How to Check if a Link Is Safe Before Clicking: 2026 Guide

Every day, billions of links are shared through email, chat apps, social media, and search results — and a small but dangerous fraction of them lead to phishing pages, malware downloads, or fraudulent stores. Knowing how to check if a link is safe before you click takes about 15 seconds, and it can save you from drained bank accounts, hijacked email logins, and ransomware infections. This guide walks through the exact checks security professionals use, the free tools available to anyone, and the warning signs you should never ignore.

Why Checking Links Before Clicking Matters

A malicious link is the single most common entry point for cyberattacks against individuals. According to multiple industry threat reports, more than 90% of successful breaches begin with a phishing message — and the payload is almost always a URL. The link might impersonate your bank, a delivery service, a tax authority, or even a coworker on LinkedIn.

What makes 2026 different from a few years ago is the rise of AI-generated phishing pages that look pixel-perfect, short-lived domains that disappear before blocklists catch them, and link shorteners being abused to disguise destinations. The defensive habit you need is simple: never click a link blindly, even from someone you trust.

The 60-Second Link Safety Check

A link safety check is a quick process of inspecting a URL's destination, reputation, and behavior before opening it in a browser. Here is the fastest reliable workflow:

Hover, don't click. On desktop, hover your cursor over the link and read the actual destination in your browser's status bar (bottom-left corner). On mobile, long-press the link to preview the URL.
Read the domain carefully. Look at the part right before the first single slash. paypal.com.security-check.ru is NOT PayPal — the real domain is security-check.ru.
Run it through a URL scanner. Paste the link into a free reputation checker like VirusTotal, URLVoid, or Google Safe Browsing.
Check the link preview if it's shortened. Expand shortened links with a preview tool before opening them.
Look for red flags. Misspellings, urgent language in the surrounding message, mismatched display text, and unusual top-level domains all increase risk.

Do these five steps and you'll catch the vast majority of malicious links before they ever load.

How to Read a URL Like a Security Analyst

Understanding URL structure is the foundation of every other check. A URL has several parts, and attackers exploit the parts most people don't read.

The Anatomy of a URL

Consider this example: https://login.example-bank.com/account?id=123

Protocol: https:// — encrypted connection (good, but not proof of safety)
Subdomain: login — anyone can create any subdomain
Root domain: example-bank.com — this is the part that actually matters
Path: /account — the page on that domain
Parameters: ?id=123 — data passed to the page

Common Tricks Attackers Use

Lookalike characters: rnicrosoft.com (r+n looks like m) or paypaI.com (capital I instead of lowercase l).
Subdomain spoofing: apple.com.verify-id.net — the real domain is verify-id.net.
Punycode attacks: Unicode characters that render as Latin letters, like аpple.com using a Cyrillic 'а'.
Misleading display text: The blue underlined text says "www.your-bank.com" but the actual href points somewhere else entirely.
Suspicious TLDs: While not automatically bad, brand-new or rarely-used top-level domains (.zip, .mov, .top, .xyz) appear in phishing campaigns at much higher rates.

Free Tools to Check if a Link Is Safe

You don't need to install anything. These web-based scanners check a URL's reputation across multiple threat databases in seconds.

Tool	What It Checks	Best For	Cost
VirusTotal	70+ antivirus engines, domain reputation, file analysis	Comprehensive scan	Free
Google Safe Browsing	Google's malware and phishing database	Quick reputation check	Free
URLVoid	30+ blocklist services, domain age, location	Suspicious domains	Free
urlscan.io	Live page render, network requests, screenshots	Seeing the site safely	Free
PhishTank	Community-verified phishing URLs	Known phishing checks	Free
Sucuri SiteCheck	Malware, blocklist status, outdated software	Website health	Free

How to Use VirusTotal (Recommended First Step)

Go to virustotal.com.
Click the "URL" tab.
Paste the suspicious link and press Enter.
Wait a few seconds for the scan to complete.
Review the results: green checkmarks mean the engines didn't detect anything, red flags mean at least one vendor classifies the URL as malicious.

Important: if even 1–2 reputable engines flag the URL, treat it as suspicious. False positives exist, but the cost of being wrong is far higher than the cost of skipping the link.

How to Check Shortened Links Safely

Short URLs (like bit.ly, t.co, or branded short links) hide the destination by design, which is great for clean sharing but also a favorite tool of scammers. Before clicking a shortened link, expand it first.

Link Expanders You Can Use

CheckShortURL.com — paste a short link and see the destination, page title, and a screenshot.
Unshorten.it — reveals the long URL and includes a reputation score.
ExpandURL.net — shows the full redirect chain (some malicious links pass through 4–5 hops).

Many reputable shortening platforms — including Lunyb — scan destination URLs against threat databases at creation time and block known malware or phishing pages from being shortened in the first place. That said, no shortener catches 100% of threats, so you should always expand and inspect before clicking, regardless of which service generated the short link. For a wider comparison of trustworthy services, see our 2026 URL shortener buyer's guide.

Red Flags That Should Stop You From Clicking

Even without running a scanner, certain signals reliably predict that a link is dangerous. Train your eye to spot these instantly.

