How to Check if a Link Is Safe Before Clicking: 2026 Guide
Every day, more than 3 billion phishing emails are sent worldwide, and a single careless click can hand over your passwords, drain your bank account, or install ransomware on your device. The good news? You don't need to be a cybersecurity expert to protect yourself. With a handful of free tools and a few simple habits, you can verify almost any link in under 30 seconds.
This guide walks you through exactly how to check if a link is safe before clicking, whether it arrives in an email, text message, social media post, or shortened URL.
Why Checking Links Matters More Than Ever in 2026
A malicious link is the entry point for over 80% of cyberattacks against individuals. Modern phishing pages are pixel-perfect copies of legitimate services like PayPal, Microsoft 365, or your bank — and AI-generated scams have made spotting fakes by eye nearly impossible.
Clicking a single bad link can lead to:
- Credential theft — fake login pages capture your username and password.
- Drive-by malware downloads — some sites install spyware just by loading.
- Financial fraud — fake payment pages or cryptocurrency drainers.
- Identity theft — phishing forms that harvest your personal data.
- Account takeover — session cookies stolen via malicious scripts.
7 Quick Red Flags of an Unsafe Link
Before using any tool, train your eye to spot the most common warning signs. If a link shows two or more of these traits, treat it as suspicious.
- Misspelled domains — paypa1.com, amaz0n-security.net, microsft-login.com.
- Unusual TLDs on a brand link — a Netflix email pointing to .xyz, .top, .click, or .zip.
- Excessive subdomains — login.secure.account.paypal.verify-us.com (the real domain is the part right before the TLD).
- HTTP instead of HTTPS — no padlock means traffic is unencrypted.
- URL shorteners hiding the destination — bit.ly, t.co, tinyurl links without context.
- Urgency or threats — "Your account will be closed in 24 hours, click here now."
- Unexpected attachments or downloads triggered by clicking the link.
Step-by-Step: How to Check if a Link Is Safe
Follow this checklist whenever you're unsure about a URL. It takes less than a minute and works on any device.
Step 1: Hover Before You Click
On desktop, hover your mouse over the link without clicking. The real destination appears in the bottom-left corner of your browser or email client. On mobile, press and hold the link to preview the URL in a popup. Compare what you see with what the link text claims.
Step 2: Inspect the Domain Carefully
Read the domain from right to left. The true owner is the word immediately before the top-level domain (.com, .org, etc.). For example, in support.apple.com.verify-id.ru, the actual domain is verify-id.ru, not Apple.
Step 3: Expand Shortened URLs
If the link is shortened, never click it blindly. Use a URL expander to reveal the full destination first. Trusted shorteners like Lunyb include built-in safety scanning, but third-party links should always be checked.
Free expander tools include:
- CheckShortURL.com — expands and previews shortened links.
- Unshorten.it — adds a safety reputation score.
- GetLinkInfo.com — shows the full redirect chain.
Step 4: Run the URL Through a Reputation Scanner
Copy the URL (right-click → Copy link address) and paste it into one of these free scanners. They check the link against millions of known malicious sites in real time.
| Tool | What It Checks | Best For |
|---|---|---|
| VirusTotal | Scans URL against 70+ antivirus engines | Comprehensive verdicts |
| Google Safe Browsing | Phishing & malware blocklist | Quick yes/no check |
| URLVoid | 30+ blocklist services + WHOIS data | Domain reputation |
| PhishTank | Community-verified phishing database | Email phishing |
| Sucuri SiteCheck | Malware, blacklists, outdated software | Website integrity |
Step 5: Check the Domain's Age and WHOIS Data
Most phishing domains are less than 30 days old. Use whois.domaintools.com or who.is to see when a domain was registered. A "Microsoft support" page registered last week from a privacy-protected account in another country is almost certainly fraudulent.
Step 6: Verify the HTTPS Certificate
Click the padlock icon in your browser to view the SSL certificate. A legitimate site like PayPal has a certificate issued to PayPal, Inc., not to a random hosting provider. HTTPS alone is not proof of safety — scammers use it too — but a missing or mismatched certificate is an instant red flag.
Step 7: Open Suspicious Links in a Sandbox
If you absolutely must view a suspicious page, use an online sandbox so the site never touches your real device:
- Browserling.com — opens any URL in a remote browser.
- URLScan.io — renders the page and shows screenshots, scripts, and connections.
- Joe Sandbox or Any.Run — full malware analysis environments.
Best Free Tools for Checking Link Safety
Here's a side-by-side look at the tools most security professionals recommend in 2026.
| Tool | Price | Strengths | Limitations |
|---|---|---|---|
| VirusTotal | Free | Multi-engine scan, screenshots, community comments | Public — don't submit private URLs |
| URLScan.io | Free / Paid tiers | Live screenshots, network analysis | Steeper learning curve |
| Google Transparency Report | Free | Backed by Google's massive index | Limited to phishing & malware |
| Norton Safe Web | Free | Easy interface, community ratings | Smaller threat database |
| IsItPhishing.ai | Free | AI-based real-time analysis | Newer, less battle-tested |
How to Check Links on Mobile Devices
Mobile phishing ("smishing") has surged because previewing links is harder on small screens. Use these techniques:
On iPhone (iOS)
- Long-press any link in Safari, Mail, or Messages to see a preview card with the full URL.
- Enable Settings → Safari → Fraudulent Website Warning.
- Use the Shortcuts app to create a "Check URL" action that sends links to VirusTotal.
On Android
- Long-press the link → "Copy link address" → paste into a scanner.
