How to Check if a Link Is Safe Before Clicking: The 2026 Guide

Every day, billions of links travel across email, social media, and messaging apps — and a meaningful percentage of them lead somewhere you do not want to go. Phishing pages, malware drops, fake login screens, and scam stores all rely on one simple action: a click. Learning how to check if a link is safe before you click is one of the highest-impact security skills you can develop, and it takes less than 30 seconds once you know what to look for.

This guide walks through the practical checks, free tools, and red flags that help you separate trustworthy links from traps. Whether the link arrived in an email, a DM, a QR code, or a shortened URL, the same principles apply.

Why Link Safety Matters More Than Ever

Malicious links are the entry point for the majority of cyberattacks worldwide. According to industry threat reports, phishing remains the number-one initial attack vector, and attackers have become exceptionally good at making fake URLs look real. A single click can hand over passwords, install a remote access tool, or drain a crypto wallet.

The good news: most malicious links share recognizable patterns. Once you train your eye and combine that with a couple of free scanning tools, the risk drops dramatically.

What Makes a Link Unsafe?

An unsafe link is any URL that leads to a destination designed to harm you — through deception, malware, or data theft. The most common categories include:

Phishing pages that mimic real login screens (banks, email, social media).
Malware downloads disguised as documents, invoices, or installers.
Drive-by exploit pages that attack outdated browsers automatically.
Scam stores selling counterfeit or non-existent products.
Tracking and ad fraud redirects that hijack clicks for profit.
Cryptocurrency drainer pages that empty wallets on connect.

The 30-Second Visual Check

Before reaching for any tool, do a quick visual inspection of the URL itself. This catches a surprisingly large share of attacks.

1. Read the Domain From Right to Left

The real domain is the part immediately before the first single slash. In https://secure-paypal.login-verify.com/account, the actual domain is login-verify.com — not PayPal. Attackers love stuffing trusted brand names into subdomains and paths.

2. Look for Typosquatting

Check for swapped, doubled, or missing characters: arnazon.com, g00gle.com, microsft.com, paypa1.com. Cyrillic and other look-alike characters (homoglyphs) are common in advanced attacks — if a URL looks slightly off, it probably is.

3. Check the TLD

Be extra cautious with rarely used TLDs frequently abused by spammers, such as .zip, .mov, .top, .xyz, and free TLDs like .tk or .gq. Legitimate brands rarely use these for primary services.

4. Verify HTTPS — But Don't Trust It Alone

HTTPS only means the connection is encrypted, not that the site is honest. Almost every phishing site today uses HTTPS. The padlock icon is necessary, not sufficient.

How to Check a Shortened URL Safely

Shortened links (bit.ly, t.co, tinyurl, and similar) hide the destination by design. That is fine when they come from sources you trust, but risky otherwise. Here is how to safely reveal where a short link actually goes.

Use a URL Expander

Free expander services like CheckShortURL, Unshorten.it, and ExpandURL reveal the final destination without you clicking. Paste the short link, hit expand, and review the real URL before deciding.

Pick a Trustworthy Shortener in the First Place

If you're the one creating short links to share, use a reputable provider with built-in safety features. We covered the best options in our 2026 buyer's guide to URL shorteners, and reviewed individual platforms including Lunyb and Rebrandly. Quality shorteners scan destinations for malware and block known-bad domains automatically.

Hover Before You Click (Desktop)

On a computer, hover your mouse over any link to see the real destination in the browser's status bar (bottom-left corner). On mobile, long-press the link to preview the full URL before opening it.

Free Tools to Scan Any Link

When a visual check leaves doubt, run the URL through a scanner. These services analyze the link against threat intelligence databases and, in some cases, actually visit the page in a sandbox.

Tool	What It Does	Best For	Cost
VirusTotal	Scans the URL against 70+ security engines	Quick consensus check	Free
URLScan.io	Loads the page in a sandbox and shows screenshots, redirects, and resources	Deep behavioral analysis	Free
Google Safe Browsing	Checks against Google's threat list	Phishing and malware lookup	Free
PhishTank	Community-verified phishing database	Confirming known phishing	Free
Sucuri SiteCheck	Scans for malware and blacklist status	Checking websites you own or visit	Free
IPQualityScore	Risk score, domain age, suspicious indicators	Fast all-in-one verdict	Free tier

The 3-Tool Workflow

For any link you're unsure about, run this quick sequence:

Paste it into VirusTotal for a multi-engine reputation check.
Run it through URLScan.io to see a screenshot and the page's actual behavior.
Cross-check with Google Safe Browsing for Google's verdict.

If all three come back clean and the URL looks legitimate, you can click with reasonable confidence. If any one flags it, treat it as hostile.

