How to Check if a Link Is Safe Before Clicking: The Complete 2026 Guide

Every day, billions of links are shared across email, social media, and messaging apps — and a frightening number of them lead to phishing pages, malware downloads, or scam sites. Knowing how to check if a link is safe before clicking is one of the most valuable digital skills you can develop in 2026. This guide gives you a complete, step-by-step toolkit: free scanners, manual inspection tricks, browser-level defenses, and the exact red flags that separate trustworthy URLs from dangerous ones.

Why Checking Links Before Clicking Matters

Link safety verification is the practice of analyzing a URL's destination, reputation, and behavior before opening it in your browser. It matters because a single click can trigger credential theft, drive-by malware downloads, or financial fraud — and modern phishing sites are designed to look identical to legitimate ones.

According to industry reports, more than 90% of cyberattacks begin with a malicious link. Attackers exploit shortened URLs, lookalike domains, and urgent messaging to bypass your judgment. The good news: with a 30-second check, you can avoid the vast majority of these threats.

10 Proven Ways to Check if a Link Is Safe

Below are the most reliable methods, ranked from fastest to most thorough. Use one for casual links and combine several for anything involving payments, logins, or downloads.

1. Hover Over the Link to Preview the Destination

On desktop, hover your mouse over a hyperlink without clicking. The real URL appears in the bottom-left corner of your browser. On mobile, press and hold the link until a preview menu appears. If the displayed text says "paypal.com" but the actual URL is "paypa1-secure.xyz," that's a phishing attempt.

2. Use a Free URL Scanner

URL scanners analyze a link against threat intelligence databases without opening it on your device. The most trusted free tools include:

• VirusTotal — Scans against 70+ antivirus engines and blocklists.
• Google Safe Browsing Transparency Report — Google's own threat database.
• URLVoid — Aggregates 30+ reputation services.
• PhishTank — Community-driven phishing database.
• Sucuri SiteCheck — Detects malware and blacklist status.

Paste the suspicious URL into any of these tools and review the verdict before clicking.

3. Inspect the Domain Carefully

Read the domain from right to left, starting at the top-level domain (.com, .org, etc.). The real domain is the word directly before the TLD. For example, in amazon.secure-login.ru, the real domain is secure-login.ru, not Amazon. Watch for:

• Misspellings (faceboook.com, g00gle.com)
• Extra subdomains pretending to be the brand
• Unusual TLDs (.zip, .top, .xyz, .click) often used in scams
• Hyphens added to legitimate names (apple-support.com)

4. Expand Shortened URLs Before Visiting

Short links from services like bit.ly, tinyurl, or t.co hide the destination. Use a URL expander to preview where they actually lead:

• CheckShortURL.com
• Unshorten.it
• ExpandURL.net

Reputable shorteners — including Lunyb — apply safety filters and link previews to reduce abuse, but expanding a link yourself is always the safest practice. For a deeper look at which providers handle security best, see our 2026 buyer's guide to URL shorteners.

5. Check for HTTPS and the Padlock Icon

A padlock and "https://" mean the connection is encrypted — but it does not mean the site is legitimate. Phishers now routinely buy SSL certificates. Treat HTTPS as a minimum requirement, not proof of safety.

6. Look Up the Domain's Age and WHOIS Information

Brand-new domains are heavily favored by scammers because they have no reputation yet. Use whois.domaintools.com or who.is to check when a domain was registered. A site claiming to be a major retailer but registered three weeks ago is almost certainly fraudulent.

7. Use Browser Built-In Protection

Modern browsers include real-time link scanning. Make sure these are enabled:

• Chrome: Settings → Privacy and Security → Enhanced Safe Browsing
• Firefox: Settings → Privacy & Security → Block dangerous content
• Edge: Settings → Privacy → Microsoft Defender SmartScreen
• Safari: Preferences → Security → Fraudulent website warning

8. Run the Link Through a Sandbox

For higher-risk links, online sandboxes like urlscan.io, Joe Sandbox, or any.run open the URL inside an isolated virtual environment and report what happens — redirects, downloaded files, scripts run, and screenshots of the page. This is the gold standard for investigating suspicious links.

9. Verify Through an Independent Channel

If a link arrives by email or DM claiming to be from your bank, courier, or employer, don't click it. Open a new browser tab and navigate to the official site manually, or call the company using a number from their verified website. This single habit defeats most phishing attempts.

10. Use Encrypted DNS and Threat-Blocking Resolvers

Switching your device or router to a security-focused DNS resolver blocks known malicious domains at the network level — before your browser even loads them. Free options include:

• Cloudflare 1.1.1.1 for Families (1.1.1.2)
• Quad9 (9.9.9.9)
• NextDNS (customizable filter lists)

Free Link Safety Tools Compared

Here's a quick comparison of the most popular free tools so you can pick the right one for your situation.

