facebook-pixel

How to Check if a Link Is Safe Before Clicking: The Complete 2026 Guide

L
Lunyb Security Team
··10 min read

Every day, billions of links are shared across email, social media, and messaging apps — and a shocking percentage of them lead somewhere they shouldn't. Phishing attacks now account for more than 36% of all data breaches, and a single misplaced click can compromise your passwords, drain your bank account, or install ransomware on your device. Learning how to check if a link is safe before clicking has become one of the most essential digital literacy skills of the modern era.

This guide walks you through practical, expert-backed methods to verify any URL — from quick visual checks anyone can do in seconds to advanced tools used by cybersecurity professionals. Whether you're evaluating a suspicious email link, a shortened URL from a stranger, or an unfamiliar advertisement, you'll leave with a repeatable process to protect yourself.

Why Checking Links Before Clicking Matters

A malicious link is any URL designed to harm the visitor — whether by stealing credentials, delivering malware, executing scripts, or tricking the user into a scam. Because modern attacks are increasingly sophisticated, even tech-savvy users fall victim to well-crafted phishing pages that look identical to legitimate sites.

The stakes are high:

  • Financial loss: Fake banking and payment pages harvest login details in seconds.
  • Identity theft: Personal data collected through fraudulent forms fuels long-term identity crime.
  • Malware infection: Drive-by downloads can silently install spyware, keyloggers, or ransomware.
  • Account takeover: One compromised password often cascades into email, social, and workplace accounts.

The good news? Nearly every dangerous link leaves clues. You just need to know where to look.

Quick Visual Checks You Can Do in 5 Seconds

Before you reach for any tool, train your eyes to spot common red flags. A quick visual scan catches the majority of low-effort phishing attempts.

1. Hover Before You Click

On desktop, hovering your mouse over any hyperlink reveals the true destination in the bottom-left corner of your browser or email client. If the visible text says "paypal.com" but the hover preview shows "paypa1-secure-login.xyz," that's an immediate deal-breaker.

On mobile, press and hold the link (don't tap) to see a preview URL in most apps.

2. Examine the Domain Carefully

Attackers rely on look-alike domains. Watch for:

  • Character substitution: "rn" instead of "m" (arnazon.com), "0" instead of "o", or Cyrillic letters that look Latin.
  • Extra subdomains: "apple.com.secure-login.info" — the real domain is "secure-login.info," not Apple.
  • Unusual TLDs: A bank sending links to .zip, .top, .xyz, or .click is highly suspicious.
  • Hyphenated variations: "my-bank-login.com" when the real site is "mybank.com".

3. Check for HTTPS — but Don't Trust It Blindly

HTTPS (the padlock icon) only means the connection is encrypted, not that the site is trustworthy. Over 80% of phishing sites now use HTTPS. Treat it as a minimum requirement, not a guarantee.

How to Check if a Link Is Safe Using Free Online Tools

When visual checks aren't enough, dedicated URL scanners analyze links against massive threat databases and sandbox environments. Here's how to use them.

Step-by-Step: Scanning a Link Safely

  1. Copy the link without clicking. Right-click (desktop) or long-press (mobile) and choose "Copy link address."
  2. Paste it into a scanner. Use one of the trusted tools listed below.
  3. Review the report. Look for detections from multiple engines, not just one.
  4. Check the final destination. Some scanners reveal redirect chains — critical for shortened URLs.
  5. Decide based on evidence. If two or more reputable engines flag it, don't visit.

Recommended URL Safety Scanners

Tool Best For Cost Key Feature
VirusTotal Comprehensive scanning Free Checks the URL against 70+ antivirus engines
Google Safe Browsing Quick verification Free Same database Chrome and Firefox use
URLScan.io Deep technical analysis Free Screenshots and behavior in a sandbox
PhishTank Confirmed phishing lookup Free Community-verified phishing database
Sucuri SiteCheck Malware and blacklist checks Free Detects injected scripts and defacement

How to Handle Shortened Links Safely

Shortened URLs (bit.ly, t.co, tinyurl, and similar) hide the real destination behind a compact redirect. This is convenient for legitimate sharing but also exploited by scammers to disguise malicious sites.

Expanding a Short Link Before You Click

Use a link expander to reveal the full destination without visiting it:

  1. CheckShortURL.com — expands the URL and shows page metadata.
  2. Unshorten.It — reveals the full chain of redirects.
  3. URLScan.io — follows redirects and screenshots the endpoint safely.

Reputable shortener services also add safety layers on their end. For example, Lunyb screens destinations at the moment of link creation and can block harmful URLs before they're ever shared. That said, no shortener is perfect — always expand unknown links yourself when the source is untrusted. If you're comparing services, our 2026 URL shortener buyer's guide breaks down which providers take safety seriously.

Warning Signs Specific to Short Links

  • Sent from an unknown sender with no context
  • Paired with urgent language ("Act now," "Your account will be closed")
  • Posted in comments or DMs offering "free" prizes or crypto
  • Redirects through multiple domains before landing

Advanced Techniques for Verifying a Link

If you handle links professionally — as an IT admin, marketer, or journalist — go beyond the basics with these techniques.

Inspecting the WHOIS Record

A domain's WHOIS record reveals when it was registered. Phishing domains are often less than 30 days old. Use whois.domaintools.com or who.is to check registration age. A "bank" domain registered last week is virtually always fraudulent.

Checking SSL Certificate Details

Click the padlock in your browser (on a link you've already opened safely) and inspect the certificate. Legitimate businesses use Organization Validation (OV) or Extended Validation (EV) certificates that name the actual company. A free auto-issued certificate on a "bank" page is a red flag.

