
Phishing basics: how to spot risky links before you sign in or pay

A practical guide to recognizing phishing links, suspicious login pages, and fake checkout flows — with quick checks you can do in under a minute.

Jan 18, 2026 · 6 min read
Tags: phishing, basics

Phishing is still the most common way people lose accounts and money — not because it’s “super technical”, but because it’s designed to look normal. The goal is simple: get you to click, then sign in or pay.

This guide focuses on checks that work in real life: on a busy day, on mobile, with a hundred tabs open.

TL;DR (the habit that prevents most mistakes)
  • Read the domain before login or payment — not the logo, not the page title.
  • Pause when the request is unexpected (refund, delivery, “account locked”).
  • Use a safe path: bookmark / typed URL / password manager — not the message link.
  • If you already entered data, act fast (password reset / bank alerts).

What phishing looks like today

Modern phishing often avoids obvious “Nigerian prince” vibes. Instead it looks like:

  • a delivery update (“Your package is waiting”)
  • a payment alert (“Card verification required”)
  • a customer support message (“Refund available”)
  • an internal work tool notification (“Shared document”, “Password expired”)

The message is rarely the danger. The danger is the link and where it takes you.

The fastest check: read the domain, not the page

Before you type a password or enter a card number, look at the address bar and answer two questions:

  1. What is the domain? (the main site name, not the page title)
  2. Is it exactly the domain you expected?

A phishing page can copy logos and UI perfectly. The domain is harder to fake.

If you want a deeper explanation of domain tricks, read the guide on look-alike domains and typosquatting. If you’re worried about payment scams, see the guide on fake checkouts and payment traps.

Examples of “looks right” but isn’t

  • account-google.com (not the same as google.com)
  • support-paypal-secure.com (extra words don’t mean “official”)
  • paypaI.com (capital “I” instead of lowercase “l”)
  • google.com.account-security.example (real brand appears inside a longer domain)

If you’re unsure, stop and open the brand’s site from your own bookmark or by typing it manually, then navigate from there.

Common phishing patterns you’ll see

1) Urgency and consequences

Phrases like “within 10 minutes”, “final notice”, “account locked”, “refund expires” are designed to reduce thinking time.

2) A “safe-looking” page after a redirect

A link may briefly open a real page, then redirect to a fake login or payment step.

3) Fake “support” or “refund” pages

Scammers love “support” because users expect to share personal details there.

4) Brand impersonation (look-alike domains)

One of the most effective techniques. The domain is “close enough” to bypass quick attention.

[Figure: browser warning illustration]

A quick 60-second flow you can reuse

  1. Pause before interacting
     Don’t type, don’t pay, don’t download yet. Treat the page as unverified for a moment.
  2. Read the domain carefully
     Look for extra words, swapped letters, and unusual endings (.co, .top, .xyz) when you expected something else.
  3. Check the context
     Did you request this? Were you already logging in or paying? If not, assume it’s a trap.
  4. Use a safer path
     Open the official site from a bookmark or typed URL, then navigate to the page you need. If the request is real, you can complete it there.

Checklist: before you sign in

  • The domain matches the real brand
    Not “close enough”, not extra words, not a different ending — exactly what you trust.
  • The login flow looks normal for that brand
    Unexpected “verify card” steps or extra prompts can be a red flag.
  • No strange redirects
    If the address bar changes multiple times before login, stop and verify.
  • You didn’t arrive from a random message
    For sensitive actions, prefer bookmarks or typed URLs over links in emails/SMS/DMs.

Checklist: before you pay

Payment phishing is often more subtle than login phishing. A fake checkout can look “professionally designed”.

  • The store domain is the store domain
    Not a separate payment site you’ve never seen, not a new domain mid-checkout.
  • The payment provider is expected
    If you expected Apple Pay / PayPal / Stripe and see something unfamiliar, pause.
  • The address bar stays consistent during checkout
    Phishing checkouts often bounce you through multiple domains quickly.
  • You can find the same product page again
    If the product page only exists via that one link, be extra cautious.
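The “read the domain” habit from the look-alike examples and the 60-second flow, plus the “address bar stays consistent during checkout” check above, can be expressed as a small offline script. This is an added example written for this guide, not GhostGuard’s own code: `SUFFIXES` is a constructed stand-in for the Public Suffix List, `HOMOGLYPHS` is a constructed table of a few look-alike characters, and the rule names (extra words, brand inside a longer domain, look-alike letters, unexpected ending) mirror the examples in this guide rather than any product’s detection logic.

```python
"""Added example (not GhostGuard's code): the "read the domain" habit as an
offline check. SUFFIXES and HOMOGLYPHS are constructed stand-ins (assumptions)
for the Public Suffix List and a real confusable-character table."""
from urllib.parse import urlsplit

# Tiny stand-in for the Public Suffix List (assumption; a real tool loads the full list).
SUFFIXES = {"com", "net", "org", "co", "top", "xyz", "example", "co.uk", "org.uk"}

# A few characters that read alike in common fonts (assumption: constructed table).
HOMOGLYPHS = {"I": "l", "1": "l", "0": "o", "rn": "m", "vv": "w"}


def registrable_domain(host: str) -> str:
    """'accounts.google.com' -> 'google.com'; 'shop.x.co.uk' -> 'x.co.uk'.
    Walks from the left so the longest known suffix wins."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def check_domain(url: str, expected: str) -> list[str]:
    """Return the reasons the URL's domain is not exactly `expected`
    (e.g. 'google.com'); an empty list means the registrable domain matches."""
    # netloc keeps letter case (needed for the capital-I trick); drop user@ and :port.
    # IPv6 literals are not handled here (assumption: enough for the demo).
    raw_host = urlsplit(url).netloc.rsplit("@", 1)[-1].split(":")[0]
    domain = registrable_domain(raw_host)
    expected = expected.lower()
    if domain == expected:
        return []
    reasons = [f"domain is {domain!r}, expected {expected!r}"]
    brand, expected_ending = expected.split(".", 1)
    # Case-preserved first label of the registrable domain, e.g. 'paypaI'.
    raw_label = raw_host.rstrip(".").split(".")[-(domain.count(".") + 1)]
    label = raw_label.lower()
    folded = raw_label
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    # Brand must sit on label boundaries: 'google.com.account-security.example'.
    if f".{expected}." in f".{raw_host.lower()}.":
        reasons.append("real brand appears inside a longer domain")
    elif label != brand and brand in label:          # 'account-google'
        reasons.append("extra words attached to the brand name")
    elif label != brand and folded.lower() == brand:  # 'paypaI' -> 'paypal'
        reasons.append("look-alike letters in the brand name")
    ending = domain.split(".", 1)[1] if "." in domain else ""
    if ending != expected_ending:                     # '.co' when you expected '.com'
        reasons.append(f"unexpected ending .{ending}")
    return reasons


def check_navigation(urls: list[str]) -> list[str]:
    """Registrable domains seen in the address bar during one flow, with
    consecutive repeats collapsed. More than one entry means the checkout
    bounced between domains: stop and verify."""
    seen: list[str] = []
    for url in urls:
        domain = registrable_domain(urlsplit(url).hostname or "")
        if not seen or seen[-1] != domain:
            seen.append(domain)
    return seen


if __name__ == "__main__":
    for url in ["https://accounts.google.com/signin", "https://account-google.com/login",
                "https://paypaI.com/login", "https://google.com.account-security.example/"]:
        expected = "paypal.com" if "paypa" in url.lower() else "google.com"
        print(url, "->", check_domain(url, expected) or "OK")
    # Constructed checkout flow: the card form lives on a domain the shop never used.
    print(check_navigation(["https://shop.example.com/cart",
                            "https://shop.example.com/checkout",
                            "https://pay-secure-checkout.top/form"]))
```

The comparison is done on the registrable domain, not the page title or the full hostname, which is exactly what the address-bar habit asks you to do by eye; `check_navigation` returning more than one domain is the scripted form of “the address bar changed mid-checkout”.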

What to do if you clicked a suspicious link

If you clicked but didn’t enter anything: you’re probably fine — but close the page and be cautious.

If you typed a password:

  1. Change the password on the real site (from a safe path).
  2. Enable 2FA if available.
  3. Check “recent activity / devices / sessions”.
  4. If you reuse passwords, change them elsewhere too.

If you entered a payment card:

  1. Contact the bank or card provider.
  2. Monitor transactions.
  3. Consider freezing the card temporarily.

How GhostGuard can help (without getting in the way)

GhostGuard is designed to show a clear warning before sensitive actions on suspicious pages — especially when something about the domain or flow doesn’t match common safe patterns. It’s not a replacement for basic checks, but it helps reduce “I was in a rush” mistakes.

If you want to try it, see the download options page. If you’re evaluating for a team, see the pricing page (/pricing).

FAQ

What is the #1 sign a link is risky?

A domain that is not exactly what you expected — especially before login or payment.

Is a lock icon (HTTPS) enough?

No. HTTPS only means the connection is encrypted. Scam sites can have HTTPS too.

Are phishing links only in email?

No. They’re common in SMS, social DMs, ads, and even fake support pages found via search.

What should I do if I’m not sure?

Stop and re-open the brand from a bookmark or typed URL. If the request is real, you’ll be able to complete it safely.

Summary

  • Phishing succeeds when it steals your attention and time.
  • The best habit is reading the domain before login or payment.
  • Use a simple repeatable flow (pause → domain → context → safer path).
  • When in doubt, don’t continue on the link — go via a trusted route.
Tags: risky-links, login-pages, payments, email, sms