How to Check If a Link Is Safe
How to check if a link is safe before clicking: why links can be dangerous, how to inspect URLs, online scanners (Google Safe Browsing, VirusTotal), browser protections, and red flags to watch for.
You get a link in an email, a text message, a social media post, or a group chat. It could be a shared article, a login page, a file download, or a payment link. Before you click, you want to know: is this safe?
The answer is not always obvious. Malicious links are designed to look legitimate. Attackers register domains that resemble real companies, use URL shorteners to hide destinations, and exploit trust in familiar platforms. This guide covers why links can be dangerous, how to evaluate a link before clicking, which tools can scan a URL for you, and what browser-level protections exist.
For website owners concerned about their own site being flagged as unsafe, see the guides on how to check website safety and on website security monitoring.
Why Links Can Be Dangerous
A link is just a pointer to a web address. Clicking it tells your browser to connect to a server and load whatever is there. The danger comes from what is waiting at the destination.
Phishing Pages
The most common threat. A phishing link takes you to a page designed to look like a login screen for a service you use: your bank, email provider, cloud storage, social media account. The page looks real, but it is controlled by an attacker. When you enter your credentials, they are captured and used to access your actual account.
Phishing pages have become sophisticated. They replicate the real site's design, use similar domain names (like paypa1.com instead of paypal.com), and even include working links to the real site's terms of service and help pages. The URL is often the only giveaway.
Malware Downloads
Some links trigger automatic file downloads. The downloaded file might be a trojan, ransomware, a keylogger, or other malware. On some browsers and operating systems, the download might start automatically. On others, you will be prompted to open or save the file. The danger is greatest if you open the downloaded file without realizing what it is.
Drive-By Exploits
A link can take you to a page that exploits a vulnerability in your browser or one of its plugins. If your browser is not up to date, simply visiting the page can be enough to install malware without any action on your part beyond the initial click. Modern browsers have significantly reduced this attack surface, but it still exists, especially on older or unpatched systems.
Tracking and Data Collection
Some links pass through tracking redirects that collect information about you: your IP address, device type, operating system, browser, and the fact that you clicked the link. This is common in marketing emails (and is usually harmless), but it is also used for targeted advertising, profiling, and surveillance.
Open Redirects
An open redirect is a vulnerability on a trusted website that allows an attacker to craft a URL on the trusted domain that redirects to a malicious destination. The link starts with a URL you trust (like google.com/redirect?url=evil.com), which makes it more likely you will click it and less likely that email filters will block it.
How to Inspect a Link Before Clicking
Read the URL Carefully
The most effective check takes five seconds: look at the URL before you click.
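Check the domain. The hostname is the part between :// and the next /, and the domain that actually controls the page is the rightmost part of that hostname: the name immediately before the ending (such as .com or .co.uk), plus the ending itself. Everything else (subdomains, paths, query parameters) can be manipulated. For https://login.bankofamerica.com.evil-site.xyz/auth, the actual domain is evil-site.xyz, not bankofamerica.com. The attacker is using bankofamerica.com as a subdomain of their own domain.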
Look for character substitution. Attackers use characters that look similar: rn instead of m, 1 instead of l, 0 instead of o. rnicrosoft.com looks a lot like microsoft.com at a glance. International domain names can use Cyrillic characters that are visually identical to Latin letters.
Check for extra words or hyphens. Domains like paypal-secure-login.com or amazon-order-confirmation.com are almost certainly phishing. Legitimate companies use their primary domain for login pages.
Hover before clicking. In most email clients and browsers, hovering over a link shows the actual URL in the bottom-left corner of the window. The visible text of a link can say anything. What matters is where it actually points.
Check HTTPS
While HTTPS alone does not guarantee a site is safe (attackers can get free SSL certificates too), a link that uses HTTP instead of HTTPS is a warning sign for any page that asks for login credentials or personal information. Legitimate login pages always use HTTPS.
Be Skeptical of Shortened URLs
URL shorteners like bit.ly, t.co, and tinyurl.com hide the actual destination. You cannot tell where the link goes by looking at it. Before clicking a shortened URL:
- Add a + to the end of Bitly links to see a preview page
- Use a link scanner (see below) to check the destination
- Consider whether the context makes sense (a friend sharing a video link is different from a stranger in a group chat sharing a shortened URL)
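The URL checks from this section, together with the open-redirect pattern described earlier, can be automated without ever fetching the link. The following is an added example, not code from the original guide: the function names, flag names, and the small brand, shortener, and suffix lists are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample data; real tools use the Public Suffix List and curated lists.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
BRANDS = {"paypal", "amazon", "microsoft", "bankofamerica"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
LOOKALIKES = (("rn", "m"), ("1", "l"), ("0", "o"))


def registrable_domain(host):
    """Approximate the registrable domain: public suffix plus one label to its left."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def embedded_host(value):
    """Hostname carried inside a query-parameter value, or None if there is none."""
    try:
        host = urlsplit(value if "//" in value else "//" + value).hostname
    except ValueError:
        return None
    return host if host and "." in host else None


def inspect_link(url):
    """Return (registrable_domain, flags) for a URL string without fetching it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    domain = registrable_domain(host)
    name = domain.split(".")[0]
    subdomains = host[: len(host) - len(domain)]
    skeleton = name  # undo the character substitutions named in the text
    for fake, real in LOOKALIKES:
        skeleton = skeleton.replace(fake, real)
    checks = {
        "not-https": parts.scheme != "https",
        "shortener-hides-destination": domain in SHORTENERS,
        "internationalized-hostname": not host.isascii() or "xn--" in host,
        "brand-in-subdomain": any(b in subdomains for b in BRANDS),
        "brand-with-extra-words": any(b in name and b != name for b in BRANDS),
        "lookalike-of-" + skeleton: skeleton in BRANDS and name not in BRANDS,
    }
    flags = [flag for flag, hit in checks.items() if hit]
    for _, value in parse_qsl(parts.query):
        target = embedded_host(value)
        if target and registrable_domain(target) != domain:
            flags.append("redirect-parameter-to-" + registrable_domain(target))
    return domain, flags
```

An empty flag list only means none of these heuristics matched; a flagged link is a candidate for the scanners described in the next section.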
Online Link Scanners
When visual inspection is not enough, these tools check URLs against threat databases and analyze the destination for malicious content.
Google Safe Browsing
Google maintains one of the largest databases of unsafe websites. You can check any URL directly:
Visit https://transparencyreport.google.com/safe-browsing/search and enter the URL. Google will tell you whether the site has been flagged for hosting malware, phishing, or unwanted software.
Google Safe Browsing data also powers the built-in protection in Chrome, Firefox, and Safari. If a site is flagged in this database, those browsers will warn you before you visit it.
VirusTotal
VirusTotal scans URLs against over 70 security vendor databases simultaneously. Enter a URL and VirusTotal checks it against engines from Google, Kaspersky, Bitdefender, McAfee, Sophos, and dozens more. The result shows how many engines flagged the URL and what they flagged it for.
VirusTotal also shows:
- The final destination URL (following all redirects)
- The HTTP response headers
- Screenshots of the page
- Files served by the page
- Related domains and IP addresses
This is the most comprehensive free URL scanner available. If VirusTotal shows zero detections across all engines, the URL is almost certainly safe. If multiple engines flag it, stay away.
URLScan.io
URLScan.io takes a live screenshot of the page, shows the full HTTP transaction (including redirects, scripts, and network requests), and reports on the technologies used. It is more technically oriented than VirusTotal but provides useful visual confirmation: you can see what the page looks like without actually visiting it.
Norton Safe Web
Norton's URL checker evaluates links for malware, phishing, and other threats. It provides a simple safe/warning/dangerous rating. Available at safeweb.norton.com.
Browser-Level Protections
Modern browsers have built-in protections that warn you about dangerous links after you click them but before you interact with the destination.
Google Chrome
Chrome uses Google Safe Browsing to check URLs in real time. When you navigate to a flagged site, Chrome shows a red warning page that says "Deceptive site ahead" or "The site ahead contains malware." You can enable Enhanced Safe Browsing in Chrome settings for real-time URL checking and additional protections.
Firefox
Firefox also uses Google Safe Browsing. It checks downloaded files against known malware signatures in addition to blocking known phishing and malware sites. Firefox's Enhanced Tracking Protection also blocks many tracking redirects by default.
Safari
Safari uses a combination of Apple's own threat data and Google Safe Browsing. It warns about fraudulent websites and blocks known malicious downloads. Safari's Intelligent Tracking Prevention also limits cross-site tracking.
Microsoft Edge
Edge uses Microsoft Defender SmartScreen, which maintains its own database of malicious URLs independent of Google Safe Browsing. SmartScreen also checks downloaded files against a reputation database.
Browser Protections Are Not Instant
It takes time for newly created malicious sites to be flagged in threat databases. A brand-new phishing page may not be blocked by your browser for hours or even days after it goes live. This is why manual inspection and link scanners are still important, especially for links from untrusted sources.
Red Flags in the Context of a Link
The URL itself is only part of the picture. The context in which you receive the link matters just as much.
Urgency and Fear
"Your account will be suspended in 24 hours. Click here to verify." Legitimate companies do not threaten account suspension through email links. They send you to their website or app where you can log in normally.
Unexpected Attachments or Links
If you receive a link you did not expect, even from someone you know, be cautious. Their account may have been compromised. If a colleague sends you a link with no explanation or with an uncharacteristic message, verify through another channel before clicking.
Too Good to Be True
Free gift cards, prize winnings, unclaimed packages, and exclusive deals that require you to click a link immediately are almost always scams.
Mismatched Sender and Domain
An email that claims to be from your bank but is sent from notifications@bank-secure-alert.com instead of the bank's actual domain is a clear sign of phishing.
Generic Greetings
Emails that start with "Dear Customer" or "Dear User" instead of your name are often mass phishing campaigns. Legitimate services you have an account with know your name.
What to Do If You Clicked a Suspicious Link
If you already clicked and are worried:
- Do not enter any information. Close the tab immediately. If you landed on a login page you did not expect, do not type anything.
- Check for downloads. Look in your Downloads folder for any files that were downloaded automatically. Delete them without opening them.
- Run a malware scan. Use your antivirus software or Malwarebytes to scan for threats.
- Change passwords. If you entered credentials on a suspicious page, change that password immediately. Change it on any other account where you used the same password.
- Enable two-factor authentication. If the compromised account supports 2FA and you have not enabled it, do so now.
- Monitor your accounts. Watch for unauthorized activity in the following days and weeks.
Building a Link-Checking Habit
Checking links before clicking does not have to be slow or tedious. A practical approach:
- Hover first. Always hover over links in emails before clicking. This takes one second and catches most phishing attempts.
- Be extra cautious with email links. When an email asks you to log in somewhere, go to the site directly by typing the URL in your browser instead of clicking the link.
- Use a link scanner for anything suspicious. Paste the URL into VirusTotal or Google Safe Browsing. This takes 10 seconds and gives you confidence.
- Keep your browser updated. Browser security updates patch vulnerabilities and update threat databases. Delaying updates leaves you exposed.
- Use an ad blocker. Extensions like uBlock Origin block many malicious ads and tracking redirects before they reach your browser.
The goal is not to be paranoid about every link. Most links are safe. The goal is to pause for a few seconds when something feels off and to have the tools and knowledge to check.