Clicking a malicious link can install malware, steal your credentials, or drain your bank account — often within seconds. In 2025, 91% of cyberattacks began with a phishing email containing a deceptive link, according to cybersecurity firm Proofpoint. Knowing how to evaluate a link before clicking is one of the most valuable digital skills you can develop.
The Anatomy of a URL
Before you can evaluate link safety, you need to understand URL structure. Consider this URL:
https://accounts.google.com/signin/v2/challenge/password?service=mail
Breaking it down:
- Protocol: https:// — the "s" means the connection is encrypted. However, scam sites also use HTTPS, so this alone does not prove safety.
- Subdomain: accounts. — a prefix before the main domain.
- Domain: google.com — this is the most important part. It identifies who owns the website.
- Path: /signin/v2/challenge/password — the specific page on the site.
- Parameters: ?service=mail — additional data passed to the page.
The critical skill is identifying the actual domain. The domain is the last two dot-separated parts before the first single slash (the slash that starts the path, not the double slash after the protocol). Scammers exploit this by creating deceptive URLs like:
- google.com.login-verify.com — The actual domain is login-verify.com, not google.com. Everything before it is a subdomain.
- secure-paypal.com — The domain is secure-paypal.com, not paypal.com.
- amazon.co.uk.order-tracking-5841.com — The domain is order-tracking-5841.com.
Quick Visual Checks (30 Seconds)
Before using any tool, train yourself to perform these instant evaluations:
1. Find the Real Domain
Read the URL from right to left. The real domain is immediately before the first path slash. Everything to the left of the domain (separated by dots) is a subdomain and can be anything the domain owner chooses.
2. Check for Homograph Attacks
Scammers use characters that look identical to ASCII letters but are from different alphabets:
- аpple.com — The "а" is Cyrillic, not Latin. This is a completely different domain from apple.com.
- gooɡle.com — The "ɡ" is a Latin small letter script G, not a standard G.
Modern browsers display the raw punycode (e.g., xn--pple-43d.com) for suspicious internationalized domains, but this protection is not universal.
3. Look for Excess Hyphens and Numbers
Legitimate company domains rarely contain hyphens or random numbers. amazon-order-verify-3847.com is not Amazon.
4. Check the TLD (Top-Level Domain)
While many scams use .com, be extra cautious with unusual TLDs like .xyz, .top, .click, .buzz, .info, or country-code TLDs from countries unrelated to the sender (e.g., a "Bank of America" link on a .ru domain).
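The four checks above, and the "find the actual domain" rule from the URL anatomy section, can be automated. The following is an added example, not code from the original page; the function names, the small `MULTI_LABEL_SUFFIXES` sample (standing in for the full Public Suffix List, so that amazon.co.uk is not reduced to co.uk) and the finding strings are assumptions.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Assumption: a small sample of two-label public suffixes. Real tooling
# should load the full Public Suffix List instead of this set.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# TLDs the article lists as deserving extra caution.
CAUTION_TLDS = {"xyz", "top", "click", "buzz", "info"}

def registrable_domain(host):
    """Return the part of the hostname that identifies the site owner."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def quick_checks(url):
    """Run checks 1-4 and return (real_domain, findings)."""
    # Accept bare hostnames such as "secure-paypal.com" as well as full URLs.
    if not re.match(r"[a-z][a-z0-9+.-]*://", url, re.I):
        url = "//" + url
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    name, tld = domain.split(".")[0], domain.rsplit(".", 1)[-1]
    findings = []
    # Check 2: characters from other alphabets, or raw punycode labels.
    for ch in sorted(set(host)):
        if ord(ch) > 127:
            findings.append("non-ASCII character: " + unicodedata.name(ch, "UNKNOWN"))
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in hostname")
    # Check 3: hyphens or digits in the registrable name (punycode aside).
    if not name.startswith("xn--") and re.search(r"[-\d]", name):
        findings.append("hyphen or digit in domain name")
    # Check 4: TLDs flagged for extra caution.
    if tld in CAUTION_TLDS:
        findings.append("caution TLD: ." + tld)
    return domain, findings

if __name__ == "__main__":
    # Sample URLs taken from the article text (\u0430 is the Cyrillic "a").
    for sample in ("google.com.login-verify.com",
                   "amazon.co.uk.order-tracking-5841.com",
                   "amazon-order-verify-3847.com",
                   "https://\u0430pple.com/"):
        print(sample, "->", quick_checks(sample))
```

A finding is a prompt to look closer, not a verdict: plenty of legitimate domains contain a hyphen or use one of the listed TLDs.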
Using Link Checking Tools
IsThisAScam
Paste any suspicious link into IsThisAScam.to. The tool checks the URL against phishing databases, analyzes the domain age and registration details, evaluates the page content, and provides a clear safety verdict. It handles shortened URLs (bit.ly, tinyurl) by resolving them to the final destination.
Google Safe Browsing
Visit Google's Transparency Report and enter the URL. Google's Safe Browsing database is one of the most comprehensive, covering billions of URLs.
VirusTotal
VirusTotal.com scans URLs against 70+ security engines simultaneously. If multiple engines flag a URL, it is almost certainly malicious.
URLVoid
URLVoid.com checks domain reputation across multiple blacklist databases and provides WHOIS information.
How to Safely Preview a Link
On Desktop
Hover your mouse over the link without clicking. Your browser displays the destination URL in the bottom-left corner. Compare this to the displayed text — if they do not match, the link is deceptive.
On Mobile
Long-press (tap and hold) the link. A preview menu appears showing the full URL. On iOS, this works in Safari, Mail, and Messages. On Android, Chrome and most browsers support this.
With URL Shorteners
If a link uses bit.ly, tinyurl, or another shortener, you cannot see the destination by hovering. Use an unshortening service:
- Add a "+" to the end of a bit.ly link (e.g., bit.ly/abc123+) to see the destination without visiting it.
- Use unshorten.me to expand any shortened URL.
- Paste the shortened URL into IsThisAScam, which automatically resolves and evaluates the final destination.
Deceptive Link Techniques to Know
Display Text Mismatch
In HTML emails, the visible text and the actual link can be completely different. An email might display "https://www.paypal.com/account" but the actual link goes to paypal-login.scamsite.com. Always hover or long-press to see the real URL.
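A mail filter or triage script can make the same comparison that hovering does. The following is an added example, not code from the original page: it parses an HTML body and reports anchors whose visible text looks like a URL but whose href points at a different host. The class and function names and the sample email are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

def _host(text):
    """Hostname of a URL or bare host string, without a leading 'www.'."""
    text = text.strip()
    if not re.match(r"[a-z][a-z0-9+.-]*://", text, re.I):
        text = "//" + text
    host = urlsplit(text).hostname or ""
    return host[4:] if host.startswith("www.") else host

class LinkAuditor(HTMLParser):
    """Record <a> tags whose visible text names a different host than href."""
    def __init__(self):
        super().__init__()
        self._href, self._parts, self.mismatches = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._parts = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._parts.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown = "".join(self._parts).strip()
        # Compare only when the visible text itself looks like a URL or hostname.
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", shown, re.I):
            if _host(shown) != _host(self._href):
                self.mismatches.append((shown, _host(self._href)))
        self._href = None

def find_mismatched_links(html):
    """Return (visible_text, actual_host) for every deceptive anchor."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.mismatches

# Constructed sample email body using the hostnames from the paragraph above.
SAMPLE = ('<p>Review your account: '
          '<a href="http://paypal-login.scamsite.com/a">https://www.paypal.com/account</a>'
          ' or <a href="https://www.paypal.com/help">contact support</a>.</p>')
```

Calling `find_mismatched_links(SAMPLE)` reports only the first anchor; the "contact support" link is skipped because its visible text does not claim to be a URL.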
QR Codes
QR codes are essentially invisible links. Before scanning a QR code in public, consider whether the context makes sense. QR codes on parking meters, restaurant tables, or flyers can be covered with malicious sticker overlays. Use your phone's built-in QR scanner, which previews the URL before opening it.
Open Redirects
Some scammers exploit legitimate websites' redirect features. A URL like google.com/url?q=malicious-site.com starts on google.com but redirects to the malicious site. The initial google.com domain provides false trust.
Data URIs and JavaScript
Some phishing links use data URIs (data:text/html,...) or the javascript: protocol to execute code directly rather than navigating to a website. Never click links that start with data: or javascript:.
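Both of the last two techniques, open redirects and data:/javascript: links, can be flagged before a link is ever opened. The following is an added example, not code from the original page; the function name, the verdict strings and the hostname pattern are assumptions, and a redirect parameter is reported whenever a query value names a host other than the link's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

CODE_SCHEMES = {"data", "javascript"}
# A query value that starts with (an optional scheme and) a dotted hostname.
HOSTLIKE = re.compile(
    r"^(?:https?:)?(?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/:?#]|$)", re.I)

def inspect_link(url):
    """Return (verdict, details); verdict is 'code-scheme',
    'redirect-parameter' or 'no-finding'."""
    # Browsers ignore tabs and newlines inside URLs, so drop them first.
    url = re.sub(r"[\t\r\n]", "", url).strip()
    scheme = url.split(":", 1)[0].lower() if ":" in url else ""
    if scheme in CODE_SCHEMES:
        return "code-scheme", [scheme]
    # Accept bare "host/path?query" strings as well as full URLs.
    if "://" not in url.split("?", 1)[0]:
        url = "//" + url
    parts = urlsplit(url)
    own_host = parts.hostname or ""
    targets = []
    # parse_qsl percent-decodes values, so encoded destinations are caught too.
    for key, value in parse_qsl(parts.query):
        match = HOSTLIKE.match(value.strip())
        if match and match.group(1).lower() != own_host:
            targets.append((key, match.group(1).lower()))
    return ("redirect-parameter", targets) if targets else ("no-finding", [])
```

For the article's example, `inspect_link("google.com/url?q=malicious-site.com")` returns the `q` parameter together with the host it points to, which is the domain that should be evaluated instead of google.com.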
Building Safe Browsing Habits
- When in doubt, navigate directly. If an email says there is an issue with your Amazon account, type amazon.com into your browser rather than clicking the email link.
- Bookmark your important sites. Use bookmarks for banking, email, and shopping sites. This eliminates the need to click links in emails.
- Use a password manager. Password managers auto-fill credentials only on the correct domain. If you visit a phishing site that looks like PayPal but is not on paypal.com, your password manager will not offer to fill in your credentials — an automatic red flag.
- Keep your browser updated. Modern browsers include built-in phishing protection that warns you about known malicious sites.
- Enable Safe Browsing. In Chrome: Settings → Privacy and Security → Security → Enhanced Protection. In Firefox: Settings → Privacy & Security → Phishing Protection.