How to Check if a Link Is Safe Before Clicking: The Complete 2026 Guide
Every day, billions of links are shared through email, text messages, social media, and chat apps. Most are harmless. But a small fraction lead to phishing pages, malware downloads, fake login screens, or scam sites designed to steal your money, identity, or data. Knowing how to check if a link is safe before you click is one of the most valuable digital skills you can develop in 2026.
This guide covers every reliable method, from free online scanners to manual inspection techniques and behavioral red flags. By the end, you'll be able to evaluate any suspicious URL in under 30 seconds.
What Makes a Link Unsafe?
An unsafe link is any URL that leads to a destination intended to harm the visitor, steal data, or deceive them. Unsafe links generally fall into four categories:
- Phishing links — fake versions of legitimate sites (banks, Microsoft, Amazon, social networks) designed to capture your credentials.
- Malware links — pages that automatically download viruses, ransomware, spyware, or keyloggers.
- Scam links — fake giveaways, investment fraud, romance scams, or fake delivery notifications.
- Tracking and exploit links — URLs that fingerprint your device, exploit browser vulnerabilities, or redirect through malicious ad networks.
A link can look completely normal and still belong to any of these categories. That's why a quick safety check is essential, especially when the link arrives unexpectedly.
10 Reliable Ways to Check if a Link Is Safe
Below are the most effective techniques used by security professionals. You don't need to use all of them — pick two or three based on how suspicious the link looks.
1. Hover Over the Link to Preview the Real URL
On desktop, hover your mouse over a link (without clicking) and look at the bottom-left corner of your browser or email client. The true destination will appear there. On mobile, long-press the link until a preview pops up.
This is the fastest way to catch mismatched links — for example, when the visible text says paypal.com but the actual URL is paypal-secure-login.ru.
2. Inspect the Domain Name Carefully
Read the domain from right to left, starting at the top-level domain (.com, .org, .net). The real domain is the part immediately before the first single slash. Watch out for:
- Lookalike characters:
arnazon.com(r+n) instead ofamazon.com. - Extra words:
secure-microsoft-login.comis not Microsoft. - Subdomain tricks:
apple.com.verify-account.xyzbelongs toverify-account.xyz, not Apple. - Unusual TLDs like .zip, .top, .click, .country, or .review when the brand normally uses .com.
3. Use a Free Online Link Scanner
Paste the URL into a reputable scanner before clicking. These tools check the link against threat intelligence databases and analyze its behavior in a sandbox. Top free options:
- VirusTotal (virustotal.com) — scans the URL against 70+ antivirus engines.
- URLVoid — checks reputation across 30+ blocklists.
- Google Safe Browsing Transparency Report — tells you if Google has flagged the site.
- urlscan.io — loads the page in a sandbox and shows you screenshots and network activity.
- PhishTank — community database of confirmed phishing URLs.
If two or more of these flag a link, do not click it.
4. Expand Shortened Links Before Clicking
Short links (bit.ly, t.co, tinyurl, etc.) hide their final destination. Before clicking an unfamiliar short link, expand it using a URL expander like CheckShortURL, GetLinkInfo, or Unshorten.it. Trustworthy shortening services — including Lunyb — only link to user-submitted destinations and don't scan the page for you, so verifying the long form yourself is always a smart habit.
For a broader comparison of which shortening services are most reliable, see our 2026 buyer's guide to URL shorteners.
5. Check the HTTPS Padlock — But Don't Trust It Alone
HTTPS (the padlock icon) means the connection is encrypted, but it does not mean the site is legitimate. Modern phishing sites almost always have valid SSL certificates because they're free to obtain. Use the padlock as one signal among many, not as proof of safety.
6. Look Up the Domain Age with WHOIS
Most phishing domains are registered just days or weeks before they're used. Use a free WHOIS lookup tool (who.is, whois.domaintools.com) to check when a domain was created. A domain registered three days ago and claiming to be a major bank is almost certainly fake.
