, and these tactics include insertion, hyphenation, transposition, replacement, repetition, omission. These tactics are utilized to create what appears to be an official company URL, but characters are added, flipped or omitted that change the URL, and when you click it, you are taken to a completely different website. The following are a couple of examples of these URL phishing tricks:

The domain is paypal.com.bank and not paypal.com. Therefore, if you are not aware of how to look for the difference, you would be directed to a website that poses as PayPal, but is in fact a scam and will steal your information.

One more example of a phish URL:

The domain is    and not microsoft.com. Consequently, you would be lured into entering your email log-in information which would be sent directly to the bad guy who created the fake website acting as Microsoft. Your email log in information can then be used by the bad guy to hack into your other accounts, and because cybercriminals are typically talented at their evil work, this would most likely be done subliminally.

Bad guys use a variety of tactics to disguise the phish URL. Besides the domain name imitations, bad guys also use overly long URLs in the hopes that when a user hovers over the link to read the URL, he/she will not see the entire URL or will not take the time to properly examine the URL. Thus, the user will unwarily click on the malicious link.

The World Wide Web can be a wild place full of scams, malicious sites, misinformation and bad guys; however, exercising precaution and vigilance will protect you while on the Web. Examine the URL of a link before you click it, take the time to research and review websites before you visit them, especially before you download items from a website. Practice vigilance before entering payment or other sensitive information into a website. An effective and easy to remember adage to use on the Web is, “When in doubt, chicken out!” In other words, if you feel uneasy about clicking a link, avoid clicking the link and redirect elsewhere.

For further information, visit your local branch of the Citrus County Library System and ask about our free technology classes. Classes are held throughout the county on a wide range of topics and subjects including Online Safety and Privacy and Internet Basics. For additional information about programming, please call your local library branch, go to the library’s website, citruslibraries.org, or follow @CitrusLibraries on Facebook and Instagram.