Stop Telling People to “Just Look at the URL”: You're Not That Special
You’ve heard it before—hell, maybe you’ve said it before.
“You can spot a phishing site by checking the URL.” “It’s got a weird character in it, look closely.” “The domain looks almost the same.”
And you know what? That’s great advice—if you're a cybersecurity engineer with years of experience, an eye for homoglyph attacks, and time to squint at every single character before you log in.
But here’s the reality: you are not the user. And they are not you.
The Great URL Myth
Telling everyday users to "check the URL" is the security equivalent of telling people to spot counterfeit money by checking the watermark, serial number pattern, and ink density. It’s a nice idea, but it completely misses how people behave in the real world.
Hackers know this. That’s why homoglyph attacks exist.
Take these for example:
apple.com vs аррӏе.com – looks the same, but those are Cyrillic characters.
microsoft.com vs mícrosоft.com – go ahead, squint harder.
paypal.com vs paypaI.com – that’s a capital “i”, not an “l”.
And yes, even if your browser highlights the domain, and even if you blow the font size up to 200%, most people aren’t really looking. They’re conditioned to click links and go.
Security People, Calm Down
Here’s the tough pill to swallow for those of us in security: We are not the main characters.
Our job is not to make people become us—it’s to design systems that protect people as they are.
You don’t solve phishing by teaching every user to be a forensic linguist. You solve it by giving them tools that do the checking for them—and teaching them how to actually use those tools.
The Right Solution: Password Managers (And Not Just “Use It”)
Password managers aren’t just for storing passwords. They’re phishing protection tools.
When a user visits a fake site—even if it looks pixel-perfect—the password manager won’t autofill. Why? Because it matches domain, not design.
If gmail.com isn’t gmail.com, it doesn’t fill. That’s it.
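As an added illustration, not code from the original post: a small Python model of a password manager's autofill decision, run against look-alike domains of the kind shown above. The vault, the look-alike strings and the function names are constructed for this example; the point it makes is that a mixed-script heuristic catches some tricks, while exact domain matching catches all of them.

```python
import unicodedata

# Constructed sample vault (not from the post): credentials keyed by the
# exact hostname they were saved on. The look of the page plays no part.
VAULT = {
    "apple.com": ("alice", "correct-horse-battery-staple"),
    "paypal.com": ("alice", "another-strong-secret"),
}

# Constructed look-alikes mirroring the post's examples, written as code
# point escapes so the substitutions are visible in the source.
LOOKALIKE_APPLE = "\u0430\u0440\u0440\u04cf\u0435.com"  # every letter Cyrillic
LOOKALIKE_MS = "m\u00edcros\u043eft.com"                 # Latin i-acute, Cyrillic o
LOOKALIKE_PAYPAL = "paypaI.com"                          # capital I where l belongs

def canonical_host(host: str) -> str:
    """Reduce a hostname to the form the browser shows and the manager
    compares: NFC-normalised, lower-cased, IDNA-encoded (non-ASCII labels
    become xn-- punycode). Unencodable input is returned as-is; it can
    never equal a saved ASCII host, so it simply fails to match."""
    host = unicodedata.normalize("NFC", host.strip().rstrip(".")).lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host

def mixed_script_labels(host: str) -> list:
    """Labels mixing Unicode scripts (Latin + Cyrillic etc.), judged by the
    first word of each letter's Unicode name. Browsers run a check of this
    kind before rendering an IDN; note it flags the microsoft look-alike
    but not an all-Cyrillic label or the paypaI trick, which is why
    autofill has to rely on exact domain matching, not on this heuristic."""
    flagged = []
    for label in host.split("."):
        scripts = {unicodedata.name(c, "?").split()[0] for c in label if c.isalpha()}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged

def autofill_decision(page_host: str) -> dict:
    """Fill only when the canonical host exactly equals a saved one: the
    manager matches the domain, not the design."""
    canon = canonical_host(page_host)
    creds = VAULT.get(canon)
    return {"canonical": canon, "fill": creds is not None,
            "username": creds[0] if creds else None,
            "mixed_script": mixed_script_labels(page_host)}

if __name__ == "__main__":
    for host in ["apple.com", LOOKALIKE_APPLE, LOOKALIKE_MS, LOOKALIKE_PAYPAL]:
        print(host, autofill_decision(host))
```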
But there’s a catch:
Most users don’t know:
How to install a password manager.
Why browser-native managers are better than nothing but not always ideal.
That they shouldn’t “copy-paste” passwords from the manager to the site (this bypasses domain checking).
That using a master password like “123456” defeats the point.
We need to train users not just to “use a password manager” but to use it right. That’s our job now.
Shift the Narrative
Let’s stop this elitist gatekeeping that makes security feel like a secret club of URL detectives.
Instead:
Push password managers as essential security tools, not optional utilities.
Build onboarding and training that makes sense to normal people.
Reinforce the idea that tools protect you from tricks your eyes can’t catch.
TL;DR (because let’s be honest, people skim):
Homoglyph URLs are designed to fool the human eye.
Telling users to "check the URL" is a lazy, elitist approach to phishing.
The real answer is proper training + password managers.
Password managers stop phishing by refusing to autofill on fake domains.
We in security need to stop acting like we're the main character.
If you really want to protect users, stop teaching them to spot pixel-level deception. Start giving them tools that do it for them.
And maybe—just maybe—start listening to how normal people actually use the internet.