How to Check If a Link Is Safe Before You Click

Clicking an unknown link is one of the most common ways people expose themselves to malware, phishing scams, and data theft. The good news: you don't need to be a cybersecurity expert to check whether a URL is trustworthy. You just need to know what to look for — and which tools do the heavy lifting.

Why Unsafe Links Are So Dangerous 🔗

Malicious links don't always look suspicious. Attackers use URL shorteners, lookalike domains, and legitimate-looking subdomains to disguise dangerous destinations. A link might appear to go to your bank's website but actually route you to a spoofed page designed to steal your login credentials. Others silently trigger drive-by downloads — installing malware the moment the page loads, before you've clicked anything on the site itself.

Understanding how these deceptions work helps you recognize the red flags before any damage is done.

Visual Inspection: What to Check Before Clicking

Before using any tool, a basic visual check catches a surprising number of threats.

Check the full URL, not just the display text. Hyperlinked text can say anything — "Click here to verify your account" — while the actual destination is completely different. Hover over a link (on desktop) to see the real URL in your browser's status bar or tooltip.

Look at the domain name carefully. Attackers register domains that mimic real ones:

  • paypa1.com instead of paypal.com
  • amazon-support-login.com instead of amazon.com
  • secure.bankname.phishingsite.com — where the real domain is phishingsite.com, not bankname

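The actual domain is the end of the hostname, the part that sits immediately before the first single /: the top-level domain (such as .com, or a multi-part suffix such as .co.uk) together with the one label directly to its left. Everything further to the left is a subdomain, which anyone who controls the domain can set up under any name.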
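The same check can be automated. The sketch below is an added example, not code from any tool named in this article: it extracts the registrable domain from a URL and compares it with domains you expect. The function names, the short suffix list, the character-swap table, and the trusted set are all assumptions made for illustration; production code should use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a tiny constructed sample of multi-label suffixes.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Assumption: a few digit-for-letter swaps seen in lookalike names.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
# Constructed set of domains the reader actually expects to visit.
TRUSTED = {"paypal.com", "amazon.com", "bankname.com"}

def host_of(url):
    """Lower-cased hostname, without port, path, or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def registrable_domain(url):
    """Suffix plus the one label to its left, e.g. phishingsite.com."""
    labels = host_of(url).split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def assess(url, trusted=TRUSTED):
    """Classify a URL against the domains the reader expects."""
    domain = registrable_domain(url)
    if domain in trusted:
        return "trusted"
    sub_labels = host_of(url).split(".")
    for good in trusted:
        brand = good.split(".")[0]
        if domain.translate(CONFUSABLES) == good:
            return "lookalike"            # paypa1.com vs paypal.com
        if brand in domain.split(".")[0]:
            return "brand-in-domain"      # amazon-support-login.com
        if brand in sub_labels:
            return "brand-in-subdomain"   # secure.bankname.phishingsite.com
    return "unknown"

if __name__ == "__main__":
    for sample in ("https://paypa1.com/signin",
                   "https://amazon-support-login.com/",
                   "https://secure.bankname.phishingsite.com/login",
                   "https://www.paypal.com/"):
        print(registrable_domain(sample), "->", assess(sample))
```

A result of "unknown" means only that the name does not resemble anything in the trusted set; it says nothing about whether the site is safe.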

Check for HTTPS — but don't rely on it alone. The padlock icon means the connection is encrypted, not that the site is legitimate. Phishing sites routinely use HTTPS. It's a necessary condition, not a sufficient one.

Be extra cautious with shortened URLs. Services like bit.ly or t.co hide the true destination entirely. Always expand them before clicking.

Tools That Check Links for You

Several free tools analyze URLs against threat databases and behavioral signals before you visit them.

URL Scanners and Reputation Checkers

VirusTotal scans a submitted URL against dozens of antivirus engines and security vendors simultaneously, returning a breakdown of which services flag it as malicious, suspicious, or clean. It's one of the most comprehensive free options available.

Google Safe Browsing powers the warning screens you see in Chrome, Firefox, and Safari when you try to visit a flagged site. You can also check a URL directly through Google's Transparency Report page.

URLScan.io goes further by actually visiting the page in a sandboxed environment and capturing a screenshot, the full list of resources loaded, and any detected redirects. This is especially useful for understanding what a suspicious link actually does.

PhishTank is a community-driven database specifically focused on phishing URLs. If you receive a link that looks like it's impersonating a login page, PhishTank is a targeted resource worth checking.

Built-In Browser and OS Protections

Modern browsers include real-time safe browsing checks that compare URLs against regularly updated lists of known malicious sites. These run automatically, but they're only as current as their last update — novel phishing domains may not be in the database yet.

Some email clients automatically scan links in messages and rewrite them through a security proxy, flagging or blocking suspicious destinations before you can click. Microsoft Defender for Office 365 and Google's link protection in Gmail both work this way for qualifying accounts.

URL Expanders for Shortened Links

Before clicking any shortened URL, paste it into a link expander to reveal the destination. Tools like CheckShortURL or Unshorten.It resolve the redirect chain and show you the final destination URL — which you can then evaluate or run through a scanner.

Some shortened URLs redirect through multiple hops before reaching the final page, so seeing the full chain matters. A link that passes through unexpected or unrelated domains mid-chain is a warning sign.
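What a link expander does with a redirect chain, as an added example that is not the code of CheckShortURL, Unshorten.It, or any other tool: it follows one hop at a time, resolves relative Location values, stops on loops or overly long chains, and lists the hosts that appear only mid-chain. The lookup function and the redirect table are assumptions; in real use the lookup would send a request with automatic redirects disabled and return the Location header.

```python
from urllib.parse import urljoin, urlsplit

# Constructed redirect table standing in for HTTP responses:
# URL -> value of the Location header. All hosts are made up.
SAMPLE_REDIRECTS = {
    "https://short.example/a1b2": "https://tracker.example/r?id=7",
    "https://tracker.example/r?id=7": "//cdn.unrelated.example/go",
    "https://cdn.unrelated.example/go": "https://shop.example/login",
}

def expand(url, lookup, max_hops=10):
    """Return every URL in the chain, first to last.

    lookup(url) returns the Location value of a redirect response,
    or None when the URL is the final page.
    """
    chain = [url]
    while len(chain) <= max_hops:
        location = lookup(chain[-1])
        if location is None:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop at " + nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)

def mid_chain_hosts(chain):
    """Hosts seen between the first and last hop that match neither."""
    hosts = [urlsplit(u).hostname for u in chain]
    ends = {hosts[0], hosts[-1]}
    return [h for h in hosts[1:-1] if h not in ends]

if __name__ == "__main__":
    chain = expand("https://short.example/a1b2", SAMPLE_REDIRECTS.get)
    print("\n".join(chain))
    print("mid-chain hosts to review:", mid_chain_hosts(chain))
```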

Factors That Change Your Risk Level

Not everyone faces the same threat landscape, and your actual risk from a given link depends on several variables:

Factor             | Lower Risk                             | Higher Risk
Source of the link | Trusted contact via verified channel   | Unsolicited email, SMS, or DM
Device protections | Updated OS, active security software   | Unpatched system, no endpoint protection
Browser            | Up-to-date with safe browsing enabled  | Outdated version, no protection layer
Network            | Private, trusted connection            | Public Wi-Fi without VPN
Account exposure   | Separate passwords, MFA enabled        | Reused credentials, no 2FA

A sophisticated user on a fully patched system with endpoint protection may be well-covered against many common threats. Someone on an unpatched device using the same password across accounts faces compounding risk from the same link.

When Caution Is Especially Warranted 🛡️

Certain scenarios should trigger extra scrutiny regardless of how legitimate a link looks:

  • Urgency or fear-based messaging — "Your account will be closed," "Verify immediately"
  • Unexpected requests — Password resets, package delivery notifications, or invoice links you didn't initiate
  • Links in SMS or messaging apps — These bypass many of the protections built into email clients
  • Links shared in comments sections or forums — Minimal vetting, easy to post anonymously

The combination of a plausible-looking URL and a high-pressure message is a common pattern in targeted phishing.

The Layer That No Tool Covers Completely

No scanner catches everything. Zero-day phishing pages — newly registered domains used in targeted campaigns — often aren't in threat databases yet. Behavioral sandboxes help, but a page can behave differently for a known scanner IP than it does for a real visitor.

That's why checking a link well means combining tools with judgment: visual inspection, a reputation scan, an understanding of context, and awareness of your own setup's current state of protection. How much of each layer you need depends on where the link came from, what it's asking you to do, and how exposed your accounts and devices currently are.