How to Check if a Link is Safe – The 2025 Guide

September 28, 2025 by ScamCheck
how to tell if a link is safecheck link safetyis this link safelink scannerurl safety checkerphishingphishing signsscam linkstyposquattinghomoglyphsunshorten linkverify urlhttpswhoisgoogle safe browsingvirustotalemail securitysmishingmalwaredrive-by downloadbrowser securityonline safetysafe browsingcybersecurity basicsscamcheck

image-1759062721952-364670404

Why Some Links Are Risky

Links are the front door to phishing sites (fake pages that try to steal logins or payment details) and to malware. A single click can:

  • Harvest credentials: Look-alike login pages capture usernames and passwords.
  • Trigger malware/drive-by downloads: Out-of-date browsers or plugins can be exploited.
  • Start fraud flows: Think fake “account recovery,” “package delivery,” or “payment due” pages.

Good news: with a few simple checks, you can catch most of this before you ever click.

Step-by-Step Manual Checks (Beginner-Friendly)

1) Hover (Desktop) or Long-Press (Mobile) to Preview the URL

Move your mouse over the link and look at the status bar or tooltip; on phones, tap-and-hold to preview/copy the URL. If the visible link text says one thing (“Your Bank”) but the preview shows something unrelated (an IP address, a misspelled brand, or a random domain), don’t click. This one habit stops a huge chunk of scams.

Pro tip: In email apps and chat tools, you can often right-click or tap “Copy link” and paste it somewhere safe (like Notes) to inspect it in full.

2) Spot Domain Tricks: Typos, Look-Alikes, and Subdomains

Scam domains often rely on small visual tricks:

  • Typosquatting: yah00.com, rnicrosoft.com (rn ≠ m), micros0ft.com (zero instead of “o”).
  • Extra words: amazon-update-confirmation.net, secure-mybank-login.com.
  • Subdomain confusion: info.examplemail.com is not example.com. The true domain is the part right before the TLD: in store.example.com, example.com is the domain; store is just a subdomain.

Rule of thumb: The brand you trust should sit directly before .com (or its country TLD). If the brand appears earlier in the string (or not at all), pause.

image-1759062224695-921527638 Figure: Visual breakdown of the parts of a URL (protocol, subdomain, domain, TLD, path, query). Referencing the diagram helps you check each part. Typos or odd subdomains in any segment can be a clue.

3) Expand Shortened Links (bit.ly, t.co, tinyurl)

Shorteners hide the destination. Safely expand them first:

  • Many shorteners support a preview trick (e.g., add a + to some bit.ly links).
  • Use a reputable unshorten service (search “unshorten URL”).
  • Once expanded, re-apply all the checks here to the full address.

4) Google the Domain + “Scam” / “Review” / “Phishing”

Search engines are great “crowd radar.” Copy the main domain (e.g., take test.com from login.test.com/page) and search:

  • test.com review
  • test.com scam
  • test.com phishing

If you see reports on security forums, Reddit, or news outlets warning about that domain, treat the link as unsafe. If the brand is real, you’ll usually find an established website and consistent profiles on social platforms.

5) Domain Age, WHOIS, and HTTPS (with Caution)

  • WHOIS/domain age: Newly registered domains are common in scams. A very young domain (days/weeks old) is a red flag, especially for a “big brand.”
  • Privacy-masked WHOIS: Not inherently bad, but adds uncertainty. Combine with other signals.
  • HTTPS ≠ Trust seal: HTTPS (padlock icon) means encryption, not legitimacy. Scammers use free certificates, too. Always confirm the domain name itself, not just the padlock.

Quick check: Click the padlock to see certificate info and confirm it matches the brand and domain you expect.

6) Evaluate On-Page Trust Signals (If You Land There)

If you’ve already opened the page (ideally in a safe/sandboxed way):

  • Contact & company info: Look for a real address, phone, and company details.
  • Policies: Legit sites have privacy/terms/refund policies.
  • Writing quality: Lots of typos, machine-translated text, or generic greetings are common on scam pages.
  • Urgent tone: “Act now,” countdown clocks, threats of account closure, gift card or crypto demands—all classic pressure tactics.
  • Inconsistent brand: Old logos, mismatched color schemes, or low-res graphics are clues.

One red flag might be harmless; many together are a strong “leave now.”

7) Sanity-Check with Multi-Engine Scanners

Paste suspicious URLs into multi-engine tools for a quick second opinion:

  • Google Safe Browsing (Transparency Report): Check whether Google flags the site.
  • VirusTotal: Aggregates many security engines; multiple hits indicate real danger.
  • URL analysis sandboxes: Services that “visit” the page in isolation and show you what loads there.

These tools aren’t perfect (new threats may not be listed yet), but they’re extremely helpful—especially when they do raise alerts.

8) Basic Device Hygiene (It Matters!)

  • Update OS & browsers: Patches close the holes attackers try to use.
  • Use reputable blockers: Ad/tracker blocking and anti-phishing extensions can stop many malicious scripts and pop-ups.
  • Enable MFA: If a password leaks, MFA often blocks account takeovers.
  • Backups: Ransomware and account lockouts sting less when you can restore quickly.

Red-Flag Reference

  • Misspelled or altered URL (micros0ft.com, extra words)

    • Why it’s risky: Look-alikes lead to fake login pages or malware.
    • What to do next: Re-type the official domain manually or navigate via a saved bookmark.

  • Suspicious subdomain (secure-login.mybank.com vs mybank.com)

    • Why it’s risky: Attackers mimic structure; the true domain may be elsewhere.
    • What to do next: Identify the core domain (the part right before the TLD). If it’s not the brand, leave.