Sandboxing Suspicious Links

Services like URLScan.io, Any.Run, and Hybrid Analysis load the page inside a virtual environment and record what happens — network requests, downloads, script execution — without risking your device. This is the gold standard when you must see what a link does.

Using DNS-Level Filtering

Encrypted DNS services with built-in threat blocking (like Cloudflare 1.1.1.2, Quad9, or NextDNS) refuse to resolve known malicious domains system-wide. This adds a passive safety net for every device on your network.

Red Flags Checklist: When to Never Click

Even if a link looks technically valid, context matters. Refuse to click when you see any of these warning patterns:

Sender Red Flags

  • Email from a public domain (gmail.com) claiming to be a corporation
  • Sender address with subtle misspellings (support@amaz0n-help.com)
  • Unsolicited message from a "colleague" asking you to review a document
  • Message from a legitimate contact whose account may be compromised (tone or content feels off)

Message Content Red Flags

  • Urgency or threats ("Your account will be suspended in 24 hours")
  • Unexpected attachments or invoices
  • Requests for credentials, MFA codes, or payment info
  • Generic greetings ("Dear Customer") from services that know your name
  • Grammar and spelling inconsistencies

Destination Red Flags

  • Page asks you to "re-verify" your password immediately
  • Login form on a non-branded domain
  • Prompts to install a browser extension or download a file
  • Fake CAPTCHAs that ask you to press Windows+R and paste commands

Building Safe Clicking Habits

Tools help, but consistent habits are what keep you safe long-term. Adopt these five practices.

1. Verify Through a Second Channel

If your "bank" emails you, don't click. Open a new tab, type the URL yourself, and log in. If it's important, the notice will be waiting inside your account.

2. Use a Password Manager

Password managers auto-fill credentials only on the exact domain they were saved for. If your manager refuses to autofill, that's a strong signal the site is fake — even if it looks identical.

3. Enable Multi-Factor Authentication (MFA)

Even if a phishing site captures your password, MFA (especially hardware keys or app-based codes) blocks the attacker from actually logging in. Never share MFA codes with anyone via link, phone, or chat.

4. Keep Software Updated

Browsers, operating systems, and antivirus software patch newly discovered vulnerabilities constantly. An outdated browser is a magnet for drive-by attacks.

5. Use Browsers with Built-in Protection

Chrome, Firefox, Edge, and Brave all include Safe Browsing lists that warn or block known malicious URLs. Keep these features enabled.

What to Do If You Already Clicked a Suspicious Link

Panic doesn't help — quick, methodical action does. Follow this recovery checklist.

  1. Disconnect from the internet. Turn off Wi-Fi or unplug the ethernet cable to halt any active download or data exfiltration.
  2. Do not enter any credentials. If you already did, treat those passwords as compromised.
  3. Run a full malware scan. Use your primary antivirus plus a second-opinion scanner like Malwarebytes.
  4. Change affected passwords immediately. Start with email, bank, and any account sharing the compromised password.
  5. Enable or reset MFA on the affected accounts.
  6. Monitor financial statements for the next 30–60 days.
  7. Report the link. Submit it to Google Safe Browsing, PhishTank, and the impersonated brand's abuse team.

Choosing Trustworthy Link Sharing Tools

If you frequently share URLs yourself, choose a shortener that treats safety as a first-class feature — including malware scanning, abuse detection, and transparent link previews. Providers like Lunyb offer safety-first shortening with click analytics, while enterprise options such as Rebrandly focus on branded domains (see our Rebrandly review for a full breakdown). Whichever tool you pick, make sure it offers link expansion previews and clear reporting mechanisms so your recipients can trust what they click.

Frequently Asked Questions

Is it enough to just look at the padlock icon in the address bar?

No. The padlock (HTTPS) only confirms that data between your browser and the site is encrypted. It does not verify the site's identity or intentions. The vast majority of phishing pages now use HTTPS certificates, so treat the padlock as a baseline expectation rather than proof of legitimacy.

How can I check a link on my phone without opening it?

On both iOS and Android, press and hold the link (do not tap). A preview will appear showing the full destination URL and options to copy it. Copy the link and paste it into a scanner like VirusTotal or URLScan.io through your mobile browser to analyze it safely.

Are shortened links always dangerous?

No. Reputable shorteners like Bitly, Lunyb, and Rebrandly are used for legitimate marketing, analytics, and readability. The risk comes from not knowing where a short link leads. Use an expander service or a scanner that follows redirects before clicking any short URL from an untrusted source.

What is the safest way to preview an unknown link?

Use a sandbox-based scanner such as URLScan.io or Any.Run. These services load the page inside an isolated virtual environment and provide screenshots, network traffic logs, and behavior reports — giving you a full picture of what the link does without exposing your device.

Can antivirus software block malicious links automatically?

Modern security suites include web protection modules that block known malicious URLs at the browser or network level. However, brand-new phishing sites can go undetected for hours or days before being blacklisted. Combine antivirus with cautious habits, DNS-level filtering, and manual verification for the strongest defense.

Final Thoughts

Learning how to check if a link is safe before clicking isn't paranoia — it's basic digital hygiene in 2026. The techniques in this guide, from a five-second hover check to sandboxed scanning, take minutes to master but can save you from catastrophic consequences. Build the habit of pausing before every unfamiliar click, use trusted tools when in doubt, and share what you've learned with less tech-savvy friends and family. In a world where one click can change everything, a moment of verification is the cheapest insurance you'll ever buy.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles