Almost every phishing attack funnels toward the same moment: you land on a sign-in page, type your username and password, and hand them straight to an attacker. The page looks right. The logo is correct. The form works. But the credentials go to a criminal, not the company.
These pages are effective because they’re convincing and because they prey on habit. Below are the signals worth checking — followed by an honest look at why even careful people still get caught.
1. Check the domain, character by character
The single most reliable tell is the web address. Attackers register lookalike domains using typos, extra words, or swapped characters: micros0ft-login.com, apple-id-verify.net, yourbank.secure-access.co. One 2024 study found more than 30,000 lookalike domains targeting just the 500 most-visited websites, over 10,000 of them confirmed malicious. [1]
Look at the hostname: the part after https:// and before the first single slash. The real domain is the end of that hostname, not the beginning, because anyone can put a familiar name in front of a domain they own. account.google.com is Google; google.com.login-secure.net is login-secure.net, and not Google at all.
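As an added example, not part of the original article and not SafeToOpen's own code, here is a small Python checker that applies the rule above: it pulls the registrable domain out of a URL and compares it with an allowlist of sites the user actually signs in to, then flags hostnames where a trusted brand name shows up somewhere other than the registrable domain. The public-suffix set, the allowlist and the confusable-character table are constructed stand-ins for the real lists a browser tool would load.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (https://publicsuffix.org/):
# the suffixes under which anyone can register a name. A real checker loads
# the full list; this handful is enough for the examples on this page.
PUBLIC_SUFFIXES = {"com", "net", "org", "co", "co.uk"}

# Assumed allowlist: the registrable domains of the sites the user actually
# signs in to. In a browser tool this would come from saved logins.
TRUSTED_DOMAINS = {"google.com", "microsoft.com", "apple.com"}

# Constructed table of digit/symbol substitutions used to mimic letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})


def registrable_domain(url: str) -> str:
    """Return the part of the hostname that someone had to register: the
    label just left of the public suffix, plus the suffix itself.

    https://account.google.com/signin          -> google.com
    https://google.com.login-secure.net/signin -> login-secure.net
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Walk from the full hostname toward the right so the longest public
    # suffix wins ("co.uk" is matched before a bare "uk" could be).
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host


def classify_login_url(url: str) -> tuple[str, str]:
    """Classify the URL a login form was served from.

    Returns (verdict, reason) where verdict is "trusted", "lookalike" or
    "unknown". Only "trusted" should be treated as safe; "unknown" still
    means the page is not one of the user's known sites.
    """
    # urlsplit().hostname already discards any user@ prefix, so a URL like
    # https://account.google.com@secure-access.co/ resolves to the real host.
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "unknown", "no hostname in URL"
    domain = registrable_domain(url)
    if domain in TRUSTED_DOMAINS:
        return "trusted", f"registrable domain {domain} is on the allowlist"
    # Undo digit-for-letter swaps so micros0ft reads as microsoft.
    normalized = host.translate(CONFUSABLES)
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in host or brand in normalized:
            return ("lookalike",
                    f"'{brand}' appears in {host} but the registrable domain is {domain}")
    return "unknown", f"registrable domain {domain} is not on the allowlist"


if __name__ == "__main__":
    # Constructed sample URLs, including the lookalikes named in the article.
    for sample in [
        "https://account.google.com/signin",
        "https://google.com.login-secure.net/signin",
        "https://micros0ft-login.com/",
        "https://apple-id-verify.net/verify",
        "https://account.google.com@secure-access.co/login",
    ]:
        verdict, reason = classify_login_url(sample)
        print(f"{verdict:9} {sample}  ({reason})")
```

The checker deliberately reports "unknown" rather than "safe" for any domain it cannot match: a page on a domain the user has never signed in to is exactly the situation the article says deserves a pause, whether or not it resembles a known brand.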
2. Don’t trust the padlock alone
You may have been taught that a padlock (HTTPS) means a site is safe. It no longer does. Roughly 80% of phishing sites now use HTTPS, precisely because people were trained to look for it. [2] The padlock means the connection is encrypted — not that the site is honest.
3. Be suspicious of how you arrived
Legitimate sign-in prompts usually come from you — you went to the site. Phishing prompts come from a message that creates urgency: a “suspended account,” a “failed payment,” a “document to review.” If a link or QR code took you to a login page, slow down. The Verizon DBIR found the median person clicks a phishing link in about 21 seconds — urgency is the weapon. [3]
4. Watch for off details
- The page asks for more than usual — your password and your card number, or your one-time code on a screen that shouldn’t need it.
- Links around the page are dead, or all point to the same place.
- The branding is slightly stale — an old logo, a wrong typeface, a region that doesn’t match.
- The domain was registered very recently. (Brand-new domains imitating established brands are a major red flag.)
Why the checklist isn’t enough
Here’s the uncomfortable truth: this advice helps, but it asks every person to be a forensic analyst, every time, under pressure. Attackers specifically engineer pages to pass casual inspection — perfect clones, valid HTTPS, near-identical domains. And infostealer malware delivered through these pages rose 84% year over year in IBM’s 2025 analysis, capturing not just passwords but session tokens that can sidestep multi-factor authentication entirely. [4]
The reliable fix is to not rely on the human eye as the only line of defence. A tool that inspects the page itself — its structure, its behaviour, the age and legitimacy of its domain — can flag a fake the instant it loads, before anyone types anything.
Let your browser do the checking
SafeToOpen Browser Security inspects each page in real time and blocks fake login pages — including brand-new ones — before you enter a password.
The takeaway
Checking the domain, ignoring the padlock-as-proof, and distrusting urgency will catch many fakes. But the most convincing pages are built to beat exactly those checks. Treat the signs as your first filter — and let real-time page analysis be the backstop for the ones that get through.