Tool	Best For	Speed	Shows Page Preview?	Cost
VirusTotal	Multi-engine malware check	Fast (5–10 sec)	No	Free
urlscan.io	Deep behavioral analysis	Medium (15–30 sec)	Yes (screenshot)	Free
Google Safe Browsing	Quick reputation lookup	Instant	No	Free
URLVoid	Reputation aggregation	Fast	No	Free
PhishTank	Confirmed phishing URLs	Instant	No	Free
CheckShortURL	Expanding short links	Instant	Partial (metadata)	Free

Warning Signs of an Unsafe Link

Even without tools, certain patterns reliably indicate a malicious URL. If you spot any of the following, do not click:

• Urgency or threats in the surrounding message ("Your account will be closed in 24 hours")
• Random character strings in the URL (e.g., secure-update-x7f9d2.com)
• IP addresses instead of domain names (e.g., http://192.168.4.21/login)
• Mismatched display text and actual URL
• Unusual file extensions at the end (.exe, .scr, .zip, .iso)
• Requests for credentials, payment, or 2FA codes on a page you reached via a link
• Punycode characters that mimic Latin letters (e.g., "аpple.com" with a Cyrillic "а")
• Excessive redirects when expanding the URL

How to Check Links on Mobile Devices

Mobile makes link inspection harder because there's no hover preview. Here's the process for each platform:

1. iOS (Safari, Mail, Messages): Touch and hold the link. A pop-up appears showing the full URL and page preview. Tap "Hide Preview" if you don't want it to load.
2. Android (Chrome, Gmail): Long-press the link, then tap "Copy link address." Paste it into a URL scanner before opening.
3. WhatsApp, Telegram, Signal: Long-press the link → copy → paste into VirusTotal or urlscan.io.
4. Install a mobile security app with web protection (Bitdefender, Malwarebytes, or Kaspersky offer free tiers).

How to Check Links in Emails Safely

Email is still the #1 delivery method for malicious links. Follow this checklist before clicking anything in your inbox:

1. Confirm the sender's full email address — not just the display name.
2. Hover over every link and compare the visible URL with the destination.
3. Look for spoofed domains in the "From" header (support@amaz0n-billing.com).
4. Be skeptical of attachments combined with urgent links.
5. Use your email provider's built-in scanner — Gmail, Outlook, and ProtonMail all flag known phishing.
6. When in doubt, forward the message to your IT team or report it to reportphishing@apwg.org.

What to Do If You Already Clicked a Suspicious Link

If you clicked first and worried second, act quickly:

1. Disconnect from the internet to stop any active downloads or callbacks.
2. Do not enter any credentials on the page that opened.
3. Run a full antivirus scan using a reputable tool like Malwarebytes or Windows Defender.
4. Change passwords for any accounts you may have exposed, starting with email and banking.
5. Enable two-factor authentication on critical accounts if it isn't already on.
6. Monitor your financial statements and credit report for the next 30–60 days.
7. Report the incident to your bank, employer, or local cybercrime authority.

How URL Shorteners Affect Link Safety

Shortened links aren't inherently dangerous — they're used by every major platform — but they do obscure the destination. The safest shorteners include automatic malware filtering, link previews, and the ability to disable a link after creation. When choosing a service for your own links, look for those security features explicitly. Our reviews of Rebrandly and Lunyb compare exactly how each provider handles abuse prevention and safe-link technology.

Building a Personal Link-Safety Routine

The fastest way to stay safe is to make verification automatic. A simple daily routine:

1. Enable browser safe-browsing features once and forget them.
2. Switch your DNS to a filtering resolver like Quad9 or Cloudflare for Families.
3. Bookmark VirusTotal and urlscan.io for one-click pasting.
4. Never click links from unknown senders — navigate manually.
5. Treat every unexpected "urgent" message as suspicious by default.

Within a week, these habits become second nature, and your real-world risk drops dramatically.

Frequently Asked Questions

Is it dangerous just to click a link without entering anything?

It can be. Some malicious pages exploit browser vulnerabilities through "drive-by downloads" that install malware automatically. Keeping your browser and operating system fully updated dramatically reduces this risk, but the safest approach is to verify before clicking.

Can a link give me a virus on my phone?

Yes, though it's less common than on desktops. Mobile threats usually involve tricking you into installing a malicious app, granting permissions, or entering credentials on a fake login page. iOS is more locked down than Android, but neither is immune.

Are shortened links like bit.ly or lunyb.com safe?

Reputable shortening services scan links for abuse and remove malicious ones quickly, so they're generally safe. The risk is that the destination is hidden. Always expand short links from unknown sources using a tool like CheckShortURL before clicking.

How can I tell if a website is a phishing site after I've already landed on it?

Check the URL carefully for misspellings, look at the SSL certificate details (click the padlock), and watch for poor grammar, low-quality images, missing contact pages, or urgent demands for personal data. If anything feels off, close the tab immediately and don't enter information.

What's the single best free tool to check if a link is safe?

For most people, VirusTotal offers the best balance of speed, accuracy, and breadth — it checks a URL against dozens of security engines in seconds. For deeper analysis with screenshots and behavior tracking, urlscan.io is the top free choice.

Final Thoughts

Learning how to check if a link is safe takes only a few minutes, but it pays back countless times in avoided scams, stolen accounts, and malware infections. Combine a quick visual inspection with a trusted scanner, enable your browser's built-in defenses, and treat unexpected messages with healthy skepticism. With these habits in place, you'll click confidently — and safely — for years to come.