7. Search for the Link or Domain on Google
Copy the domain (not the full URL with parameters) and search it in quotes: "suspicious-domain.com". Look for:
- Reports on Reddit, Trustpilot, or scam-tracking sites.
- Mentions on phishing databases.
- Whether the official brand actually owns or acknowledges that domain.
8. Use Browser Built-In Safety Warnings
Chrome, Edge, Firefox, Safari, and Brave all include Safe Browsing or SmartScreen protection. Make sure these features are enabled in your browser settings. If you click a link and your browser shows a red warning page, close it immediately — do not bypass the warning.
9. Enable Encrypted, Filtering DNS
Switching your device or router to a privacy-focused DNS resolver like Cloudflare 1.1.1.1 for Families, NextDNS, Quad9, or AdGuard DNS adds a silent layer of protection. These services block known malicious and phishing domains at the network level, so dangerous links simply won't load — even if you accidentally click them.
10. Open Suspicious Links in a Sandbox or Disposable Browser
If you absolutely must visit a questionable link, do it inside an isolated environment: a guest browser profile, an incognito window with no extensions, a virtual machine, or a service like Browserling or urlscan.io that loads the page remotely. This prevents any payload from touching your real system.
Quick Comparison: Free Link Safety Tools
| Tool | Best For | Speed | Cost |
|---|---|---|---|
| VirusTotal | Multi-engine malware check | ~10 seconds | Free |
| urlscan.io | Sandbox screenshot & behavior | ~30 seconds | Free |
| Google Safe Browsing | Confirming known-bad URLs | Instant | Free |
| URLVoid | Reputation blocklists | ~5 seconds | Free |
| WHOIS lookup | Domain age verification | ~5 seconds | Free |
| CheckShortURL | Expanding short links | Instant | Free |
| PhishTank | Confirmed phishing database | Instant | Free |
Warning Signs of a Dangerous Link
Even without tools, certain red flags should make you pause. A link is more likely to be malicious if it shows several of these patterns:
- Urgency or fear: "Your account will be deleted in 24 hours, click here!"
- Unexpected attachments or invoices from someone you don't normally do business with.
- Misspellings in the domain, the surrounding message, or the sender's name.
- Generic greetings like "Dear customer" from a service that normally uses your name.
- Mismatched display text and URL ("Click here to log in to PayPal" pointing to a random domain).
- Requests for credentials, OTP codes, or payment info via a link in an unsolicited message.
- Excessive subdomains or very long URLs full of random characters.
- Recently registered domains claiming to represent established brands.
- Promises that are too good to be true: free iPhones, unclaimed inheritance, guaranteed crypto returns.
How to Check Links on Mobile Devices
Mobile users are more vulnerable because previewing URLs is harder and screens are smaller. Use these techniques on iOS and Android:
- Long-press the link instead of tapping. A preview menu will show the full URL and let you copy it.
- Copy the link and paste it into a scanner like VirusTotal in your browser.
- Use a browser with built-in protection — Safari, Chrome, Brave, and Firefox all include phishing warnings on mobile.
- Enable filtering DNS system-wide via your phone's DNS settings or a profile from NextDNS / Cloudflare.
- Never log in via a link received in SMS or chat — always open the official app or type the domain manually.
How to Check Links Inside Emails
Email is the #1 delivery method for phishing. Before clicking any link in an email:
- Verify the sender's full email address, not just the display name.
support@arnazon-billing.cois not Amazon. - Hover over every link to compare visible text vs. real URL.
- Check the email headers if you're technical — look for SPF, DKIM, and DMARC pass results.
- Never click "unsubscribe" in spam — it can confirm your address is active or load tracking pixels.
- When in doubt, go to the source: open a new browser tab and type the company's domain manually.
What to Do If You Already Clicked a Suspicious Link
If you've already clicked, don't panic — act fast:
- Close the tab immediately and disconnect from the internet if anything started downloading.
- Do not enter any credentials if a login page appeared.
- Run a full antivirus scan using your built-in tool (Microsoft Defender, XProtect) or a reputable scanner like Malwarebytes.
