A friend once forwarded me a link and asked: "It says paypal.com, so it's PayPal, right?" Unfortunately, no. The most convincing fake links don't misspell the brand at all. They spell it perfectly, then bury it inside an address the brand doesn't own. One reading habit spots the trick: find the ending, and read right to left.

How does the trick work?

When someone registers a domain, say verify-account.net, they can put any text they like in front of it. Those extra pieces are called subdomains: the free-text words to the left of the domain, separated by dots. No permission is needed, and no connection to the brands they mention.

So whoever controls verify-account.net can create paypal.com.verify-account.net in about a minute. Your eye reads the familiar part at the front. The internet only reads the part at the back.

Real: paypal.com (the brand's registered domain)
Fake: paypal.com.verify-account.net (the actual domain is verify-account.net)

The same trick comes in three flavors: the brand as a subdomain (paypal.com.verify-account.net), the brand glued on with a hyphen (paypal.com-secure-login.info), and the brand parked in the middle of a longer name (secure-paypal-login.com). Every example address in this article is invented for illustration, but the shapes are the ones scammers actually use.

One rule for all three: read right to left

Every web address has exactly one part that identifies who you're dealing with: the registered domain. It's whatever sits immediately to the left of the last ending, the .com, .net or .info at the end of the hostname (the full dotted name before the first slash). Everything further left is decoration the owner typed in.

So don't read a link the way you read a sentence. Start at the end, find the ending, and read one step left. That's the name that matters.

One wrinkle: some endings are two words, like co.uk or com.au. This is why folk rules that count from the left ("the domain comes right after the third slash", "take the last two words") eventually break down, while anchoring on the ending holds up better: you find the ending first, however many words it takes, then read one step left.

Here's the rule applied to four addresses:

| The address | What your eye reads | The actual registered domain |
| --- | --- | --- |
| paypal.com.verify-account.net | paypal.com | verify-account.net |
| paypal.com-secure-login.info | paypal.com | com-secure-login.info |
| secure-paypal-login.com | a PayPal login page | secure-paypal-login.com (not paypal.com) |
| paypal.com.account-check.co.uk | paypal.com | account-check.co.uk |

The hyphen version deserves a second look, because it's the sneakiest of the family. In paypal.com-secure-login.info, the dot after "paypal" doesn't end the domain; it makes "paypal" a subdomain. The registered domain is com-secure-login.info, and the "com" your eye trusted is just the first three letters of a made-up name. Sneaky, isn't it? 😅

Real: paypal.com (the address ends in the brand's own name)
Fake: paypal.com-secure-login.info (the domain is com-secure-login.info; "paypal" is a subdomain)

And secure-paypal-login.com plays no subdomain games at all. The whole thing is one registered domain, just not one PayPal ever owned. Read right to left and it falls apart the same way: the ending is .com, the name before it is secure-paypal-login, and that is not paypal.

How does IP Tracker read these addresses?

IP Tracker applies the same rule, mechanically. When you paste a domain or a sender's email address into the popup, it first works out the registered domain using a bundled list of valid endings, including common two-word ones like co.uk, before any check runs.

Lookalike detection then runs on that extracted domain, not on the full hostname. A brand name buried in a subdomain can't distract the check, because the check never sees the decoration: paste paypal.com.verify-account.net and the lookalike check evaluates verify-account.net, by name. Brand entries also include official sibling domains (paypal.de-style regional addresses), so a brand's real regional domain isn't flagged by mistake.

Around that sit the other signals: Google Safe Browsing (Google's public list of reported dangerous sites), security-vendor verdicts from VirusTotal, community abuse reports, and the domain's creation date from WHOIS, the public record of who registered a domain and when. If the domain is under 90 days old, the result adds a "Registered N days ago" line as a corroborating detail, never a verdict on its own.

The honest limits: the lookalike list covers roughly 100 widely impersonated brands, not every brand. Google's list often lags behind brand-new phishing sites. IP Tracker flags what it finds and names the trick. It can't click for you, and it won't promise a site is safe.

How do you find the real domain in any link?

  1. Reveal the address without clicking. On a computer, hover over the link and read the full address in the corner of the window. On a phone, press and hold the link and choose "copy", not "open".
  2. Ignore everything after the first single slash. That's the path, the part after the domain, and it can be made to say anything, including another brand's name.
  3. Find the ending. It's the last piece after the final dot, and remember it can be two words: co.uk, com.au.
  4. Read one step left of the ending. That name plus the ending is the registered domain, the only part that says who you're dealing with.
  5. Compare it with the brand's real domain. If it doesn't match, or you're not sure, paste it into a checker like IP Tracker before typing anything. The free tier is 25 checks a day, no account needed, and only the value you paste is looked up.
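Steps 2 to 5 above, and the "work out the registered domain first" step described for IP Tracker, written out as an added example; this is not IP Tracker's code. The `ENDINGS` set is a small constructed sample rather than a full list of valid endings, and the function names and the `classify` labels are made up for this illustration.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample of endings; a real checker bundles a full suffix list.
ENDINGS = {"com", "net", "info", "de", "co.uk", "com.au"}

def hostname_of(link: str) -> str:
    """Lowercase hostname only: scheme, userinfo, port and path are dropped."""
    if not re.match(r"[a-z][a-z0-9+.-]*://", link, re.I):
        link = "//" + link  # make urlsplit treat a bare host as the netloc
    return (urlsplit(link).hostname or "").rstrip(".")

def registered_domain(link: str) -> Optional[str]:
    """Find the longest known ending, then keep exactly one label to its left."""
    labels = hostname_of(link).split(".")
    for i in range(len(labels)):  # i = 0 tries the longest candidate ending
        if ".".join(labels[i:]) in ENDINGS:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None  # ending is not in the sample list

def classify(link: str, brand: str = "paypal.com") -> str:
    """Name which of the article's three shapes, if any, a link uses."""
    host, reg = hostname_of(link), registered_domain(link)
    if reg is None:
        return "unknown ending"
    if reg == brand:
        return "matches brand"
    if brand + "." in host:
        return "brand as subdomain"
    if brand + "-" in host:
        return "brand glued on with a hyphen"
    if brand.split(".")[0] in reg:
        return "brand inside a longer name"
    return "unrelated"

if __name__ == "__main__":
    # Invented addresses, the same ones used in the table earlier in the article.
    for link in ["paypal.com.verify-account.net",
                 "paypal.com-secure-login.info",
                 "secure-paypal-login.com",
                 "https://paypal.com.account-check.co.uk/login"]:
        print(f"{link:46} {registered_domain(link):26} {classify(link)}")
```

A "matches brand" result only says the link ends in the brand's registered domain; an ending missing from the list returns `None` rather than a guess.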

But are long addresses automatically scams?

No, and this is the flip side worth stating plainly: real companies use odd-looking subdomains of their own domains all the time. accounts.google.com really is Google, because the registered domain is google.com. The question is never how long the hostname is. Only which domain it ends in.

Occasionally a real company even signs you in on a domain you don't recognize; Microsoft famously uses microsoftonline.com. When right-to-left reading leaves you unsure instead of reassured, that's precisely the moment for a second opinion, not a guess.

A clean result is a signal, not a promise. "Not flagged" means none of the checks found anything yet; brand-new scam domains often haven't been reported anywhere. Treat every result as input to your own judgment, especially when money or passwords are involved.

Whatever the tools say, keep the habit. A scammer can decorate everything to the left of the domain, but they can't register paypal.com itself. The closest they can get is a lookalike domain, and lookalikes are a different trick with their own tells. The registered domain is where the truth lives.

To summarize:

Find the ending; read right to left. That's the whole habit. 😎