Red Flags in the URL Itself

Long strings of random characters in the domain (e.g., secure-update-x9q3z.com)
The brand name appears as a subdomain rather than the root domain
Numbers substituted for letters (0 for o, 1 for l)
Hyphens stacked unnaturally (apple-id-verify-account.com)
IP addresses instead of domain names (http://192.0.2.45/login)
Missing HTTPS on a login page
Country-code TLDs unrelated to the supposed sender

Red Flags in the Surrounding Message

Urgency: "Your account will be closed in 24 hours."
Unexpected attachments or invoices from companies you've never used.
Grammar and spelling errors in messages claiming to be from major brands.
Generic greetings like "Dear Customer" from a service that knows your name.
Requests for credentials, codes, or payment via a link.
Sender address mismatch: display name says "Amazon" but the email comes from a random Gmail or unrelated domain.

How to Check a Link on Mobile Devices

Mobile makes link inspection harder because there's no hover and screens hide long URLs. Here's how to stay safe on phones and tablets.

On iPhone and iPad

Press and hold the link without releasing.
A preview card appears showing the full URL and a page preview.
Read the domain carefully before tapping "Open."
If anything looks off, tap outside the preview to cancel.

On Android

Long-press the link.
Choose "Preview page" (Chrome) or "Copy link address."
If you copied the link, paste it into VirusTotal or a link expander rather than your address bar.

For an extra layer, enable Google Safe Browsing in Chrome (Settings → Privacy and security → Safe Browsing → Enhanced protection). It checks links in real time against Google's threat intelligence.

Browser and System Settings That Help

Beyond manual checks, your browser and operating system have built-in protections that you should make sure are turned on.

Safe Browsing / SmartScreen: Chrome's Safe Browsing and Edge's SmartScreen both block known malicious sites automatically. Enable the strictest setting.
DNS-level filtering: Free encrypted DNS services like Cloudflare's 1.1.1.1 for Families or NextDNS block malware and phishing domains before your browser even loads them.
Browser extensions: Reputable tools like Bitdefender TrafficLight or Malwarebytes Browser Guard flag dangerous links in search results and on social media.
Keep software updated: Many drive-by attacks rely on outdated browsers. Turn on automatic updates.
Use a password manager: Password managers won't autofill on lookalike domains, giving you an instant warning that you're not on the real site.

What to Do If You Already Clicked a Suspicious Link

If you realize you clicked something dangerous, don't panic — quick action limits damage.

Close the tab immediately. Don't enter any information.
Disconnect from the internet if you suspect a download started (turn off Wi-Fi or unplug ethernet).
Run a full antivirus scan using Windows Defender, Malwarebytes, or your installed security tool.
Change passwords for any account whose credentials you may have entered, starting with email and banking.
Enable two-factor authentication on every important account if you haven't already.
Watch your financial accounts for unusual activity over the next 30 days.
Report the link to Google Safe Browsing, the impersonated brand, and your email provider so others are protected.

Building a Habit: The 5-Second Rule

Security tools only work if you use them. The best protection isn't any single scanner — it's a habit. Before any click, pause for five seconds and ask:

Was I expecting this message?
Does the visible URL match what it claims to be?
Is the sender pressuring me to act fast?
Would clicking expose a password, payment, or download?

If any answer makes you hesitate, run the link through VirusTotal or expand it with a preview tool. The five-second pause is the cheapest, most effective security control available to anyone.

Frequently Asked Questions

Is a link with HTTPS always safe?

No. HTTPS only means the connection to the site is encrypted — it does not mean the site itself is legitimate. Most phishing sites today use HTTPS because free certificates are easy to obtain. Always check the domain name itself, not just the padlock icon.

Can I get a virus just by hovering over a link?

No. Hovering simply displays the URL — no code executes. You need to actually click (or in rare cases, just load a page with a vulnerable browser) for malicious code to run. Hovering is one of the safest inspection steps you can take.

What's the safest way to open a link I'm unsure about?

Use urlscan.io to load the page in a sandboxed environment and view a screenshot. This shows you what the site looks like without exposing your device to any scripts or downloads. For a stronger isolation, open the link inside a disposable virtual machine or a browser sandbox tool.

Are all shortened links dangerous?

Not at all. Shortened links are widely used by legitimate brands, marketers, and creators for clean sharing and analytics. The risk is that the destination is hidden. Reputable services scan destinations against malware databases at creation. The right habit is to expand any short link from an unknown source before clicking — see our Rebrandly review and shortener comparison for trustworthy options.

How can I tell if an email link is from a real company?

Don't rely on the email itself — it can be spoofed. Instead, ignore the link entirely and visit the company's website directly by typing the address into your browser, or use the official mobile app. If there's a real notification on your account, you'll see it there. This single habit defeats nearly every phishing attempt.

Final word: checking links is a 60-second skill that pays back for the rest of your digital life. Bookmark VirusTotal, enable Safe Browsing, and build the habit of pausing before you click. The vast majority of online threats can't reach you if the link never opens.