
How to Check if a Link Is Safe Before Clicking (2026 Guide)

Lunyb Security Team

Every day, more than 3.4 billion phishing emails are sent worldwide, and a single careless click can drain a bank account, lock up a business, or hand criminals the keys to your digital identity. Knowing how to check if a link is safe before clicking is no longer a niche skill for IT professionals — it's a basic literacy requirement for anyone who uses the internet.

The good news: most malicious links reveal themselves within seconds if you know where to look. This guide walks you through nine practical methods, from quick visual inspection to free online scanners, so you can verify any URL with confidence.

Why Checking Links Before Clicking Matters

A malicious link is a URL designed to harm the user who clicks it, typically by delivering malware, stealing credentials through a fake login page, or triggering an unauthorized download. According to the FBI's 2024 Internet Crime Report, phishing remained the top reported cybercrime, with losses exceeding $18 billion globally.

Attackers favor links because they bypass most security software. Antivirus tools scan files; firewalls block ports — but a clean-looking URL inside a familiar email slips through both. The defense layer that matters most is you, the human reading the message before clicking.

Common Threats Hiding Behind Bad Links

  • Phishing pages: Cloned login screens for banks, Microsoft 365, PayPal, or social media designed to harvest passwords.
  • Drive-by malware: Sites that exploit browser vulnerabilities to install malware without your interaction.
  • Tech-support scams: Pop-ups that lock the browser and demand a phone call.
  • Cryptocurrency drainers: Fake wallet connection prompts that empty your funds in one signature.
  • Affiliate or ad fraud: Redirects through shady networks that may also drop tracking malware.

9 Proven Ways to Check if a Link Is Safe

1. Hover Before You Click

The simplest test takes one second. On a desktop browser or email client, hover your cursor over the link without clicking. The real destination URL appears in the bottom-left corner of the window or as a tooltip. On mobile, press and hold the link to preview the destination.

Compare the visible link text with the actual URL. If an email says "Sign in to PayPal" but the hover preview shows http://paypa1-secure.ru/login, that mismatch is your first red flag.

2. Inspect the Domain Carefully

The domain is the part between https:// and the next /. Read it from right to left. The true owner sits immediately to the left of the top-level domain (.com, .org, .net).

For example, in https://accounts.google.com.security-check.tk/login, the real domain is security-check.tk — not Google. Attackers love subdomains because most users only scan the start of a URL.

3. Watch for Typosquatting and Homograph Tricks

Typosquatting uses domains that resemble legitimate brands: arnazon.com (rn instead of m), microsft.com, g00gle.com. Homograph attacks go further by using non-Latin characters that look identical to English letters — a Cyrillic "а" instead of a Latin "a," for instance.

If a domain looks correct but feels off, copy it into a plain text editor. Suspicious Unicode characters often appear differently outside the styled browser bar.
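The checks from methods 2 and 3 can be scripted. The following is an added example, not code from the original article: it reads the host right to left to find the registrable domain, then names every non-ASCII character in the host and shows its punycode form. The function names and the short suffix sample are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: real tooling
# should load the full list instead of this three-entry sample).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url):
    """Return the label left of the public suffix, plus the suffix itself."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return host
    # Read right to left: suffixes such as co.uk span two labels.
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def homograph_report(url):
    """Name non-ASCII characters in the host and show its punycode form."""
    host = urlsplit(url).hostname or ""
    odd = [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host if ord(ch) > 127]
    # The first word of a Unicode character name is its script (LATIN, CYRILLIC).
    scripts = {unicodedata.name(ch, "?").split()[0] for ch in host if ch.isalpha()}
    try:
        ascii_form = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None  # host cannot be encoded as IDNA
    return {"non_ascii": odd, "mixed_scripts": len(scripts) > 1,
            "ascii_form": ascii_form}


if __name__ == "__main__":
    # Sample URLs taken from the article; \u0430 is the Cyrillic letter.
    print(registrable_domain("https://accounts.google.com.security-check.tk/login"))
    print(homograph_report("https://\u0430pple.com/login"))
```

A host whose `ascii_form` starts with `xn--` while the address bar shows a familiar brand is the homograph case described above.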

4. Use a Free URL Scanner

When in doubt, paste the URL into a dedicated scanner. These services check the link against threat intelligence databases and, in some cases, load the page in a sandboxed environment.

| Scanner | What It Does | Best For |
|---|---|---|
| VirusTotal | Aggregates 90+ antivirus and blocklist engines | Quick reputation check |
| URLVoid | Scans against 30+ blacklist services | Domain reputation |
| Google Safe Browsing | Checks Google's malware/phishing database | Verifying flagged sites |
| urlscan.io | Loads URL in sandbox, captures screenshots | Inspecting suspicious pages safely |
| PhishTank | Community-reported phishing URLs | Verifying known phishing |

Run any unfamiliar link through at least two scanners. Brand-new phishing sites can take hours to appear in databases, so a clean result isn't a guarantee — but a flagged result is almost always accurate.

5. Expand Shortened URLs

Shortened links from services like Bitly, TinyURL, or t.co hide the destination. Before clicking a shortener, expand it using a tool like CheckShortURL, Unshorten.it, or ExpandURL. These services reveal the final destination without sending your browser there.

Reputable shortening platforms now include built-in protections. Lunyb, for example, scans destinations against malware and phishing blocklists before redirecting users, blocking known threats automatically. You can read more about how modern shorteners handle safety in our Lunyb review and our Bitly review.

6. Verify HTTPS — But Don't Trust It Blindly

HTTPS (the padlock icon) means traffic between you and the site is encrypted. It does not mean the site itself is safe. Free SSL certificates are easy to obtain, and over 80% of phishing sites now use HTTPS.

Treat the padlock as the bare minimum. A missing padlock on a login page is a hard stop; a present padlock simply means "keep evaluating."

7. Check Domain Age and WHOIS Records

Phishing domains are typically registered days or weeks before an attack. A WHOIS lookup using whois.com or who.is reveals when a domain was registered, by whom (when not redacted), and where the servers are located.

Rules of thumb:

  • Domain registered less than 90 days ago: high suspicion for any brand impersonation.
  • Privacy-protected registration on a "corporate" site: worth a second look.
  • Mismatched country of registration vs. the brand it claims to represent: red flag.

8. Look for Context Clues in the Message

Links almost never travel alone. The surrounding email, text, or social post often gives away the scam:

  1. Urgency: "Your account will be suspended in 24 hours."
  2. Generic greetings: "Dear Customer" instead of your name.
  3. Spelling and grammar errors in supposedly corporate communications.
  4. Mismatched sender domain: An email from "support@paypal-help.co" rather than "@paypal.com."
  5. Unexpected attachments alongside the link.

If two or more of these are present, treat the link as hostile by default.

9. Open Suspicious Links in a Sandboxed Environment

If you absolutely must visit a questionable URL — for research, work, or curiosity — never use your daily browser. Options include:

  • urlscan.io or Browserling — view the page remotely without ever loading it on your device.
  • A virtual machine with no saved credentials.
  • A privacy-focused browser in a fresh, isolated profile. See our guide to the best privacy-focused browsers in 2026.
  • A VPN combined with private browsing for an extra layer of separation. We break down what each actually protects in Private Browsing vs VPN.

Red Flags to Memorize

Train your eye on these patterns so they trigger an instinctive pause:

| Red Flag | Example | Risk Level |
|---|---|---|
| IP address instead of domain | http://192.168.4.21/login | Very High |
| Excessive subdomains | secure.login.update.brand.xyz.com | High |
| Unusual TLD for a major brand | microsoft-update.tk | High |
| Hyphenated brand names | apple-id-verify.com | High |
| Encoded characters | %2E%2E%2F or excessive %20s | Medium |
| Nested redirects | site.com/redirect?url=... | Medium |
| Non-Latin characters in domain | аpple.com (Cyrillic а) | Very High |
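The table translates directly into a triage function for a mail filter or a help-desk script. This is an added example, not code from the original article; the brand list, TLD watchlist, thresholds and flag names are assumptions chosen for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed watchlists and thresholds; tune them to your own environment.
BRANDS = ("apple", "microsoft", "paypal", "google")
WATCHED_TLDS = {"tk", "ru"}
MAX_LABELS = 4          # more dot-separated labels than this is "excessive"
MAX_ENCODED = 3         # this many %XX sequences or more is "encoded"


def red_flags(url):
    """Return the names of the red flags from the table that apply to url."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.split(".")
    flags = []
    try:
        ipaddress.ip_address(host)
        flags.append("ip-address-host")
    except ValueError:
        # Name-based checks only make sense when the host is not an IP literal.
        if len(labels) > MAX_LABELS:
            flags.append("excessive-subdomains")
        has_brand = any(brand in host for brand in BRANDS)
        if has_brand and labels[-1] in WATCHED_TLDS:
            flags.append("unusual-tld-for-brand")
        if has_brand and "-" in host:
            flags.append("hyphenated-brand")
        if not host.isascii():
            flags.append("non-latin-characters")
    # urlsplit leaves percent-encoding intact, so the raw sequences are countable.
    raw = parts.path + "?" + parts.query
    if len(re.findall(r"%[0-9A-Fa-f]{2}", raw)) >= MAX_ENCODED:
        flags.append("encoded-characters")
    # A query value that is itself an http(s) URL points at a redirect hop.
    if any(urlsplit(v).scheme in ("http", "https") for _, v in parse_qsl(parts.query)):
        flags.append("nested-redirect")
    return flags


if __name__ == "__main__":
    for sample in ("http://192.168.4.21/login", "http://microsoft-update.tk/",
                   "https://www.paypal.com/signin"):  # examples from the table
        print(sample, red_flags(sample))
```

An empty list means none of these heuristics fired, not that the link is safe; the scanner and WHOIS checks above still apply.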

What to Do If You Already Clicked

Mistakes happen. If you suspect you clicked a malicious link, act fast:

  1. Disconnect from the internet if a download started or a strange app opened.
  2. Do not enter credentials on the page that opened, even if it looks legitimate.
  3. Run a full antivirus scan using your built-in tool (Microsoft Defender, XProtect) plus a second opinion like Malwarebytes.
  4. Change passwords for any account that may have been exposed, starting with email and banking. Use a different device if possible.
  5. Enable two-factor authentication on every important account if you haven't already.
  6. Monitor financial statements for the next 30 days and consider a credit freeze if sensitive data was entered.
  7. Report the link to Google Safe Browsing, PhishTank, and the impersonated brand so others are protected.

Building Long-Term Habits

Tools help, but consistent habits prevent the vast majority of incidents. Adopt these as defaults:

  • Type bank, email, and government URLs directly into the address bar instead of clicking links.
  • Bookmark the real login pages of services you use often.
  • Use a password manager — it auto-fills only on the genuine domain, refusing fake lookalikes.
  • Keep your browser and OS updated; many drive-by attacks target unpatched flaws.
  • When you share links yourself, use a reputable shortener with built-in malware scanning. Our comparison of Lunyb vs competitors covers which providers prioritize link safety.

Frequently Asked Questions

Is it safe to click a link just to see where it leads?

No. Some malicious sites exploit browser vulnerabilities the moment they load — no further interaction required. Always preview the URL with a scanner like urlscan.io, which renders the page remotely and shows you a screenshot without exposing your device.

Are shortened links automatically dangerous?

Not at all. Shortened links are a normal part of the web, used everywhere from newsletters to social posts. The risk lies in the unknown destination. Use an expander tool, or rely on shorteners that perform automatic safety checks before redirecting users.

Does HTTPS mean a website is safe?

HTTPS only confirms that data between you and the server is encrypted. It says nothing about who owns the server or what they intend to do with your information. The majority of modern phishing sites use HTTPS, so treat the padlock as a baseline rather than a stamp of trust.

Can my antivirus catch every malicious link?

No antivirus is 100% effective, especially against zero-day phishing pages registered hours before being sent. Layered defense — antivirus plus DNS filtering plus careful human inspection — provides far better protection than any single tool.

What's the fastest way to check a link on mobile?

Press and hold the link to preview the full URL. If it looks suspicious, copy it (don't open it) and paste it into VirusTotal or Google Safe Browsing in your browser. Most mobile browsers also include built-in safe-browsing protection — keep it enabled in your settings.

Final Thoughts

Checking a link before clicking takes less time than recovering from a single phishing attack. Train yourself to hover, inspect the domain, watch for the classic red flags, and lean on free scanners whenever something feels wrong. Combine those habits with a password manager, two-factor authentication, and updated software, and you'll defuse the overwhelming majority of attacks aimed at you.

The internet rewards skepticism. When in doubt, don't click — verify first.
