How to Check if a Link Is Safe Before Clicking: The Complete 2026 Guide
Every day, billions of links are shared through email, social media, and messaging apps — and a meaningful percentage of them lead somewhere you really don't want to go. Phishing pages, drive-by malware downloads, fake login portals, and crypto-draining sites all rely on one simple thing: you clicking before you check. This guide walks you through exactly how to check if a link is safe before clicking, using free tools, browser tricks, and a few habits that will dramatically reduce your risk of getting compromised.
Why Checking Links Before Clicking Matters
A malicious link is the most common starting point for cyberattacks against individuals and businesses. According to multiple threat reports, more than 80% of reported security incidents begin with a phishing message that contains a link. The danger isn't just stolen passwords — a single click can install spyware, hijack browser sessions, drain cryptocurrency wallets, or quietly enroll your device in a botnet.
The good news: most malicious links reveal themselves if you know what to look for. A 15-second inspection routine is enough to filter out the overwhelming majority of threats.
10 Quick Ways to Check if a Link Is Safe
Here is a fast checklist you can apply to any suspicious link, in order of speed and reliability:
- Hover before you click to preview the real destination URL.
- Inspect the domain carefully for misspellings and lookalike characters.
- Check for HTTPS, but don't trust it alone.
- Scan the URL with Google Safe Browsing or a similar reputation service.
- Run it through VirusTotal to check 70+ security engines at once.
- Expand shortened links with an unshortener before opening.
- Use URLVoid or URLScan.io for a deeper reputation lookup.
- Check the WHOIS record to see how old the domain is.
- Open it in a sandbox or isolated browser if you must visit.
- Trust your gut — if context feels off, don't click.
Step 1: Hover Over the Link to Preview the URL
On desktop, hovering over a hyperlink shows the actual destination in the bottom-left of your browser or email client. This is the single most effective first check. The visible text might say "www.paypal.com", but the real URL could be paypa1-secure-login.tk. On mobile, press and hold the link until a preview appears — do not tap.
If the hovered URL doesn't match the displayed text, or if it points to a completely unrelated domain, treat it as hostile until proven otherwise.
Step 2: Inspect the Domain Like a Detective
Attackers rely on the fact that humans skim. They register domains that look almost identical to legitimate ones, using techniques known as typosquatting and homograph attacks.
Common Domain Tricks to Watch For
- Character swaps: `arnazon.com` instead of `amazon.com` (rn vs m).
- Number substitution: `g00gle.com`, `paypa1.com`.
- Extra subdomains: `apple.com.secure-login.xyz` — the real domain is `secure-login.xyz`, not Apple.
- Unusual TLDs: Be skeptical of `.tk`, `.ml`, `.gq`, `.cf`, and other free top-level domains often used for phishing.
- Hyphenated brand names: `netflix-billing-update.com` is almost never legitimate.
The true domain is always the part of the hostname immediately before the first single slash: start at the TLD and read right to left. Practice this once and you'll spot fakes instantly.
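The checks in this list can be expressed as a small triage function. This is an added example, not code from the original guide. It assumes a short brand watchlist, treats the last two labels as the real domain (a production tool would use the Public Suffix List), and does not cover Unicode homographs; all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this sketch: a small brand watchlist, and the free TLDs the
# guide names. Production tooling should find the registrable domain with the
# Public Suffix List; taking the last two labels is wrong for e.g. "co.uk".
BRANDS = {"amazon", "google", "paypal", "apple", "netflix"}
FREE_TLDS = {"tk", "ml", "gq", "cf"}
# Lookalike sequences mapped back to the character they imitate.
LOOKALIKES = (("rn", "m"), ("0", "o"), ("1", "l"))

def split_host(url):
    """Return (name, tld, subdomain_labels) for the host in `url`."""
    if not re.match(r"[a-z][a-z0-9+.-]*://", url, re.I):
        url = "//" + url  # bare "example.com/path" has no scheme to anchor on
    labels = (urlsplit(url).hostname or "").lower().rstrip(".").split(".")
    return (labels[-2] if len(labels) > 1 else ""), labels[-1], labels[:-2]

def normalise(name):
    """Undo the character swaps and digit substitutions listed above."""
    for fake, real in LOOKALIKES:
        name = name.replace(fake, real)
    return name

def domain_flags(url):
    """List the lookalike tricks from this section that the URL's host shows."""
    name, tld, subs = split_host(url)
    flags = []
    if name not in BRANDS:
        if normalise(name) in BRANDS:
            flags.append("lookalike of " + normalise(name))
        if "-" in name and any(normalise(p) in BRANDS for p in name.split("-")):
            flags.append("hyphenated brand name")
        if any(label in BRANDS for label in subs):
            flags.append(f"brand only in subdomain; real domain is {name}.{tld}")
    if tld in FREE_TLDS:
        flags.append("free TLD ." + tld)
    return flags

# Sample hosts are the ones quoted in this guide, plus one legitimate URL.
for u in ("arnazon.com", "g00gle.com", "apple.com.secure-login.xyz",
          "netflix-billing-update.com", "paypa1-secure-login.tk",
          "https://www.amazon.com/gp/cart"):
    print(u, "->", domain_flags(u) or "no flags")
```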
Step 3: Use Free Online Link Scanners
If a link looks suspicious but you can't tell for sure, paste it into a dedicated scanner. These services check the URL against threat databases without you having to visit the page.
Top Free Link Safety Scanners
| Tool | What It Does | Best For |
|---|---|---|
| Google Safe Browsing | Checks against Google's malware and phishing database | Quick reputation check |
| VirusTotal | Scans URL with 70+ antivirus engines | Multi-engine consensus |
| URLScan.io | Loads the page in a sandbox and shows screenshots, redirects, requests | Deep technical analysis |
| URLVoid | Checks 30+ blocklists and reputation services | Domain reputation |
| PhishTank | Community-verified phishing URL database | Confirmed phishing pages |
| Sucuri SiteCheck | Scans for malware, blacklist status, and injected code | Website integrity checks |
For maximum confidence, run a suspicious link through two of these tools. If both come back clean, the link is very likely safe. If even one flags it, walk away.
Step 4: Expand Shortened Links Before Clicking
Shortened links from services like bit.ly, t.co, tinyurl, or branded shorteners hide the real destination. That's useful for clean sharing, but it also means you can't visually verify where you're going.
Before clicking any short link from an unfamiliar sender, expand it using a free unshortener such as CheckShortURL, Unshorten.it, or ExpandURL. These tools follow the redirect chain server-side and show you the final destination plus any intermediate hops — which is where many tracking and malware redirects hide.
Reputable short-link providers, including Lunyb, route links through infrastructure that blocks known malicious destinations, but it's still smart to verify any short URL from an unknown source. If you're choosing a shortener to share links yourself, our 2026 buyer's guide to URL shorteners covers which providers have the strongest abuse protections.
Step 5: Check the Padlock — But Don't Rely On It
HTTPS (the padlock icon) means traffic between you and the website is encrypted. It does not mean the site is legitimate. Modern phishing kits ship with free SSL certificates by default, so over 90% of phishing pages now show a valid padlock.
Use HTTPS as a baseline filter — any site asking for a password without it should be rejected immediately — but never as proof of safety on its own.
Step 6: Look Up the Domain Age
Legitimate brands have domains registered for years or decades. Phishing domains are typically registered hours or days before they're used. A free WHOIS lookup (try whois.domaintools.com or who.is) reveals when a domain was created.
Rule of thumb: if a domain claiming to be a major bank, retailer, or service was registered within the last 90 days, it's almost certainly fraudulent.
Step 7: Read the URL Path and Parameters
Even when the domain looks legitimate, the path can reveal trouble. Watch for:
- Long random strings of letters and numbers in unusual places.
- Encoded characters like `%2F`, `%3A`, or large amounts of base64.
- Parameters that include email addresses, tokens, or instructions like `?redirect=`.
- Multiple chained redirects through unrelated domains.
None of these are automatically malicious, but combined with an unfamiliar sender they're a strong warning sign.
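The same warning signs can be extracted from a URL without visiting it. This is an added example, not part of the original guide; the thresholds, the list of redirect-style parameter names, and the function names are assumptions, and the sample URL is constructed on reserved example domains.

```python
import math, re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Thresholds and parameter names below are assumptions chosen for illustration.
EMAIL = re.compile(r"[^@\s/]+@[^@\s/]+\.[a-z]{2,}", re.I)
BASE64ISH = re.compile(r"^[A-Za-z0-9+/_-]{24,}={0,2}$")
REDIRECT_KEYS = {"redirect", "redirect_uri", "url", "next", "return", "goto"}

def entropy(s):
    """Shannon entropy in bits per character; random tokens score high."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def host_of(value):
    """Hostname if `value` is itself an absolute URL, else None."""
    try:
        return urlsplit(value).hostname
    except ValueError:
        return None

def path_flags(url):
    """List the path and parameter warning signs from this step found in `url`."""
    parts = urlsplit(url)
    flags = []
    # Count percent-encoded bytes in the raw, undecoded path and query.
    encoded = len(re.findall(r"%[0-9A-Fa-f]{2}", parts.path + "?" + parts.query))
    if encoded >= 3:
        flags.append(f"{encoded} percent-encoded bytes")
    for seg in filter(None, unquote(parts.path).split("/")):
        if len(seg) >= 20 and entropy(seg) > 3.5:
            flags.append("long random path segment")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if EMAIL.search(value):
            flags.append(f"email address in ?{key}=")
        if BASE64ISH.match(value):
            flags.append(f"base64-like blob in ?{key}=")
        target = host_of(value)
        if target and target != parts.hostname:
            flags.append(f"?{key}= points to another host: {target}")
        elif key.lower() in REDIRECT_KEYS:
            flags.append(f"redirect-style parameter ?{key}=")
    return flags

# Constructed URL on reserved example domains, not a real phishing link.
SAMPLE = ("https://login.example.com/a8Kq2ZrT9xLm4Vw7Pb3Nc6Yd/verify"
          "?email=alice%40example.org&redirect=https%3A%2F%2Fevil.example.net%2Fpay")
print(path_flags(SAMPLE))
```

As the guide says, none of these flags is proof of malice on its own; the output is a list of reasons to look closer.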
Step 8: Match the Link Against the Context
Phishing thrives on emotional manipulation: urgency, fear, curiosity, or reward. Before you click, pause and ask:
- Was I expecting this message?
- Does the sender's address actually match the brand?
- Is the message pressuring me to act fast?
- Does the offer or threat make sense if I think about it for 10 seconds?
- Could I get to the same destination by typing the URL myself or using a bookmark?
If you have any doubt, navigate directly to the official site in a new tab instead of clicking the link. A real bank, courier, or tax authority will never punish you for logging in the normal way.
Step 9: Use Browser and Device Protections
Modern browsers ship with built-in link safety features. Make sure these are enabled:
- Chrome: Settings → Privacy and security → Enhanced Safe Browsing.
- Firefox: Settings → Privacy & Security → Deceptive Content and Dangerous Software Protection.
- Safari: Preferences → Security → Fraudulent website warning.
- Edge: Microsoft Defender SmartScreen (on by default).
For extra protection, consider using encrypted DNS resolvers such as Cloudflare's 1.1.1.1 for Families or Quad9, which automatically block known malicious domains at the network level before your browser even sees them.
Step 10: Open Risky Links Safely (When You Must)
Sometimes you genuinely need to visit a suspicious link — security researchers, journalists, and IT staff face this regularly. In that case:
- Use a sandboxed analysis service like URLScan.io or Browserling that renders the page remotely.
- Use a disposable virtual machine snapshot you can roll back.
- Use a private, isolated browser profile with no saved credentials.
- Disable JavaScript before loading if possible.
- Never enter real credentials, even out of curiosity.
Red Flags Cheat Sheet
If you see any combination of these, treat the link as malicious until proven otherwise:
| Red Flag | Why It's Suspicious |
|---|---|
| Display text doesn't match the real URL | Classic phishing disguise |
| Misspelled brand name in the domain | Typosquatting attack |
| Unusual TLD (.tk, .top, .zip, .xyz) for a major brand | Cheap throwaway domains |
| Urgent threats: "account suspended," "verify in 24h" | Pressure tactic |
| Domain registered within the last 90 days | Newly created phishing infrastructure |
| Request for password, SSN, or seed phrase | No legitimate company asks for these |
| No HTTPS on a login page | Bare-minimum failure |
| Sender domain doesn't match the brand | Spoofed identity |
Special Cases to Watch For in 2026
QR Code Phishing (Quishing)
QR codes hide their destination by design. Use a QR scanner app that previews the URL before opening it, and apply the same checks you would to any link. Be especially wary of QR codes stuck on parking meters, restaurant tables, or printed flyers — these are increasingly tampered with.
AI-Generated Phishing
Generative AI has eliminated the broken-English giveaways that used to make phishing easy to spot. Messages are now grammatically perfect and contextually personalized. Trust the URL inspection, not the writing quality.
Browser-in-the-Browser Attacks
Some phishing pages render a fake browser window inside the real one, complete with a fake URL bar showing a trusted domain. Try dragging the "window" outside the browser viewport — if it can't move beyond the page, it's fake.
Short Link Abuse
Always expand short links from senders you don't fully trust. If you create short links yourself for marketing or sharing, choose a provider with active abuse monitoring. We compare options including Rebrandly and other major shorteners in our comparison guide.
What to Do If You Already Clicked
If you clicked a link and now suspect it was malicious, act fast:
- Disconnect from the internet if you suspect a download started.
- Don't enter any credentials on the page that opened.
- Close the tab and clear browser cache and cookies for that site.
- Run a full antivirus scan with an up-to-date engine.
- Change passwords on any account whose credentials you may have entered, starting with email.
- Enable two-factor authentication wherever it isn't already on.
- Watch financial statements closely for the next 60 days.
- Report the link to Google Safe Browsing, PhishTank, and the spoofed brand.
Building a Long-Term Habit
Link safety isn't a one-time skill — it's a reflex you build with repetition. The three-second routine of hover, read the domain, then decide will protect you from the vast majority of online threats. Combine that with a modern browser, encrypted DNS, two-factor authentication on important accounts, and a healthy skepticism toward urgency, and you'll be safer than 99% of internet users.
Frequently Asked Questions
Is it dangerous to just click a link without entering any information?
It can be. Most modern attacks require you to enter credentials or download a file, but drive-by exploits targeting outdated browsers or plugins can compromise a device on click alone. Keeping your browser fully updated reduces this risk to near zero, but the safest habit is still to verify before clicking.
Does HTTPS guarantee a link is safe?
No. HTTPS only means the connection is encrypted, not that the site is trustworthy. The majority of phishing sites today use valid SSL certificates. Use HTTPS as a minimum requirement, not as proof of legitimacy.
What's the fastest way to check a link on my phone?
Press and hold the link to reveal the full URL in a preview, then read the domain carefully. If anything looks off, copy the link and paste it into VirusTotal or Google Safe Browsing in a separate browser tab rather than opening it directly.
Are shortened links inherently unsafe?
No, but they hide their destination, which makes verification harder. Reputable shorteners actively block malicious URLs and provide analytics for transparency. When you receive a short link from an unknown sender, expand it first using a free unshortener tool.
Can antivirus software catch every malicious link?
No. Antivirus and browser protections rely on databases of known threats, but brand-new phishing pages can stay undetected for hours or days before being flagged. Your own inspection habits — hovering, reading domains, and verifying context — are an essential layer that no software can fully replace.