How to Check if a Link Is Safe Before Clicking: The Complete 2026 Guide

Every day, billions of links circulate through emails, text messages, social media posts, and chat apps. Most are harmless, but a growing percentage hide phishing scams, malware downloads, and credential-stealing traps. Knowing how to check if a link is safe before clicking is no longer optional — it's a core digital survival skill.

This guide walks you through 10 reliable methods to verify any URL, the red flags that scream "danger," and the free tools security professionals use every day. Whether the link came from a stranger, a friend, or your bank, you'll know exactly how to evaluate it in under 60 seconds.

Why Checking Links Matters More Than Ever

A malicious link is a one-click gateway to identity theft, ransomware, drained bank accounts, and hijacked social media profiles. Phishing remains the number-one delivery method for cyberattacks, accounting for over 80% of reported security incidents in recent years.

Attackers have grown sophisticated. Modern phishing URLs use legitimate SSL certificates, mimic real brand domains with character swaps, and hide behind shortened links. The good news: a few quick checks can defeat nearly all of them.

Common Threats Hidden in Unsafe Links

• Phishing pages that steal logins for banks, email, and social accounts
• Drive-by malware downloads triggered by simply loading the page
• Cryptocurrency drainer scripts that empty connected wallets
• Tech support scams using fake browser warnings
• Affiliate fraud and redirect chains that profile your device

10 Ways to Check if a Link Is Safe Before Clicking

Below are the most effective methods, ordered from fastest to most thorough. Use the first three for everyday links, and combine multiple checks when the stakes are high.

1. Hover Over the Link to Preview the Real URL

On desktop, hover your mouse over any hyperlink without clicking. Your browser or email client will display the actual destination URL in the bottom-left corner. On mobile, press and hold the link to reveal a preview.

Compare the displayed text to the real URL. If an email says "click here to log in to PayPal" but the URL points to paypa1-secure.xyz, it's a scam.

2. Inspect the Domain Name Carefully

Look at the part of the URL right before the first single slash (after https://). That's the real domain. Everything before it (subdomains) can be faked.

For example, https://login.microsoft.com.security-alert.ru/verify is NOT a Microsoft URL — the real domain is security-alert.ru.

Watch for:

• Typosquatting: arnazon.com, g00gle.com, faceboook.com
• Homoglyphs: Cyrillic "а" replacing Latin "a" (looks identical)
• Suspicious TLDs: .zip, .top, .xyz, .click, .work
• Excess hyphens or numbers: apple-id-verify-account.com

3. Use a Free URL Scanner

Paste any suspicious link into a dedicated scanner before clicking. These tools check the URL against dozens of malware and phishing databases in seconds.

Tool	Best For	Cost
VirusTotal	Multi-engine scanning (70+ AV engines)	Free
Google Safe Browsing	Quick reputation check	Free
URLVoid	Domain reputation reports	Free
PhishTank	Verified phishing database	Free
urlscan.io	Visual page render + network analysis	Free
Sucuri SiteCheck	Malware and blacklist scanning	Free

4. Expand Shortened URLs Before Visiting

Short links from services like bit.ly, t.co, tinyurl, or lunyb hide the destination by design. That's convenient for marketers but useful for attackers too.

Use a URL expander to reveal the final destination:

1. Visit a service like CheckShortURL.com or Unshorten.it
2. Paste the short link
3. Review the full URL and reputation score before deciding

Reputable shorteners like Lunyb include built-in malware filtering and link preview options to make this safer by default. If you're choosing a shortener for your own use, see our 2026 buyer's guide for security-focused options.

5. Check the SSL Certificate (But Don't Trust It Alone)

The padlock icon means the connection is encrypted — not that the site is honest. Phishing sites routinely use free SSL certificates from Let's Encrypt.

That said, the absence of HTTPS on a login or payment page is an instant red flag. Click the padlock to view the certificate details and confirm the organization name matches what you expect for major brands.

6. Search the URL in Google

Copy the URL or domain and paste it into Google search with quotes around it. Look for:

• Recent scam reports or Reddit warnings
• Legitimate company mentions and press coverage
• Domain age (very new domains for established brands = suspicious)

If a "major bank" URL has zero search results or only complaints, walk away.

7. Look Up the Domain's WHOIS Information

WHOIS records show when a domain was registered and (sometimes) by whom. Tools like whois.domaintools.com or who.is reveal this instantly.

Red flags include:

• Domain registered within the last 30 days
• Privacy-shielded registration for a supposed major company
• Registrar based in a country unrelated to the brand

8. Open the Link in a Sandbox or Isolated Browser

If you absolutely must see what a link does, never open it on your main device. Use one of these isolation options:

• urlscan.io — renders the page on their servers and shows you screenshots
• Browserling or Browserstack — remote browser sessions
• A virtual machine with no saved credentials
• Incognito mode on a guest profile as a last resort (least safe)

9. Use Browser Security Extensions

Modern browsers offer extensions that automatically flag dangerous links before you click:

• Bitdefender TrafficLight
• Malwarebytes Browser Guard
• Norton Safe Web
• uBlock Origin (blocks many malicious domains via filter lists)

These add real-time warnings to search results and social feeds — a passive defense layer that catches threats before you act.

