How to Check if a Link Is Safe Before Clicking: The Complete 2026 Guide
Every day, billions of links pass through inboxes, chat apps, and social feeds—and a frighteningly large share of them lead somewhere users didn't expect. Phishing attacks now account for over 36% of all data breaches, and a single misplaced click can hand over your passwords, install ransomware, or empty a bank account in minutes.
The good news: checking whether a link is safe takes seconds once you know how. This guide covers every reliable method—from quick visual inspection to free scanning tools and browser features—so you can click with confidence.
What Makes a Link Unsafe?
An unsafe link is any URL that leads to a destination designed to harm the visitor or deceive them into giving up sensitive information. Unsafe links typically fall into four categories:
- Phishing pages — fake login screens that steal credentials.
- Malware downloads — pages that drop trojans, ransomware, or spyware onto your device.
- Scam sites — fraudulent stores, fake giveaways, or investment cons.
- Drive-by exploits — pages that attack browser vulnerabilities just by loading.
Attackers disguise these destinations using lookalike domains, shortened URLs, misleading anchor text, and homograph characters that mimic legitimate brands. Knowing how to verify a link's true destination is the single most important skill in personal cybersecurity.
Quick Visual Checks: Spot Red Flags in Seconds
Before reaching for any tool, train your eye to catch obvious warning signs. Most malicious links betray themselves to a careful reader.
1. Hover Before You Click
On desktop, hover your mouse over any hyperlink without clicking. The real destination URL appears in the bottom-left corner of your browser or in a small tooltip. If the displayed text says "paypal.com" but the hover preview shows "paypa1-security.ru", that's a phishing link. On mobile, press and hold the link to reveal a preview menu.
2. Inspect the Domain Carefully
Read the domain from right to left. The real domain is the part immediately before the top-level domain (.com, .net, .org). For example, in secure-login.paypal.com.verify-account.io, the actual domain is verify-account.io—not PayPal. Attackers stuff trusted brand names into subdomains to fool you.
3. Watch for Lookalike Characters
Common tricks include:
- The number "0" replacing the letter "o" (g00gle.com)
- The letter "l" replacing "i" (microsoftl.com)
- Cyrillic letters that look identical to Latin ones (аpple.com — the "a" is Cyrillic)
- Extra hyphens or words (amazon-secure-checkout.com)
4. Check for HTTPS—But Don't Trust It Alone
A padlock icon and "https://" mean the connection is encrypted, not that the site is legitimate. Over 80% of phishing sites now use free SSL certificates. HTTPS only confirms the traffic is encrypted between you and the server—it says nothing about who owns that server.
How to Check a Shortened Link (bit.ly, t.co, etc.)
Shortened URLs hide their real destination, which makes them both useful and dangerous. Fortunately, you can preview where any short link leads before clicking.
Method 1: Add a "+" or Preview Flag
Some shorteners support built-in preview:
- Bitly: add a "+" to the end (e.g.,
bit.ly/abc123+) - TinyURL: add "preview." before the domain (e.g.,
preview.tinyurl.com/abc)
Method 2: Use an Unshortener Service
Free tools like CheckShortURL.com, Unshorten.it, and Unshorten.me expand any short URL and often provide a safety rating from multiple security vendors at the same time.
Method 3: Choose Transparent Shorteners
When you create your own short links, use a service that values transparency. Lunyb, for instance, offers clean, trackable short URLs without injecting ads or hidden redirects—so recipients always reach the destination you intended. If you're comparing options, our 2026 buyer's guide to the best URL shorteners breaks down what to look for.
Free Online Link Scanners You Can Trust
When in doubt, run the URL through a dedicated scanner. These tools analyze the link against massive databases of known threats and, in many cases, detonate the page in a sandbox to see what it actually does.
| Scanner | Best For | What It Checks | Cost |
|---|---|---|---|
| VirusTotal | General-purpose scanning | 70+ antivirus engines and URL blocklists | Free |
| Google Safe Browsing | Phishing & malware lookup | Google's threat database | Free |
| URLVoid | Domain reputation | 30+ reputation engines, WHOIS data | Free |
| urlscan.io | Deep technical analysis | Renders page in sandbox, shows redirects, scripts, screenshots | Free |
| PhishTank | Crowd-verified phishing | Community-reported phishing URLs | Free |
| Sucuri SiteCheck | Website malware | Injected scripts, defacements, blocklist status | Free |
How to Use a Scanner Step-by-Step
- Copy the suspicious link without clicking it (right-click → Copy Link Address).
- Open virustotal.com or another scanner from the table above.
- Paste the URL into the search field and press Enter.
- Review the results. On VirusTotal, look for any vendor flagging the link as "malicious" or "phishing."
- If you want to see how the page behaves, run it through urlscan.io, which renders a screenshot and lists every resource the page loads.
Built-In Browser Protections
Modern browsers include surprisingly effective link-safety features—if you keep them enabled.
Google Chrome & Edge
Enable Enhanced Safe Browsing under Privacy & Security settings. This sends URLs to Google in real time to catch newly discovered phishing sites that haven't yet hit public blocklists.
Firefox
Mozilla's built-in protection against deceptive content is on by default. Verify it under Settings → Privacy & Security → Deceptive Content and Dangerous Software Protection.
Safari
Safari uses Google Safe Browsing data on iOS and macOS. Make sure "Fraudulent Website Warning" is enabled in Safari preferences.
How to Investigate a Link More Deeply
If a link still feels suspicious after basic checks, dig into the domain's history.
1. Run a WHOIS Lookup
Use whois.domaintools.com or who.is to see when the domain was registered. Domains created within the last 30 days are statistically far more likely to be malicious—legitimate brands rarely operate from week-old domains.