- Enable Google Play Protect and Safe Browsing in Chrome settings.
- Install a reputable mobile security app like Bitdefender or Malwarebytes for real-time link scanning.
How to Spot a Phishing Link in Emails and Messages
Phishing relies on social engineering, not just bad URLs. Combine link-checking with content analysis.
- Check the sender address — "service@paypa1-support.com" is not PayPal.
- Look for generic greetings — "Dear Customer" instead of your real name.
- Watch for grammar and tone — though AI has made this less reliable, awkward phrasing still appears.
- Verify out-of-band — if your bank "emailed" you, log in by typing the URL yourself, never click the link.
- Report and delete — forward phishing emails to reportphishing@apwg.org and your provider's abuse address.
Are Shortened URLs Safe?
Shortened URLs are not inherently dangerous — they're used by every major platform, from Twitter (t.co) to LinkedIn (lnkd.in). The risk comes from hidden destinations. A trustworthy shortener provides preview features, link analytics, and active malware scanning.
When choosing a shortener for your own links, pick one that protects your audience as well as your brand. Services like the top URL shorteners reviewed in 2026 include automated threat detection so you don't accidentally redirect users to a compromised page. For a deeper comparison of pricing and safety features, see our Rebrandly review and the Lunyb honest review.
What to Do If You Already Clicked a Suspicious Link
Don't panic — fast action limits damage. Follow these steps in order:
- Disconnect from the internet to stop ongoing data transfer.
- Do not enter any credentials on the page that opened.
- Close the browser tab and clear cookies/cache for that site.
- Run a full antivirus scan with Windows Defender, Malwarebytes, or your preferred tool.
- Change passwords for any account you might have entered — start with email and banking.
- Enable two-factor authentication everywhere it's available.
- Monitor financial statements for the next 30–60 days.
- Report the incident to your bank, employer's IT team, or the FTC (reportfraud.ftc.gov).
Building Long-Term Habits for Safer Browsing
Tools help, but habits are your real defense. Adopt these practices:
- Use a password manager — it won't autofill credentials on a fake domain, which is a huge red flag.
- Keep browsers, OS, and antivirus updated — most exploits target known vulnerabilities.
- Install a reputable browser extension like Bitdefender TrafficLight, Netcraft, or Malwarebytes Browser Guard.
- Bookmark important sites (bank, email, work tools) and access them only via bookmarks.
- Treat unsolicited links — even from friends — as suspicious until verified. Accounts get hacked.
- Educate family members, especially older relatives, who are disproportionately targeted.
Frequently Asked Questions
Can a link infect my device just by clicking it?
Yes, in some cases. "Drive-by downloads" exploit unpatched browser or plugin vulnerabilities to install malware without further interaction. Keeping your browser and operating system updated reduces this risk to nearly zero, but it's still safer to verify the link first.
Is HTTPS enough to know a site is safe?
No. HTTPS only means the connection is encrypted, not that the site is legitimate. Over 80% of phishing pages now use HTTPS because free SSL certificates are easy to obtain. Always combine the padlock check with domain inspection and a reputation scanner.
Are URL shorteners safe to use?
Reputable shorteners are safe and widely used by major brands. The danger comes from clicking shortened links from unknown sources. Use an expander tool like CheckShortURL or choose shorteners that show a preview page and scan destinations for malware.
What's the fastest way to check a link on my phone?
Long-press the link to copy it, then paste it into VirusTotal.com or Google's Safe Browsing site status checker. Both work in any mobile browser and return a verdict in seconds. For frequent use, set up a one-tap shortcut in iOS Shortcuts or an Android automation app.
Should I report suspicious links I receive?
Absolutely. Report phishing emails to reportphishing@apwg.org and to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish. Reporting helps protect millions of other users and gets malicious sites taken down faster. If the link impersonates a specific brand, forward it to that company's abuse address (e.g., phishing@paypal.com).
Final Thoughts
Knowing how to check if a link is safe is one of the most valuable digital skills you can build in 2026. The combination of hovering to preview, inspecting the domain, expanding shortened URLs, and running a quick scan through VirusTotal or URLScan.io catches the vast majority of threats in under a minute. Pair these habits with a good password manager, two-factor authentication, and up-to-date software, and you'll be safer than 95% of internet users.
When in doubt, don't click. Type the address yourself, contact the sender through a verified channel, or simply walk away. No deal, prize, or urgent notice is worth the cost of a compromised account.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
How to Create Branded Short Links: A Complete Step-by-Step Guide
Branded short links replace generic URLs with your own custom domain, boosting trust and click-through rates. This step-by-step guide shows you how to choose a domain, connect it to a URL shortener, and create professional branded links in under 10 minutes.
How to Set Up Link Retargeting: The Complete 2026 Guide
Link retargeting lets you build advertising audiences from anyone who clicks your shortened URLs—even links to third-party content. This guide walks you through setting up retargeting pixels, creating shortened links, and launching campaigns that convert.
How to Report a Data Breach to PDPC Singapore: Complete 2026 Guide
A complete step-by-step guide to reporting a data breach to PDPC under Singapore's PDPA. Learn what counts as notifiable, the 3-day and 30-day timelines, penalties, and best practices for staying compliant in 2026.
How to Report a Data Breach to the ICO: A Complete UK Guide
UK GDPR requires you to report notifiable personal data breaches to the ICO within 72 hours. This step-by-step guide explains what counts as a breach, what information to include, and how to notify affected individuals while avoiding costly fines.