10. Verify Through a Second Channel

The single most reliable check: if a link claims to be from your bank, employer, or a friend, contact them through an independent method. Call the number on the back of your card, open the official app directly, or send a fresh message to your friend asking, "Did you really send this?"

This one habit defeats nearly every targeted phishing attempt.

Red Flags That a Link Is Probably Unsafe

Even without tools, certain warning signs should make you pause. If a link shows any two of these, treat it as hostile.

Visual and Structural Red Flags

• Misspelled brand names or domains
• Unusual TLDs like .tk, .gq, .ml, .zip, or .mov
• Long random strings of characters in the URL
• IP addresses instead of domain names (e.g., http://192.168.4.22/login)
• URLs that use @ symbols (a classic obfuscation trick)
• Excessive subdomains: login.account.verify.secure-bank.example.ru

Contextual Red Flags

• Urgent language: "Your account will be closed in 24 hours"
• Unexpected attachments, invoices, or shipping notifications
• Prizes, refunds, or crypto giveaways
• Messages from friends with no personal context
• Requests to "verify" your password or 2FA code
• Links sent via DM from accounts you didn't follow

How to Check Links on Mobile Devices

Mobile makes safe browsing harder because URLs are often truncated and hovering isn't possible. Here's the mobile-specific playbook.

On iPhone (iOS)

1. Touch and hold the link until a preview card appears
2. Review the full URL at the top of the preview
3. Tap "Hide Preview" if you want only the URL without loading the page
4. Copy the link and paste it into VirusTotal in Safari

On Android

1. Long-press the link to open the context menu
2. Choose "Copy link address"
3. Paste into a scanner like Google Safe Browsing or urlscan.io
4. Enable Google Play Protect and a mobile security app for real-time scanning

What to Do If You Already Clicked a Suspicious Link

Clicking a bad link isn't always fatal. Acting quickly limits the damage.

1. Disconnect from the internet immediately if anything downloaded or a strange page loaded.
2. Do not enter credentials on the page that opened, even if it looks familiar.
3. Close the tab and clear your browser cache and cookies.
4. Run a full antivirus and anti-malware scan using Malwarebytes, Bitdefender, or Windows Defender.
5. Change passwords for any account you might have exposed — start with email and banking.
6. Enable two-factor authentication on every important account if you haven't already.
7. Monitor financial statements for the next 30 days and consider a credit freeze if you entered personal data.
8. Report the link to Google Safe Browsing, PhishTank, and the impersonated brand.

Building Long-Term Link Safety Habits

Tools help, but habits protect you 24/7. Adopt these practices and link-based attacks become drastically less effective.

• Use a password manager — it auto-fills only on the real domain, so phishing pages stay empty.
• Enable 2FA everywhere, preferably with an authenticator app or hardware key rather than SMS.
• Keep your browser and OS updated — most drive-by attacks exploit known, patched bugs.
• Bookmark important sites (banking, email, work tools) and access them only from bookmarks.
• Slow down — urgency is the attacker's favorite weapon. Pause for 10 seconds before clicking anything unexpected.
• Use a reputable URL shortener for the links you create yourself. Services with built-in malware scanning and link previews protect both you and your audience.

Comparing Free Link Checkers Side by Side

If you want one tool to bookmark today, choose based on how you'll use it most.

Use Case	Recommended Tool	Why
Quick reputation check	Google Safe Browsing	Instant, no signup, trusted source
Deep malware analysis	VirusTotal	70+ engines, file + URL scanning
See the page without visiting	urlscan.io	Server-side screenshots and network logs
Expand short links	CheckShortURL	Reveals destination plus safety rating
Investigate a domain	URLVoid + WHOIS	Combines blacklist + registration data

FAQ: Checking Link Safety

Is it dangerous to just click a link without entering anything?

It can be. Some malicious pages exploit browser vulnerabilities to install malware automatically — a technique called a drive-by download. Modern, updated browsers block most of these, but the safest approach is to scan unknown links before clicking rather than relying on luck.

Are shortened links always unsafe?

No. Short links from reputable services are perfectly safe and widely used by major brands. The risk comes from not knowing the destination. Always expand short links from unknown senders, and when creating your own short links, choose a provider with malware filtering and preview features. For a deeper look at trustworthy options, see our URL shorteners comparison and our Rebrandly review.

Does the green padlock mean a site is safe?

Only that the connection is encrypted, not that the site is honest. Over 80% of phishing sites now use HTTPS. Treat the padlock as a baseline requirement, not proof of legitimacy.

What's the fastest way to check a link on my phone?

Long-press the link to preview the full URL, then copy and paste it into Google Safe Browsing or VirusTotal in your mobile browser. Both work without an account and return results in seconds.

Can I get hacked just by previewing a link in messages?

Link previews are generally safe because they're generated server-side by the messaging platform, not your device. However, zero-click exploits do exist for sophisticated targeted attacks. Keep your apps updated and disable rich previews from unknown senders if you're high-risk.

Final Thoughts

Learning how to check if a link is safe takes about 15 minutes once and saves you from years of potential headaches. Combine three habits — hover to preview, scan with VirusTotal, and verify through a second channel — and you'll defeat the vast majority of phishing and malware attempts you encounter.

The internet rewards skepticism. When a link looks even slightly off, trust your instinct and verify before you click. Your future self will thank you.