2. Search the Domain on Google
Type the domain into Google with quotes: "example-domain.com". If almost no one mentions it, or if the only results are scam reports, walk away.
3. Check the Wayback Machine
Visit web.archive.org and paste the URL. A legitimate business usually has a history of snapshots stretching back years. A blank archive on a domain claiming to be a major bank is a giant red flag.
4. Look at SSL Certificate Details
Click the padlock icon in your browser's address bar and inspect the certificate. Free certificates from Let's Encrypt are fine, but a bank or retailer should have an Organization Validation (OV) or Extended Validation (EV) certificate naming the company.
Common Phishing Tactics to Recognize
Even the best tools miss zero-day phishing pages. Pattern recognition fills the gap.
Urgency and Fear
"Your account will be suspended in 24 hours." "Unusual sign-in detected—verify now." Real companies rarely demand instant action through a link in an email.
Mismatched Sender and Link
An email claiming to be from your bank but linking to a Google Docs page, a Telegram channel, or a random IP address is almost always a scam.
Too-Good-to-Be-True Offers
Free iPhones, surprise refunds, crypto giveaways from celebrities—these prey on excitement to bypass rational checks.
Attachments Disguised as Links
A "shared document" link that downloads a .zip, .exe, .scr, or .iso file instead of opening a preview is almost certainly malware.
A 30-Second Safety Routine for Every Link
Make this checklist automatic. It costs nothing and prevents the vast majority of attacks:
- Hover over the link and read the real destination.
- Read the domain right-to-left to find the true owner.
- Look for misspellings, extra words, or odd characters.
- If unsure, copy the URL (don't click) and paste it into VirusTotal or urlscan.io.
- When the source is unexpected (a text from "your bank," a DM from a stranger), assume it's hostile until proven otherwise.
What to Do If You Already Clicked a Bad Link
Mistakes happen. Acting quickly limits the damage.
- Disconnect from the internet immediately to stop data exfiltration or further downloads.
- Run a full antivirus scan with Windows Defender, Malwarebytes, or your installed security suite.
- Change passwords from a different, clean device—starting with email, banking, and any account you may have entered credentials into.
- Enable two-factor authentication on every critical account if you haven't already.
- Monitor your bank and credit card statements for the next several weeks and consider a credit freeze.
- Report the phishing link to Google Safe Browsing, the targeted brand, and the Anti-Phishing Working Group (reportphishing@apwg.org).
Tools and Habits Worth Adopting
Long-term safety comes from layered defenses, not a single magic tool:
- A reputable password manager that auto-fills only on the exact correct domain (it will refuse to fill on a fake site).
- Encrypted DNS services like Cloudflare 1.1.1.1 or Quad9 that block known malicious domains at the network level.
- Browser ad/script blockers like uBlock Origin to reduce drive-by exposure.
- Email filtering with a provider that flags suspicious links before they reach your inbox.
- Transparent URL shorteners. If you share links professionally, pick a shortener that doesn't compromise recipient trust—see our honest review of Lunyb or our Rebrandly review for 2026 for comparisons.
Frequently Asked Questions
Can I get hacked just by clicking a link?
In most cases, clicking alone won't compromise an up-to-date device—you typically have to enter credentials or download a file. However, drive-by exploits targeting unpatched browsers do exist, so keep your browser and OS updated and avoid clicking unknown links altogether.
Are shortened links always dangerous?
No. Shortened links are simply redirects—they're as safe as the destination they point to. The risk is that you can't see the destination at a glance. Use a preview tool or a transparent shortener to verify the endpoint before clicking.
Does HTTPS mean a link is safe?
No. HTTPS only means the connection is encrypted. The majority of phishing sites today use HTTPS with free SSL certificates. Always verify the domain, not just the padlock.
What's the fastest way to check a single link?
Copy the URL and paste it into VirusTotal.com. Within seconds, you'll see verdicts from 70+ security engines. For deeper analysis—like seeing what the page actually loads—use urlscan.io.
How do I check a link safely on my phone?
Press and hold the link to preview the full URL without opening it. If it still looks suspicious, copy it and paste it into a scanner like VirusTotal in your mobile browser. Never open unknown links directly from SMS or unsolicited messages.
Final Thoughts
Knowing how to check if a link is safe is no longer a niche IT skill—it's a basic life skill in 2026. The combination of a 30-second visual check, a quick scanner lookup when in doubt, and well-configured browser protections will neutralize the overwhelming majority of phishing attempts you'll encounter.
The attackers are counting on speed and emotion. Slow down for ten seconds, verify the destination, and you'll keep your accounts, your money, and your data exactly where they belong.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
What Is a URL Shortener and Why Use One? Complete 2026 Guide
A URL shortener turns long, messy web addresses into clean, short links that are easier to share, track, and remember. This guide explains how URL shorteners work, their key benefits, and how to choose the right one for your needs.
How to Use UTM Parameters with Short Links: Complete 2026 Guide
UTM parameters tell analytics platforms where your traffic comes from, but they create long, ugly URLs. This guide shows how to combine UTM tagging with short links to get clean, branded URLs and full campaign attribution — with examples, best practices, and common mistakes to avoid.
How to Delete Yourself from People Search Sites: Complete 2026 Guide
People search sites expose your home address, phone number, and personal details to anyone with a few dollars. This step-by-step 2026 guide shows you exactly how to delete yourself from major data brokers like Whitepages, Spokeo, and BeenVerified—and how to keep your information off them for good.
How to Create a Link in Bio Page in 2026: Complete Step-by-Step Guide
A link in bio page lets you share multiple destinations through one URL, perfect for social media profiles that allow only a single link. This complete 2026 guide walks you through planning, building, designing, and optimizing your own link in bio page from scratch.