- Change passwords for any account whose credentials you may have entered — start with email and banking.
- Enable two-factor authentication on all critical accounts if you haven't already.
- Monitor financial statements for the next 30–60 days.
- Report the link to Google Safe Browsing, PhishTank, and the impersonated brand so others are protected.
Building Safer Link Habits Long-Term
Tools help, but habits protect you 24/7. Adopt these practices:
- Treat every unexpected link as guilty until proven innocent.
- Bookmark the sites you use for banking, email, and shopping — and only access them through bookmarks.
- Use a password manager so credentials only auto-fill on the real domain. If autofill doesn't trigger, the site is probably fake.
- Keep your browser and OS updated — most exploit links rely on outdated software.
- When you share links with others, use a reputable shortener so recipients can trust the source. Branded short links from services like Rebrandly or Lunyb make it easier for recipients to recognize that a link is genuinely from you.
Frequently Asked Questions
Is a link safe just because it uses HTTPS?
No. HTTPS only encrypts the connection between your browser and the server — it does not verify that the site is legitimate. The vast majority of modern phishing sites use HTTPS because SSL certificates are free. Always combine the padlock check with a domain inspection and, ideally, a scanner like VirusTotal.
What's the fastest way to check if a link is safe?
The fastest reliable check is to hover over the link to see the true URL, then paste it into VirusTotal or Google Safe Browsing. Both take under 15 seconds and catch the majority of known-bad URLs. For shortened links, expand them first with CheckShortURL before scanning.
Are shortened links like bit.ly or lunyb.com dangerous?
Short links are not dangerous by themselves — they're just redirects. The risk is that they hide the final destination, so a bad actor could shorten a malicious URL. Reputable shorteners enforce abuse policies and remove malicious links when reported. Before clicking an unfamiliar short link, expand it with a URL expander or paste it into urlscan.io.
Can I get hacked just by clicking a link without entering anything?
It's rare but possible. "Drive-by" attacks exploit unpatched browser or plugin vulnerabilities to install malware the moment a page loads. Keeping your browser, operating system, and extensions fully updated prevents almost all of these. Using filtering DNS adds another safety net by blocking known malicious domains before they ever load.
How can I tell if an email link is really from my bank?
Banks almost never send unsolicited links asking you to log in, verify identity, or update payment details. If you receive one, do not click. Instead, open a new browser tab, type your bank's domain manually (or use a bookmark), and check your messages inside the official portal or app. If something legitimate is happening, it will be waiting for you there.
Final Thoughts
Learning how to check if a link is safe is no longer optional — it's a basic literacy skill for anyone who uses the internet. The good news is that the techniques in this guide take seconds to apply and dramatically reduce your exposure to phishing, malware, and online fraud. Hover before you click, scan when in doubt, and trust your instincts when something feels off. Combined with strong passwords, two-factor authentication, and a safety-first browser setup, these habits will keep you ahead of nearly every common online threat in 2026 and beyond.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
How to Shorten a URL: The Complete 2026 Guide
Learn how to shorten a URL in seconds with this complete 2026 guide. We cover free tools, custom aliases, branded domains, QR codes, analytics, and security best practices to help you share links like a pro.
How to Check if Your Password Was Leaked in a Data Breach (2026 Guide)
Worried your credentials are floating around the dark web? Learn how to check if your password was leaked in a data breach using safe, free tools, and discover exactly what to do next to secure your accounts.
How to Block Trackers on Your Phone: The 2026 Complete Guide
Phone trackers quietly harvest your location, habits, and identity across every app you use. This step-by-step guide shows you exactly how to block them on iOS and Android using built-in settings, encrypted DNS, and trusted free tools — in under 30 minutes.
How to Hide Photos with an Encrypted Photo Vault: Complete 2026 Guide
An encrypted photo vault protects your sensitive images with cryptographic security that survives lost devices and cloud breaches. This guide explains how to choose a vault app, hide photos correctly, and back up your encrypted library without breaking your privacy.