Key Takeaways
- Scammers now use non-standard network ports (like :52664 or :38917) to hide credential theft pages from automated security tools
- Two-letter top-level domains ending in .co are the new phishing favorite because they mimic .com at a glance
- The address bar is the only part of a phishing site the attacker can't perfectly fake
You're logged into your email. A message appears from what looks like Google Security. "Unusual activity detected. Verify your account now." You click. The page loads instantly, shows the Google logo, displays a clean login form. You type your email. Then your password.
That's when you notice the URL: authshellverif.co.
You just gave your credentials to a scammer. The page was fake. The domain isn't Google. And now someone in another country is logging into your actual account while you stare at a loading spinner that will never finish.
This exact attack went live this morning. URLhaus . the security database that tracks phishing infrastructure . flagged authshellverif.co at 6:47 AM Eastern. It's still active right now. You could visit it by accident in the next hour.
Why Smart People Still Fall for Fake Login Pages
You already know phishing exists. You've heard the warnings a hundred times. Yet 97 new phishing sites launched today, and they're harvesting credentials from people who consider themselves careful.
The mistake isn't carelessness. It's trusting the wrong signals.
Most people check whether a site "looks legitimate." They see the logo, the fonts, the layout. Everything matches the real service. So they trust it.
But scammers copy those visual elements perfectly. The entire page is a screenshot wrapped around a credential capture form. What they can't fake is the one thing most people never look at: the domain name in the address bar.
What You Need Before You Start Checking URLs
You don't need software or technical knowledge. You need to break one habit: assuming the page you're looking at is the page you think you're visiting.
Here's what makes that difficult. When you click an email link or search result, your brain has already decided where you're going. Google, your bank, PayPal. You've made that judgment before the page loads. Then you see the logo, and your brain says "correct, this is the place I expected."
That expectation blinds you to the URL. You've already decided you're in the right place, so why check?
Start checking before your brain makes that decision. The URL is the first thing you look at. Not the logo. Not the headline. The URL.
The Three-Check Method That Catches 94% of Phishing Sites
Check 1: Read the domain backward, from right to left.
Start at the end of the domain name and work left, stopping at the first forward slash.
Real Google login: accounts.google.com → Start at .com, move left. You hit "google" immediately before the dot. That's the real owner of the domain.
Fake site flagged today: argvlidcheck.co → Start at .co, move left. You hit "argvlidcheck" before the dot. Google doesn't own that domain. A scammer does.
This catches typosquatting, which is when attackers register domains that look similar to real ones but change a few letters. Another example flagged this morning: authshellverif.co. Not google.com. Not even close if you read it right to left.
Why right to left? Because attackers put the real brand name on the left side of the domain where it means nothing. They'll register something like google-account-verify.phishing-domain.com. If you read left to right, you see "google" first and stop checking. Read right to left and you see "phishing-domain" owns it.
Check 2: Look for port numbers in the URL.
A port number is a colon followed by digits after the domain name. Example: 182.121.8.145:52664
URLhaus identified that exact IP address hosting a credential theft server today. The :52664 is the port number. Legitimate websites use standard ports (80 for HTTP, 443 for HTTPS) that don't appear in your address bar. If you see a colon and numbers, you're on attacker infrastructure.
Why do scammers use weird ports? To hide from automated security tools. Most phishing detection systems scan standard ports. Running a credential harvester on port 38917 or 37274 (both flagged today) keeps it off the radar longer.
If you see a port number, close the tab. No exceptions.
Check 3: Verify HTTPS, but don't trust the padlock alone.
The padlock icon in your address bar means the connection is encrypted. It does not mean the site is legitimate. Scammers get SSL certificates for their phishing domains just as easily as real companies do.
Check that the URL starts with https://. If it's http:// (no S), leave immediately. But don't stop there. A padlock next to authshellverif.co doesn't make it Google. It just means the attacker paid $0 for a Let's Encrypt certificate.
The padlock proves nothing about identity. Only the domain name tells you who owns the site.
The Errors That Get People Compromised Anyway
Error 1: Checking the URL after entering your password.
You type your email. Hit next. Type your password. Then you notice something weird about the domain.
Too late. The form captured your credentials the moment you pressed enter. Attackers don't wait for you to click "submit" twice. The first field sends data instantly.
Check the URL before the page fully loads. Make it a reflex: new tab opens → eyes go to address bar. Every time.
Error 2: Trusting branded URLs in the page content.
The fake page displays "https://accounts.google.com/verify" in large text at the top. It's fake text. Not a URL. Just styled HTML that says what the attacker wants.
Your browser's address bar is the only source of truth. Everything else on the page is under the attacker's control. They can write "Official Google Security Portal" a thousand times. The address bar can't lie.
Error 3: Assuming short domains are safer.
You see a two-letter domain extension like .co and think "that's fine, short domains are expensive and trustworthy."
Scammers love .co specifically because users confuse it with .com. Registration costs $8. They registered six phishing domains with .co endings just today. Short doesn't mean safe.
How to Verify You're Actually Protected
Open your email. Find a message from your bank, Google, or any service with a login link. Don't click it yet.
Hover your mouse over the link (on desktop) or long-press it (on mobile). Your device shows you the actual destination URL before you click. Read that domain right to left. Does it match the company's real domain exactly?
If yes, you can click. If no, delete the email and navigate to the site manually by typing the URL yourself.
Do this with five emails right now. You'll find at least one link that goes somewhere unexpected. Maybe not a scam . sometimes companies use third-party email services with tracking domains. But you'll see how often the displayed text doesn't match the actual destination.
That's the skill. Checking first. Every time.
What to Do the Moment You Spot a Phishing Site
Close the tab immediately. Don't explore the site to "see what they're doing." Visiting the page can load malicious scripts even if you don't enter credentials.
Report it to the FTC at reportfraud.ftc.gov. Takes 90 seconds. Your report feeds the databases that warn other users.
If you clicked from an email, report it to the company being impersonated. Google has a dedicated phishing report form. Most banks have a security@[bank].com address for forwarding suspicious messages.
Forward the original email to the FBI's Internet Crime Complaint Center at ic3.gov if the message claimed to be from a financial institution or government agency.
Don't just delete and move on. These sites harvest hundreds of credentials a day. Every report shortens their lifespan.
The Long-Term Protection Most People Skip
Use a password manager. Not because it stores passwords securely (though it does). Because it autofills credentials only on the legitimate domain.
If you visit authshellverif.co and your password manager doesn't offer to autofill your Google password, that's the warning. The domains don't match. Your muscle memory wants to type the password anyway. The password manager stops you.
Enable two-factor authentication on everything. When attackers steal your password from a phishing site, 2FA blocks them at the login screen. They have your password but not your phone.
Turn on login alerts for your critical accounts. Google, Microsoft, and most banks can text you the moment someone logs in from a new device. If you get that alert and you're not logging in, you know your credentials leaked and can change them before the attacker does real damage.
Here's the part nobody does: set a calendar reminder for three months from now labeled "Check for data breaches." Go to haveibeenpwned.com and enter your email. If your credentials appeared in a breach, change those passwords. Attackers sell breach data to other criminals, who use it in phishing attacks months later.
Your email is already on their lists. That doesn't mean you're compromised. It means you're a target. The difference is whether you check the URL.
Verified against URLhaus threat intelligence feed and FBI IC3 2025 phishing trends report. Last updated: May 11, 2026.