  • Shortened link

    • Why it’s risky: Hides the destination; easy to redirect to a bad site.
    • What to do next: Unshorten first; then apply all checks to the expanded address.

  • No HTTPS (or only a lock icon as “proof”)

    • Why it’s risky: No encryption, or a lock icon misused as a trust badge.
    • What to do next: Look for https:// and verify the domain/cert details; when in doubt, don’t proceed.

  • Urgent, threatening language

    • Why it’s risky: Pressure leads to mistakes; phishers push you to act fast.
    • What to do next: Stop, breathe, and verify directly via the official site/app—never the provided link.

  • Poor grammar/odd formatting

    • Why it’s risky: Many scams reuse sloppy templates or machine translations.
    • What to do next: Close the page; find the official site via search or a known bookmark.

  • Unusual sender/source

    • Why it’s risky: Bank notices from free email accounts = giant red flag.
    • What to do next: Contact the organization using a phone number or URL you already trust.

Safe Ways to Test a Suspicious Link

  • Use a sandbox: A secondary device, a virtual machine, or a browser profile with no saved logins.
  • Never log in: Don’t enter passwords, recovery codes, or payment info on unknown sites.
  • One-time throwaway: If you must, use a separate email/identity that’s not tied to anything valuable.
  • Screenshots help: Capture the page (no personal info) if you plan to report it to IT or authorities.

When to Flat-Out Avoid Clicking

Skip links that prompt you to:

  • “Confirm your bank details” or “reset your password” unsolicited.
  • Pay urgent fines, taxes, or fees via gift cards or crypto.
  • Approve MFA codes you didn’t request.
  • Claim surprise prizes/refunds you weren’t expecting.

When unsure, navigate to the official site by typing it in or using your saved bookmark—do not use the link in the message.

Fastest Path (Free): Scan with ScamCheck
Paste the link or message into ScamCheck for a quick, plain-English result. You’ll see a risk score and category, a simple explanation, and highlighted red flags. It combines multiple checks into one step and can also capture a safe screenshot/analysis view.
Pricing: Free with unlimited scans (score, category, explanation, analysis, screenshots) + 2 Safe Open launches per day.
Nice to know: A browser extension is coming soon to make hover-verdicts and Safe Open even faster.
Try it: ScamCheck

Examples (Fabricated but Realistic)

  • http://secure-mybank-login.com/verifySuspicious: extra words + HTTP only.
  • https://info.examplemail.com/account-securityTricky subdomain: not the brand’s main domain.
  • https://www.amazon-update-confirmation.netSpoof domain: real brand word + unrelated TLD.

Use these to practice: identify the true domain, spot odd wording, and decide if you’d proceed.

FAQs

Is a padlock (HTTPS) proof a link is safe?
No. HTTPS encrypts the connection but doesn’t verify the intent of the site. Phishing pages can use HTTPS. Always confirm the domain and content, not just the padlock.

Can I tell if a URL is safe just by looking?
Sometimes—typos, odd subdomains, and strange paths stand out. But visual checks miss things. Use the steps here plus scanners when in doubt.

What if I already clicked?
Disconnect from the internet if the page starts doing anything suspicious. Run a full antivirus scan, change important passwords, and enable MFA. Monitor your accounts and consider reporting the incident (see below).

Are link scanners 100% reliable?
No tool is perfect—new scams may not be listed yet. But multiple warnings from reputable engines are a strong stop sign.

How do I unshorten on mobile?
Long-press to preview/copy the link, then paste into a note or a trusted unshorten tool to see the destination before visiting.

Should I use WHOIS/domain age checks?
Yes—as part of a bundle of checks. A very new domain or anonymous registration increases risk but isn’t proof by itself.

How can I help others stay safe?
Teach the hover/long-press habit, share this checklist, and report phish. The more people who know, the fewer who get caught.

Glossary (Quick Definitions)

  • URL: A web address (e.g., https://example.com/path?x=1).
  • Domain/Subdomain: example.com is the domain; shop.example.com is a subdomain.
  • TLD: The ending like .com, .org, .ca.
  • HTTPS: Encrypted connection (https://). Great for privacy; not a proof of legitimacy.
  • SSL/TLS certificate: The “padlock” mechanism. Confirms encryption and the claimed domain.
  • Phishing: Impersonation to trick you into sharing credentials or paying money.
  • Malware: Malicious software (viruses, trojans, spyware).
  • Drive-by download: Malware that installs just by visiting a booby-trapped page on an unpatched system.
  • Typosquatting: Registering look-alike domains (e.g., gooogle.com).
  • WHOIS: Public record with domain registration details (owner/creation date).
  • Safe Browsing (Google): A list of known dangerous sites used by Chrome and others.
  • VirusTotal: Multi-scanner that checks links/files across many engines.
  • MFA: Extra login step (code/app key) that blocks most account takeovers.

Next Steps & Reporting

  • Build the habit: Hover/long-press and sanity-check every unfamiliar link.
  • Use tools: Run questionable URLs through a scanner or ScamCheck.
  • Report phishing: Forward suspicious emails to your provider’s abuse address or report to consumer protection agencies (e.g., the FTC in the U.S.).
  • Help others: Share these steps with friends/family; awareness prevents harm.

Also Check Out

External References (Authoritative)

Compliance note: Never share real credentials in screenshots or with “verification” forms. If you suspect phishing, report it to your email provider/IT and local consumer protection authority.