What a phishing link is
A phishing link is a web address crafted to look like it belongs to a company or service you trust, so that visiting it hands an attacker something valuable: your password, your card number, or a foothold on your device. The page it opens is a decoy. It might be a pixel-perfect copy of a bank sign-in screen, a shared-document prompt, or a parcel-tracking form, and its only job is to collect what you type or to talk you into running a file. CISA describes phishing as social engineering that solicits personal information by posing as a trustworthy source, and the link is the hook that carries you to the fake.
The link matters because a web address is easy to disguise and hard to read at a glance. A few characters in the wrong place send you somewhere you never meant to go, while the visible text still reads as something reassuring.
How a phishing link is built
Attackers lean on a handful of tricks to make a hostile address look friendly:
- Look-alike domains. A domain registered to read almost like the real one, swapping a character (paypa1.com for paypal.com) or bolting on an extra word (secure-paypal-login.com). It is a genuine domain the attacker controls, so it can host a convincing page and even show a valid padlock.
- Subdomain stacking. The trusted name is pushed to the front as a subdomain, as in paypal.com.account-verify.net. The real destination is the part just before the first single slash (account-verify.net here), not whatever appears earliest.
- Homograph and punycode tricks. Some letters from other alphabets are near-identical to Latin ones. An address that swaps in a look-alike character can read like a familiar brand while resolving somewhere else, and browsers expose these as an
xn--punycode name when you inspect them. - Shortened and redirect links. A bit.ly or similar short link hides the destination completely until you follow it, and an open redirect on a legitimate site can bounce you onward to the fake.
- Credentials in the address. An older trick puts text before an
@sign, as inhttps://yourbank.com@evil.example. A browser ignores everything before the@, so the real host is evil.example.
None of these need a flaw in your browser. They exploit the way people skim an address rather than read it. The phishing URL checker unpacks a suspicious link and shows you where it really goes, and how to tell if a link is safe walks through reading one by eye.
How phishing links reach you
Most arrive inside a message that manufactures a reason to hurry. The FTC and NCSC point to the same delivery routes, email, text message, and phone call, wrapped around a story you will want to act on quickly. Common ones are a warning about suspicious sign-in activity, a fake invoice for something you never bought, a delivery that supposedly needs a small fee or a corrected address, and a refund waiting to be claimed. Here is a reliable anchor: a legitimate company will not email or text you a link to confirm a password or payment detail out of the blue. When a message pushes you toward a link and a deadline in the same breath, that pairing is itself the warning sign.
Links also travel through channels people trust more than email, including social-media direct messages, QR codes printed on posters or invoices, calendar invitations, and search ads sitting just above the real result.
What actually happens when you click
Clicking is not the same as being hacked. Opening the link loads a page, and the harm usually needs a further step from you: typing your password into the fake form, or opening a file it offers. Infection from the visit alone is possible but uncommon, and it depends on an unpatched browser or operating system, which is why keeping software current closes most of that gap. The FTC states the two main outcomes plainly: a phishing link may lead to a request for personal information, or it may download malware. Browsers screen many known-bad addresses through services like Google Safe Browsing and show a full-page red warning, though that list always lags brand-new pages, so treat it as a safety net rather than a guarantee. What happens if you click a phishing link breaks down each outcome and how much a single click really risks.
What to do about it
If a link looks wrong, do not click it. Reach the site by typing its address yourself or using a bookmark you already trust, exactly as CISA advises, instead of following the link in the message. When you want a second opinion on a specific address before opening it, run it through the phishing URL checker.
If you have already clicked, the priority is what you did next. Entering a password calls for changing it and turning on two-factor authentication; downloading a file calls for a malware scan. What to do if you clicked a phishing link sets out the recovery steps in order, including when to worry and when you can ease off.