Skip to main content

Understanding URLs

National Cyber Security Awareness Month

October is National Cyber Security Awareness Month.  It is the responsibility of every user of computers and the internet to learn how to be safe online.  Most of us either have experienced an online scam or know someone who has.  As encouraged at www.staysafeonline.org, please Stop, Think and then Connect.  All scams can be avoided if you think.  There are a lot of resources to learn about online safety, including www.staysafeonline.org, provided by the National Cyber Security Alliance.  I’d like to cover just one topic today for online safety: Understanding URLs.

URLs, or Uniform Resource Locators, are the addresses you type into a web browser, such as Internet Explorer, Firefox, Chrome or Edge, to reach a specific web site.  In the screen image below, the URL is https://www.att.com, as circled in red.  Some users type a name in to www.google.com or another search engine to reach websites rather than typing in a URL into the browser’s address field.  To be secure, you need to look at the specific URL to ensure you’re going to the web site you want.  Scammers are very good at making web sites that look just like the company’s website you’re trying to visit.  Just because you see a home page that includes graphics from the company, do not assume this is their website.  It is very easy to capture graphic images and create a fake web site that looks just like the official web site. 

Example URL

In the screen image above, there are several items to observe:

  • Notice that this URL starts with https:// rather than http:// and that there is a padlock icon next to the address.  This indicates that this is an encrypted website and personal information passed from you to this website cannot easily be intercepted.  NEVER conduct any financial transactions or reveal any personal information unless you’re on a secure website with a prefix of https:// and a padlock icon in your browser. 
  • This URL ends with att.com.  The last part of the domain name (att.com) is what you need to verify to ensure it is the right web site.  It is very easy to create a website at, say, http://attwebhome.internethacker.com.  Obviously, you might recognize this one as being bad because of the internethacker.com, but scammers won’t be so obvious.  They’ll try to fool you with clever domain names.  If I’m trying to visit my AT&T account, I need to ensure that I’m going to a domain that ends with att.com.   Know the domain name of the company you’re trying to visit and do not stay on similar, but wrong, domain name web sites.
  • For the sake of brevity, many people will post a link to a web site using an abbreviated URL.  Those are easy to create at places like www.tinyurl.com.  But if you click on a shortened link, you cannot tell which web site you’re going to be taken to.  It might be good to decide not to click that link.  If you must, carefully notice the domain of the website you are taken to. 
  • Sometimes, you will see a “subdomain” to the left of the domain.  For example, you might see https://login.att.com.  That is still a page controlled by the owner of att.com.  As long as the domain ends with att.com, you can be assured that this is an AT&T web page.
  • If you click on Login at https://www.att.com, you will be taken to https://www.att.com/olam/loginAction.olamexecute?source=IC4425j4900s2000.  The information AFTER att.com/ are options that are being passed to att.com.  Be careful to notice the first slash (/).  That is the end of the domain name, so look immediately to the left of the first slash to see the domain name.  Notice also that https:// (the “s” stands for “secure”) is still at the beginning.  Anytime you’re typing any personal information into any website, look again at the URL to make sure it is still secure.  If it isn’t, STOP.  DO NOT provide any personal information.
  • If you see a URL that is 4 numbers separated by dots (e.g., https://192.168.1.1), STOP.  You cannot tell whose website you are visiting.  No legitimate business is EVER done on a website like this.
  • Be careful not to fall for clever domain names.  If your URL is https://att-secure-login.com, STOP.  This domain is probably NOT controlled by AT&T.  Anyone can register a domain name like this and setup a website for it. Watch for symbols in URLs.  A domain like https://www.att.com@account-login.info is NOT from AT&T.  Malicious developers insert symbols to try to fool you.  The domain here is account-login.info, NOT att.com.