How to spot a phishing site
Check the domain. Read it right‑to‑left: the true site is the last two labels before the first slash.
🔒
https://login.microsoftonline.com.signin.secure.thisisfugazi.com/account
- Verify the domain. The registrable domain is the last two labels before the first slash (e.g., microsoft.com). Anything to the left can be a trick: accounts.microsoft.com.attacker.com is actually attacker.com.
- Padlock ≠ trustworthy. HTTPS means encryption only. Attackers get free certificates, so the lock icon doesn’t validate who owns the site — the domain does.
- Avoid email-triggered logins. Phishing emails rush you to click. Instead, open a new tab and type the address or use a saved bookmark. On mobile, long‑press links to preview the real URL.
- Use MFA and report fast. MFA blocks most takeovers even if a password leaks. If you clicked or entered anything, change your password and notify Greenwire Solutions immediately.