Red Flags That Signal a Dangerous Link

Beyond the URL itself, the context around a link tells you a lot. Watch for these warning signs:

Urgency and threats: "Your account will be closed in 24 hours."
Unexpected attachments or login prompts from senders you didn't expect to hear from.
Mismatched display text and underlying URL: the link says paypal.com but points elsewhere.
Generic greetings like "Dear Customer" from companies that know your name.
Strange punctuation or @ symbols in URLs (the part before an @ can be ignored by browsers).
Excessive subdomains: login.account.security.update.example.com.
Requests to disable security warnings or install certificates.
Prize, refund, or delivery notifications you didn't initiate.

Checking Links on Mobile Devices

Mobile is where most risky clicks happen because previewing URLs is harder. Use these techniques:

iOS

Long-press a link in Safari, Mail, or Messages to see the full URL and a page preview.
Enable Fraudulent Website Warning in Settings → Safari.
Use Mail's built-in sender verification badges where available.

Android

Long-press to preview the URL in Chrome and most messaging apps.
Keep Google Play Protect and Safe Browsing turned on.
Install a reputable mobile security app for real-time link scanning.

Email-Specific Link Checks

Email remains the #1 delivery method for malicious links. Add these layers:

Verify the sender's full address, not just the display name. Apple Support <support@apple-billing-help.co> is not Apple.
Check SPF, DKIM, and DMARC by viewing the email headers in Gmail ("Show original") or Outlook.
Never click login or password-reset links from email. Instead, type the company's address directly into your browser.
Report suspicious emails to your provider — this trains spam filters and helps others.

QR Code Safety: A Growing Threat

QR codes are essentially visual links, and "quishing" (QR phishing) has exploded. Attackers stick fake QR codes over real ones in restaurants, parking meters, and posters.

Before scanning, ask: does this QR code look tampered with or pasted over? After scanning, your phone should show a preview of the URL — read it carefully before tapping "Open." If the URL looks suspicious, cancel and visit the site manually.

Building Safer Link Habits Long-Term

Tools help, but habits protect you when tools aren't available.

Use a password manager. It auto-fills credentials only on the real domain, so a phishing site won't trigger autofill — a built-in alarm.
Enable two-factor authentication everywhere. Even if a link steals your password, 2FA blocks most takeovers.
Keep your browser updated. Modern browsers block known phishing and malware sites automatically.
Use encrypted DNS (DNS-over-HTTPS or DNS-over-TLS) with a filtering resolver like Cloudflare 1.1.1.1 for Families, Quad9, or NextDNS to block malicious domains at the network level.
Treat unsolicited links as guilty until proven innocent.

For Site Owners and Marketers: Send Trustworthy Links

If you share links professionally, your audience's safety is your responsibility too. Branded short domains, custom slugs, and link previews dramatically increase click-through trust. Platforms like Lunyb and others reviewed in our URL shortener comparison offer destination scanning and analytics so recipients can verify links before clicking.

For a deeper look at branded link providers, see our Rebrandly 2026 review.

Quick Reference: The Link Safety Checklist

Read the real domain (right before the first single slash).
Look for typosquatting and suspicious TLDs.
Hover or long-press to see the actual URL.
Expand any shortened links with a free expander.
Run uncertain links through VirusTotal and URLScan.io.
Check the context: who sent it, why, and is it expected?
If anything feels off, don't click — type the address manually.

Frequently Asked Questions

Is it dangerous just to click a link, even if I don't enter anything?

In most cases, simply visiting a malicious page won't infect a fully updated device — modern browsers sandbox content well. However, drive-by exploits targeting unpatched browsers or plugins do exist, and the page can immediately start tracking you, fingerprinting your device, or attempting social engineering. Treat unknown links as potentially harmful regardless.

How can I check if a link is safe without clicking it?

Copy the URL (right-click → Copy link on desktop, long-press → Copy on mobile) and paste it into a scanner like VirusTotal or URLScan.io. These tools analyze the link without you ever visiting it. For shortened URLs, use an expander first to reveal the real destination.

Does HTTPS mean a link is safe?

No. HTTPS only encrypts the connection between your browser and the site — it does not verify the site's intent. The vast majority of phishing pages now use HTTPS because free SSL certificates are easy to obtain. Always combine the padlock check with domain inspection and reputation scanning.

What should I do if I already clicked a suspicious link?

Don't panic, but act quickly: close the page, disconnect from the network if anything downloaded, run a full antivirus scan, change passwords for any accounts you may have entered credentials into (starting with email), enable two-factor authentication, and monitor financial accounts for unusual activity. If it was a work device, notify your IT or security team immediately.

Are link previews in messaging apps trustworthy?

Link previews show the page's title, description, and image — but those are controlled by whoever owns the destination. A scammer can craft a preview that looks identical to a legitimate brand. Use previews as a hint, not proof. Always verify the actual domain before clicking.

Are URL shorteners themselves dangerous?

Shorteners aren't inherently dangerous — they're a tool, like any other. Reputable services scan destinations and block malicious links automatically. Risk comes from anonymous or low-quality shorteners that allow anything. When you receive a shortened link, expand it first; when you send one, choose a provider known for safety and transparency.