Internet Basics: Browsers, Search, Downloads, and Online Safety

New course

8 pages

All courses > Information Technology > Basic informatics ::

Understanding Links, URLs, and Website Identity

Capítulo 4

Estimated reading time: 6 minutes

+ Exercise

Links vs. URLs: What You’re Actually Clicking

A link (or hyperlink) is a clickable element on a page—text, a button, or an image—that takes you somewhere else. A URL (web address) is the destination the link points to.

Two links can look identical but lead to different places. For example, the visible text might say yourbank.com, but the URL behind it could be yourbànk.com or yourbank.com.login-check.example. Learning to read URLs helps you predict where you’ll land before you click.

Breakdown of a URL (with Real Examples)

Here is a typical URL with labeled parts:

https://accounts.example.com/settings/security?device=phone&ref=email#recovery

Part	Example	What it means
Protocol (scheme)	`https://`	How your browser connects to the site (rules for communication).
Subdomain	`accounts.`	A section of the site. Common ones: `www`, `mail`, `shop`, `login`.
Domain name	`example`	The main site name you intend to visit.
Top-level domain (TLD)	`.com`	Category/region ending such as `.com`, `.org`, `.net`, `.edu`, `.gov`, `.uk`.
Path	`/settings/security`	Specific page or section on that site.
Query string	`?device=phone&ref=email`	Extra parameters sent to the site (often tracking, filters, or navigation state).
Fragment	`#recovery`	Jumps to a section on the page; usually not sent to the server.

Key idea: the “real site” is the domain + TLD

In https://accounts.example.com/..., the core site identity is example.com. The subdomain (accounts) can be legitimate, but it’s still under example.com.

Compare these:

Continue in our app.

You can listen to the audiobook with the screen off, receive a free certificate for this course, and also have access to 5,000 other free online courses.

Or continue reading below...

Download the app

https://login.example.com → core site: example.com (likely legitimate if you expect it)
https://example.com.login-check.net → core site: login-check.net (not example.com)
https://example.com@login-check.net → core site: login-check.net (the example.com@ part is misleading)

How to Preview Where a Link Goes (Before Clicking)

On a computer (mouse/trackpad)

Hover your pointer over the link (do not click).
Look at the status bar (often bottom-left of the browser window) to see the destination URL.
Check the core domain carefully (domain + TLD). Ignore long paths and tracking text until you confirm the domain.
If it’s a button or image, hovering still usually shows the URL in the status bar.

On a phone/tablet (touch)

Press and hold the link (long-press).
A preview menu often appears showing the URL and options like “Open in new tab.”
Read the domain before choosing to open it.

Copy-and-check method (works on most devices)

Right-click (computer) or long-press (mobile) the link.
Select Copy link address (wording varies).
Paste it into a notes app or the browser address bar (do not press Enter yet).
Inspect the domain and spelling.

Shortened Links: What They Are and How to Handle Them

A shortened link is a compact URL that redirects to a longer one. Examples include formats like:

https://bit.ly/3AbCDef
https://t.co/xyz123
https://tinyurl.com/abcd

Short links are common in messages and social media, but they hide the final destination until you open them.

Safer ways to deal with shortened links

Prefer known sources: if it came from an official site/app you trust, it may be fine.
Use link preview features: some apps show a preview card with the destination domain.
Expand the link using a URL expander (a tool that shows the final destination) if your organization recommends one.
Be extra cautious if the message creates urgency (account locked, prize, invoice due) and uses a short link.

Recognizing Spoofed or Misspelled Domains

Attackers often register domains that look similar to a real one. Your goal is to notice small differences in the core domain.

Common tricks

Misspellings: paypaI.com (capital i) instead of paypal.com
Extra words: paypal-security.com (not the same as paypal.com)
Subdomain confusion: paypal.com.login-check.example (core domain is example)
Look-alike characters: some letters can be swapped with similar-looking characters from other alphabets (your browser may display them in a way that’s hard to notice)
Different TLD: example.net vs. example.com (could be legitimate, but don’t assume)

Quick checklist: “What is the real domain?”

Find the last two meaningful parts: domain.tld (example: example.com).
Ignore everything before it (subdomains) until you confirm the core domain.
Read it slowly, character by character if needed.

HTTPS and the Padlock: What It Means (and What It Doesn’t)

HTTPS means your connection to the website is encrypted in transit. This helps protect against someone on the same network reading or changing what you send (like passwords) while it travels.

How to check HTTPS

Look at the address bar: it should start with https://.
Look for the padlock icon (or a “tune/settings” icon that reveals security details).
Click the icon to view connection information (the exact wording varies by browser).

What HTTPS does guarantee

Your browser is using an encrypted connection to the site you’re connected to.
It reduces the risk of interception on public Wi‑Fi and similar networks.

What HTTPS does NOT guarantee

It does not guarantee the site is honest, safe, or official.
A scam site can also use HTTPS and show a padlock.
It does not mean the content is accurate or that the business is legitimate.

Use HTTPS as a minimum requirement for sensitive actions (signing in, payments), but still verify the domain carefully.

Guided Activity: Compare Safe vs. Suspicious URLs

Read each URL and answer two questions: (1) What is the core domain? (2) Does anything look suspicious?

URL	Core domain (domain + TLD)	Notes
`https://www.yourbank.com/login`	`yourbank.com`	Looks consistent; path is normal for sign-in.
`https://yourbank.com.security-check.info/login`	`security-check.info`	Suspicious: `yourbank.com` is only a subdomain.
`https://accounts.yourbank.com/settings`	`yourbank.com`	Likely legitimate subdomain; still verify you expected it.
`https://yourbànk.com/login`	`yourbànk.com`	Suspicious: look-alike character in the name.
`http://yourbank.com/login`	`yourbank.com`	Risky for sign-in: not HTTPS.
`https://yourbank.com@secure-login.net/`	`secure-login.net`	Suspicious: misleading `@` trick; real site is after `@`.
`https://secure-login.net/yourbank`	`secure-login.net`	Suspicious: bank name appears in the path, not the domain.
`https://bit.ly/3AbCDef`	`bit.ly`	Unknown destination until expanded; treat with caution.

Step-by-step: practice on your own (safe method)

Find a link in an email or message you received.
Hover (computer) or long-press (mobile) to preview the URL.
Identify the core domain and write it down.
Check for red flags: misspellings, extra words, strange TLD, @ symbol, or the brand name appearing only in a subdomain/path.
If it’s a shortened link, try to confirm the destination domain using a preview/expander method before opening.
Only proceed if the domain matches what you intended to visit.

Now answer the exercise about the content:

When previewing a link before clicking, what should you focus on first to confirm the website’s identity?

You are right! Congratulations, now go to the next page

You missed! Try again.

To verify where a link really goes, first identify the core domain (domain + TLD). Subdomains, paths, and tracking text can be misleading. HTTPS is important for encryption but does not prove a site is legitimate.