How to spot a phishing domain
The most common scam category and the easiest to defend against, once you know what to look for.
What it is
A phishing domain is a web address designed to look like a real brand's site. The attacker registers something close to the real domain, builds a copy of the login page, and sends links to victims via email, SMS, or DMs. When the victim signs in, the credentials go straight to the attacker.
The four signals
Real banks, exchanges, and government services use short, recognisable web addresses. Fakes try to look like the real thing without being it. Watch for: (1) extra words after the brand name, like paypal-secure-login.com (real PayPal is paypal.com); (2) small spelling changes, like amaz0n.com with a zero; (3) unusual TLDs, like a 'bank login' page ending in .online or .xyz; (4) padding subdomains, like commbank.update.com.cn where the real-looking part is buried inside a longer fake.
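The four signals above, written as a small checker. This is an added example, not AVA's scoring method; the brand list, the suffix list, the "unusual" TLD set and the look-alike digit map are constructed assumptions, and a real tool would use the full Public Suffix List.

```python
# Illustrative sketch only. All tables below are constructed sample data.
BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com",
          "commbank": "commbank.com.au"}
MULTI_SUFFIXES = {"com.au", "com.cn", "co.uk"}   # stand-in for the Public Suffix List
UNUSUAL_TLDS = {"online", "xyz"}                 # the two TLDs named in the text
LOOKALIKES = str.maketrans("01345", "oleas")     # 0->o, 1->l, 3->e, 4->a, 5->s


def split_host(host):
    """Split a hostname into (subdomain labels, registrable label, suffix)."""
    labels = host.lower().rstrip(".").split(".")
    n = 2 if ".".join(labels[-2:]) in MULTI_SUFFIXES else 1
    if len(labels) <= n:                         # bare suffix or single label
        return [], "", ".".join(labels)
    return labels[:-n - 1], labels[-n - 1], ".".join(labels[-n:])


def check_domain(host):
    """Return the list of signals (from the four above) that a hostname trips."""
    subs, name, suffix = split_host(host)
    if f"{name}.{suffix}" in BRANDS.values():
        return []                                # the real site or a subdomain of it
    signals = []
    normalised = name.translate(LOOKALIKES)
    for brand in BRANDS:
        if brand in subs:                        # (4) brand buried in a subdomain
            signals.append("padding-subdomain")
        if name != brand and brand in name.split("-"):
            signals.append("extra-words")        # (1) brand plus extra words
        elif name != brand and brand in normalised.split("-"):
            signals.append("spelling-change")    # (2) digit swapped for a letter
    if suffix.split(".")[-1] in UNUSUAL_TLDS:    # (3) unusual TLD
        signals.append("unusual-tld")
    return signals


if __name__ == "__main__":
    for h in ("paypal.com", "paypal-secure-login.com", "amaz0n.com",
              "bank-login.xyz", "commbank.update.com.cn"):
        print(f"{h:28} {check_domain(h) or 'no signals'}")
```

An empty result only means none of these four checks fired; it is not a verdict that the domain is safe.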
Where AVA fits
For any domain you can paste in, AVA combines multiple independent signals to produce a 0-to-100 trust score with explainable reasoning. See the public how-it-works summary for our methodology overview.
What to do
Slow down. Read the part of the URL right before the .com (or .com.au) carefully. That is the part criminals cannot fake. If you are unsure, paste the URL into AVA. The check is free.
Practice spotting this in AVA Scam Hunter
The more you see, the faster you spot. Play AVA Scam Hunter — free, 3 minutes, no signup needed.
📚 Read the full lesson at AVA Academy
This page is a quick spotter card. The full plain-English lesson lives in the AVA Academy.