Before You Click: How to Check If a Link Is Safe
- Sydney Clarke
- May 26
Key Takeaways
AI-Crafted Attacks: Cybercriminals now use AI to write polished, professional emails that are nearly indistinguishable from legitimate correspondence.
HTTPS ≠ Safe: HTTPS (Hypertext Transfer Protocol Secure) only means the connection is encrypted, not that the site is trustworthy.
Visual Deception: Watch for “Homograph Attacks” and “Typosquatting”, techniques that use near-identical characters or misspellings to trick the eye.
Mobile Risk: Use the “Long-Press” technique to preview links on mobile, as smaller screens make it easier for attackers to hide malicious destinations.
Shortened Links: Use URL expander services for shortened links to reveal the real destination before you arrive.
Nearly 39,000 phishing emails are sent every second, so knowing how to check if a link is safe before clicking it is no longer optional; it’s an essential habit for anyone who uses email, messaging apps, or the web. Clicking just one wrong URL can turn a normal weekday into a months-long recovery effort.
It only takes a second for an attacker to steal login credentials or deploy malware that can spread across an entire network. Many organisations are aware of the risk, yet they lack the layered tools and policies needed to stay protected.
This guide walks through exactly how to tell if a link is safe, whether you’re on a desktop, a phone, or reviewing a link sent to a colleague.
Why Dangerous Links Are Harder to Spot Than Ever
The days of poorly worded emails are largely over. Attackers have replaced clumsy phishing scripts with AI-written, professionally formatted messages that are difficult to distinguish from legitimate correspondence. Spotting a trap is no longer as simple as scanning for typos.
Here is why it’s getting so much harder to know if a link is safe:
AI-Written Phishing Emails Are Now Nearly Undetectable
Attackers are now using Large Language Models (LLMs) to ghostwrite emails that are polished, professional, and eerily personalised. Without the broken English and odd formatting of the past, these AI phishing messages are easy to trust.
URL Shorteners Hide the Real Destination
Services like Bitly or TinyURL are convenient, but they act as a digital mask. These tools hide the actual destination URL entirely, meaning you’re clicking blindly. You won’t know whether you’re headed to a legitimate resource or a trap until the page has already loaded.
This lack of transparency makes it incredibly easy for bad actors to disguise phishing sites or malware downloads behind a professional-looking alias. Consequently, the brief convenience of a shorter link often comes at the high cost of bypassing your own visual security checks.
Why HTTPS Doesn’t Mean a Link Is Safe
There is a widespread and dangerous myth that the padlock icon equals safety. In reality, that lock only means the connection between your browser and the server is encrypted; it says nothing about whether the site is honest. According to the Anti-Phishing Working Group, in 2023, more than 90% of phishing websites displayed a padlock.
Homograph Attacks and Domain Cloning
In a Homograph Attack, threat actors use visually identical characters from different alphabets to clone domains. A Latin “o” and a Cyrillic “о” appear the same to the naked eye, but two domains that differ only in that character resolve to entirely different websites. Beyond character substitution, attackers also clone the full visual design of legitimate pages, replicating logos, layouts, and copy, so that even a correct-looking URL can mask a fraudulent destination.
5 Quick Ways to Check If a Link Is Safe
If you are wondering how to check if a link is safe, these five checks can be completed in under 60 seconds.
The Hover Technique (Desktop)
Before clicking any link on a desktop, hover the mouse cursor over it. A small preview of the actual destination URL will appear in the bottom-left corner of the browser window. If the visible anchor text says “Your Bank” but the hover preview shows a string of random numbers or an unrelated domain, do not click.
Use a Phishing Link Checker Tool
Rather than guessing, you can use a phishing link checker, a security tool that inspects the “true” destination of a URL before you visit it. By scanning for hidden redirects and comparing the link against global blacklists, it identifies potential threats like credential theft or malware that aren’t visible to the naked eye.
To stay safe, simply right-click and copy the suspicious link address, then paste it into a phishing link checker. This allows the tool to analyse the destination for malicious patterns, providing a vital layer of verification before you ever risk opening the page.
Leverage Google Safe Browsing and VirusTotal
Google maintains a constantly updated database of unsafe web resources. You can verify any URL using the Google Safe Browsing Transparency Report. This platform is great for protecting users from malware, phishing attempts, and unwanted software that could compromise personal data. By cross-referencing sites against this list, you can navigate the internet with an extra layer of security and confidence. Regularly checking suspicious links helps ensure that your digital life remains secure in an increasingly complex online landscape.
Inspect for Typosquatting
Check the domain carefully for subtle misspellings, extra hyphens, or transposed letters. This is a common tactic known as typosquatting, where attackers register names like ‘paypa1.com’ instead of ‘paypal.com’ to deceive hurried or inattentive users.
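The homograph and typosquatting checks described above can be automated for a list of domains you care about. This is an added example, not code from the original article; the domain list and the small look-alike map are assumptions chosen for illustration.

```python
import unicodedata

# Constructed list of domains to protect (assumption for this example).
KNOWN_DOMAINS = ["paypal.com", "google.com"]
# Small illustrative look-alike map (digits and Cyrillic letters); not exhaustive.
CONFUSABLES = {"1": "l", "0": "o", "\u043e": "o", "\u0430": "a",
               "\u0435": "e", "\u0440": "p"}

def scripts(host):
    """Scripts of the letters in host, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in host if ch.isalpha()}

def skeleton(host):
    """Fold look-alike characters onto the letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(hostname):
    """Return (verdict, imitated_domain) for a hostname."""
    host = hostname.lower().rstrip(".")
    if host.isascii() and "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")  # punycode -> Unicode form
        except UnicodeError:
            pass  # malformed punycode: keep the ASCII form
    if host in KNOWN_DOMAINS:
        return ("exact", host)
    for known in KNOWN_DOMAINS:
        if skeleton(host) == known:
            # Non-Latin letters mean a homograph; ASCII swaps are typosquats.
            kind = "homograph" if scripts(host) - {"LATIN"} else "typosquat"
            return (kind, known)
        if edit_distance(host, known) <= 1:
            return ("typosquat", known)
    return ("unknown", None)
```

The punycode branch matters because browsers and mail gateways often show internationalised domains in their `xn--` form, which hides the look-alike character from a plain string comparison.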
Verify the Link Text Matches the Destination
Check whether the visible anchor text and the actual destination URL point to the same domain. If a link reads “Secure Login” but the underlying href resolves to an unrelated or unfamiliar domain, treat it as a red flag. This mismatch between link text and destination is one of the most reliable signals of a phishing attempt.
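A mail filter or triage script can run the same text-versus-destination comparison over an HTML message body. This is an added example, not code from the original article; the `expected_domain` parameter (the domain the sender claims to be) and the sample message are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
class AnchorCollector(HTMLParser):
    """Collect (visible_text, href) pairs from an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def under(host, domain):
    return host == domain or host.endswith("." + domain)

def audit_links(html, expected_domain=None):
    """Return (text, href_host, reason) for links failing the text/href check."""
    collector = AnchorCollector()
    collector.feed(html)
    flagged = []
    for text, href in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        shown = DOMAIN_RE.search(text)
        name = shown.group(1).lower() if shown else None
        if not host:
            continue  # relative or mailto: href, nothing to compare
        if name and not (under(host, name) or under(name, host)):
            flagged.append((text, host, "text shows a different domain"))
        elif expected_domain and not under(host, expected_domain):
            flagged.append((text, host, "href leaves the expected domain"))
    return flagged
# Constructed message body using reserved example domains.
SAMPLE = (
    '<a href="https://yourbank.example/login">Secure Login</a>'
    '<a href="https://account-check.example.net/login">www.yourbank.example</a>'
    '<a href="https://account-check.example.net/reset">Secure Login</a>'
)
```

Calling `audit_links(SAMPLE, "yourbank.example")` flags the second and third links. Legitimate mail that routes clicks through a tracking domain will also trip the second rule, so treat it as a signal to review rather than a verdict.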
Red Flags in a URL You Should Never Ignore
When you check if a link is safe, scan for the following warning signs:
Non-Brand Domains: If a “Microsoft” alert directs you to log in at an unrecognised domain, it is a scam. Legitimate companies host authentication portals on their primary domain.
IP Addresses Instead of Domain Names: A URL structured as a string of four numbers (e.g. http://192.168.1.1/login) instead of a recognisable brand name is highly suspicious. Reputable businesses use registered Domain Name System (DNS) names.
Excessive Subdomains: Attackers bury the real destination domain under layers of subdomains (e.g. login.verify.update.yourbank.com) to make the URL look official while hiding the actual owner.
Urgent or Fear-Based Language in the URL: Strings like “urgent”, “suspended”, “unauthorized-access”, or “action-required” embedded in the URL are designed to provoke a panic click.
Mismatched Link Text vs. Actual Href: If the visible text of a hyperlink and its underlying destination URL point to different domains, do not click. This is one of the clearest signs of a deliberate phishing attempt.
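The first four red flags in this list can be checked mechanically on the URL string alone. This is an added example, not code from the original article; the label threshold, the flag names and the sample URLs are assumptions, and the brand domains are supplied by the caller.

```python
import ipaddress
from urllib.parse import urlsplit

# Strings quoted in the list above; extend for your own environment.
URGENCY = ("urgent", "suspended", "unauthorized-access", "action-required")
MAX_LABELS = 4  # assumed threshold for "excessive" host labels

def under(host, domain):
    return host == domain or host.endswith("." + domain)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def url_red_flags(url, brand_domains=()):
    """Return the red flags from the list above that apply to url."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if is_ip_literal(host):
        flags.append("ip-address-host")
    else:
        if len(host.split(".")) > MAX_LABELS:
            flags.append("excessive-subdomains")
        if brand_domains and not any(under(host, d) for d in brand_domains):
            flags.append("non-brand-domain")
        # The owner is named by the rightmost labels; a brand on the left is decoration.
        if any(host.startswith(d + ".") or f".{d}." in host for d in brand_domains):
            flags.append("brand-in-subdomain")
    haystack = (host + parts.path + "?" + parts.query).lower()
    if any(word in haystack for word in URGENCY):
        flags.append("urgency-keyword")
    return flags

# Constructed URLs (reserved example domains, plus the IP example from the list).
SAMPLES = [
    "http://192.168.1.1/login",
    "https://yourbank.example.login.verify.example.net/action-required",
    "https://login.yourbank.example/statements",
]
```

With `brand_domains=["yourbank.example"]`, the second sample raises four flags while the third, a genuine subdomain of the brand, raises none.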
How to Check a Link on Mobile
Mobile devices have become a prime target for Short Message Service (SMS) phishing, commonly known as smishing. Smaller screens and the habit of quick-tapping make it significantly easier for attackers to hide malicious link destinations. Since hovering is not possible on a touchscreen, here are the recommended steps:
Step 1. Master the Long-Press
Instead of tapping a link immediately, press and hold it. On most smartphones, this triggers a preview window that reveals the full destination URL before you commit to opening it. Make this a default habit for any link that arrives unexpectedly.
Step 2. Never Tap Shortened Links Without Previewing
Text messages are common delivery vehicles for shortened links (bit.ly, t.co, and similar). Before tapping, copy the link and run it through a URL expander service to reveal the real destination. If the expanded URL looks unfamiliar or unrelated to the claimed source, do not proceed.
Step 3. Use Mobile Security Apps
Install a reputable mobile security browser or a trusted security extension. These tools provide real-time URL filtering that blocks malicious sites before they can load on your screen.
Step 4. Stay Alert in Messaging Apps
Apps like WhatsApp, iMessage, and Telegram are high-traffic channels for scammers. Because hovering is not possible in these environments, pausing is the best defence. If a link arrives from an unknown number, or if a contact sends something that feels out of character, verify before tapping.
What to Do If You Already Clicked a Suspicious Link
If you realise you have clicked a dangerous link, every second counts.
Step 1. Enter Nothing
If the page presents a login form, do not enter any credentials. If you already did, change that password immediately on a separate, clean device.
Step 2. Go Offline
Disconnect the device from Wi-Fi and cellular data immediately. This can prevent malware from communicating with an attacker’s server or exfiltrating data from the device.
Step 3. Run a Deep Scan
Use a reputable antivirus or anti-malware tool to scan the entire system. Many modern phishing links carry drive-by downloads that install malware the moment the page loads.
Step 4. Change Passwords for Affected Accounts
Even if you did not enter credentials on the landing page, assume that any accounts accessible from that device may be at risk. Change passwords for email, banking, and any other sensitive accounts as a precaution.
Step 5. Report the Incident
If the incident occurred on a work device, notify the IT or security team immediately after going offline. They can block the link at the firewall level to protect colleagues. For more guidance on the immediate response, see what to do after clicking a phishing link.
How to Protect Your Organisation From Phishing Links
Even the most security-aware employee can have an off day. With how sophisticated these attacks have become, organisations need a layered defence strategy that operates continuously.
Deploy DMARC at Enforcement
The most effective way to stop phishing emails is to prevent spoofed messages from ever reaching an inbox. Implementing Domain-based Message Authentication, Reporting & Conformance (DMARC) at enforcement, specifically a p=reject policy, ensures that any email falsely claiming to come from your domain is automatically blocked before delivery.
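To see whether a published record actually reaches the p=reject enforcement described above, the TXT record can be parsed and graded. This is an added example, not code from the original article or from any vendor tool; the records are constructed, and fetching the TXT record at `_dmarc.<domain>` is left to your DNS tooling.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into {tag: value}; None if it is not DMARC."""
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):
        return None  # the version tag must come first
    return dict(tags)


def dmarc_posture(record):
    """Return (status, findings) for a DMARC record string."""
    tags = parse_dmarc(record)
    if tags is None or tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return ("invalid", ["no usable DMARC policy"])
    policy = tags["p"].lower()
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    findings = []
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected")
    # sp defaults to p, so only an explicit weaker value is a separate finding.
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append(f"sp={tags['sp']}: subdomains are not covered by reject")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail")
    return ("enforced" if not findings else "not-enforced", findings)


# Constructed records for illustration (example.com is a reserved domain).
RECORDS = {
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial": "v=DMARC1; p=reject; sp=none; pct=50",
    "not_dmarc": "v=spf1 -all",
}
```

A record can say p=reject and still leave gaps: an explicit `sp=none` exempts subdomains and `pct=50` applies the policy to only half of failing mail, which is why the "partial" record is graded as not enforced.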
Move Beyond One-Off Training
Static, once-a-year security awareness videos rarely produce lasting behaviour change. Ongoing training that covers modern threats, including AI phishing techniques and social engineering tactics, is far more effective at reducing click rates across the organisation.
Run Phishing Simulations
The most reliable way to identify vulnerabilities is to run controlled phishing simulations. Sending safe, “friendly” test links reveals who is clicking without any real-world consequences. The goal is not to catch people out, but to identify who needs additional support before a real attacker does.
Automate URL Filtering
Provide the team with automated URL filtering tools. Domain Name System (DNS)-level filtering and secure web gateways automatically block access to known malicious domains across the entire network, reducing reliance on individual judgment.
Summing Up: How to Know If a Link Is Safe
The most effective safeguard is simple: pause before clicking. On a desktop, hover over any suspicious link to preview the destination. On mobile, long-press to reveal the full URL. When in doubt, run the link through a dedicated phishing link checker before proceeding.
Those extra five seconds are considerably less costly than the disruption of a security breach. For any individual or organisation, building “verify before clicking” into default behaviour is one of the highest-return security habits available.
But also remember that individual links are just the tip of the iceberg. True protection starts with a robust domain. Don’t wait for a suspicious email to arrive; take control of your digital perimeter today.
Use PowerDMARC’s free domain health scanner to instantly analyse your DMARC, SPF, and DKIM records. Uncover hidden vulnerabilities and ensure your organisation’s domain is shielded against impersonation and phishing attacks before they ever reach an inbox.
Frequently Asked Questions
How do I check if a link is safe without clicking it?
On a desktop, hover the mouse cursor over the link and check the destination URL in the bottom-left corner of the browser. On mobile, long-press the link to see a preview. For a more thorough scan, copy the URL and paste it into a dedicated phishing link checker.
Does HTTPS mean a link is safe?
No. The HTTPS (Hypertext Transfer Protocol Secure) padlock confirms only that the connection between your browser and the server is encrypted. It does not verify the identity or intent of the site’s owner. The majority of phishing sites now use HTTPS precisely because many users trust the padlock symbol.
What is a phishing link checker?
A phishing link checker is a security tool that analyses a URL’s reputation in real time. It cross-references the link against databases of known malicious sites, checks for suspicious redirects, and flags patterns associated with phishing campaigns.
Can I check a link on my phone before tapping it?
Yes. Press and hold the link (long-press) on most smartphones to trigger a preview window showing the full destination URL. If the URL looks unfamiliar or unrelated to the source, do not proceed.
What is typosquatting and how do I recognise it?
Typosquatting is the practice of registering domain names that closely resemble trusted brands, relying on minor misspellings or character substitutions to deceive users (for example, “goog1e.com” instead of “google.com”). Always read the full domain name carefully before clicking, and pay particular attention to numbers substituted for letters and extra or missing hyphens.
What should I do if I receive a suspicious link at work?
Do not click the link. Forward the original message to your IT or security team and, if your organisation uses a security awareness platform, report it through the designated reporting button. If you accidentally clicked before realising, follow the post-click steps above and notify your team immediately.