Skip to main content
Relaymetry

How to tell if a link is safe before you click

You cannot always tell a safe link from a dangerous one by looks, but a few checks catch most phishing. Hover over the link, or long-press it on a phone, to reveal where it really goes, then read the registrable domain, the part just before the first single slash, from right to left. A padlock or https only means the connection is encrypted, not that the site is trustworthy, and phishing pages use https too. When a message is unexpected or rushes you, reach the site yourself from a bookmark or a search instead of clicking.

The short version

You often cannot judge a link by how it looks, and phishing counts on exactly that. A handful of habits catch most bad links before they cost you anything. Reveal where a link actually points, read the real domain carefully, and slow down when a message is unexpected or rushed. None of it needs special software, though a phishing URL checker is a useful second opinion after you have run the manual checks.

The visible text of a link is only text. It can read paypal.com while pointing somewhere else entirely. Before you click, reveal the true destination.

  • On a computer, rest the mouse over the link without clicking. The real address appears in the status bar at the bottom of the browser or email client.
  • On a phone, press and hold the link (a long-press) until a preview of the full address pops up, and read it before you let go.
  • Watch out for buttons and images that hide the address behind a label like "View invoice". Hover or long-press them the same way.

If the destination that appears does not match the words you clicked or the company the message claims to come from, that mismatch is the warning.

Read the domain from right to left

Once you can see the full address, find the part that names the real owner of the site. That is the registrable domain: the name plus its ending, like paypal.com or hmrc.gov.uk, sitting immediately before the first single slash.

Read it from right to left, because the right-hand end is the piece a scammer cannot fake. Everything to the left of the registrable domain is a subdomain the site owner invents freely, and everything after that first single slash is just a path on the site.

Take https://paypal.com.account-verify.info/login. Reading back from the first single slash, the registrable domain is account-verify.info, not PayPal. The paypal.com at the front is only a subdomain of account-verify.info, placed there to catch a quick glance.

Know the disguises

Attackers reuse a small set of tricks to make a hostile domain look friendly. Once you know the moves, they stand out.

  • Look-alike spelling. A single swapped, added, or missing character: paypa1.com with the digit one, rnicrosoft.com with r-n reading as m, secure-gooogle.com with a spare o. Compare against the name you know, letter by letter.
  • Extra brand words. The genuine brand pushed into a subdomain or bolted onto a longer name, as in apple.com.secure-login.co or appleid-verify.com. A brand appearing somewhere in the address does not make it the brand's site.
  • Punycode and look-alike letters. Non-Latin characters that render like ordinary ones, such as a Cyrillic character standing in for a Latin "a". Browsers usually expose these as an address beginning xn--. An address that turns into xn-- gibberish when you inspect it deserves suspicion.
  • Stacked subdomains. A long chain of dots, like login.secure.account.example-verify.com, that buries the real registrable domain far to the right and hopes you read only the left end.
  • Shortened links. A bit.ly or t.co link shows none of the above. Expand it first with the shortener's own preview (many respond to a + added to the end) or a link-expander service, or skip it and reach the site yourself.

HTTPS and the padlock are not proof

A padlock icon, or a web address that starts with https, means the connection between you and the site is encrypted. It does not mean the site is honest or the company behind it is real. Phishing pages routinely run over https and show the very same padlock, because a certificate is free and takes minutes to obtain. Treat the padlock as a floor, not a verdict, and never read it as a sign that a page is safe to trust with your password. A missing padlock or a "not secure" warning is a reason to leave; a padlock only encrypts your data on its way to whoever runs the page.

Slow down on unexpected or urgent messages

Most phishing arrives as a message you were not expecting that wants you to act fast. Your account is locked. A parcel needs a small fee. A refund is waiting on you. The urgency supplies the pressure and the link supplies the trap. Legitimate companies do not email or text a link demanding that you confirm a password or payment detail on the spot. When a message pushes you to hurry, that alone is reason to slow down and check the link before doing anything with it.

When in doubt, go there yourself

The safest response to a link you are unsure about is to not use it. Reach the organisation through a route you already trust instead: a bookmark, the address typed by hand, the official app, or a search for the company. If the message might be genuine, contact the company using a phone number or web address you find independently, never the details printed in the suspicious message.

Where an automated checker fits

A phishing URL checker gives you a fast second opinion. Paste a suspicious address and it inspects the destination for structural red flags and checks it against Google Safe Browsing's list of known-bad URLs, all without you having to visit the page. It is handy for expanding a shortener and for confirming a hunch on a link you already doubted.

Know its limits. A checker reads the link and reputation data; it cannot open the page to see what it truly does, and a freshly built phishing site may not be on any blocklist yet. A clean result is reassurance, not a promise of safety, so it backs up the manual checks rather than replacing them. Read on for what is a phishing link, what happens if you click a phishing link, and what to do if you already clicked.

Frequently asked questions

How can I tell if this link is safe?

Reveal where the link really points before you click: hover over it on a computer, or press and hold it on a phone, and read the address that appears. Find the registrable domain, the name plus its ending just before the first single slash, and read it from right to left to confirm it is the site you expect. If the message was unexpected or pushes you to hurry, reach the site yourself from a bookmark or a search instead.

Does the padlock or HTTPS mean a website is safe?

No. A padlock or an https address means the connection to the site is encrypted, not that the site is honest or the company is real. Phishing pages routinely use https and show the same padlock, because a certificate is free and quick to obtain. Treat the padlock as a floor, then still judge the domain itself before you trust the page with a password or payment.

How do I find the real website a link goes to?

The real site is the registrable domain: the name and its ending (like paypal.com or hmrc.gov.uk) sitting immediately before the first single slash. Read the address from right to left. Anything to the left of that domain is a subdomain the owner chooses freely, and anything after the first single slash is only a path. In https://paypal.com.account-verify.info/login the real site is account-verify.info, not PayPal.

Are shortened links like bit.ly safe to click?

A shortened link hides its destination, so you cannot check the real domain by reading it. Expand it first using the shortener's own preview (many respond to a "+" added to the end) or a link-expander service, then apply the same checks to the address it reveals. If you cannot preview it and the message is unexpected, do not click it.

Can a link checker tell me for certain a link is safe?

No tool can promise a link is safe. A phishing URL checker inspects the address for structural red flags and checks it against known-bad lists such as Google Safe Browsing, which is a useful second opinion. It cannot open the page to see what it truly does, and a brand-new phishing site may not be listed yet. A clean result means no obvious red flags, not a guarantee, so keep doing the manual checks too.

Other phishing & link-safety guides

References

Browse all guides →