The short version
You often cannot judge a link by how it looks, and phishing counts on exactly that. A handful of habits catch most bad links before they cost you anything. Reveal where a link actually points, read the real domain carefully, and slow down when a message is unexpected or rushed. None of it needs special software, though a phishing URL checker is a useful second opinion after you have run the manual checks.
See where the link really goes
The visible text of a link is only text. It can read paypal.com while pointing somewhere else entirely. Before you click, reveal the true destination.
- On a computer, rest the mouse over the link without clicking. The real address appears in the status bar at the bottom of the browser or email client.
- On a phone, press and hold the link (a long-press) until a preview of the full address pops up, and read it before you let go.
- Watch out for buttons and images that hide the address behind a label like "View invoice". Hover or long-press them the same way.
If the destination that appears does not match the words you clicked or the company the message claims to come from, that mismatch is the warning.
Read the domain from right to left
Once you can see the full address, find the part that names the real owner of the site. That is the registrable domain: the name plus its ending, like paypal.com or hmrc.gov.uk, sitting immediately before the first single slash.
Read it from right to left, because the right-hand end is the piece a scammer cannot fake. Everything to the left of the registrable domain is a subdomain the site owner invents freely, and everything after that first single slash is just a path on the site.
Take https://paypal.com.account-verify.info/login. Reading back from the first single slash, the registrable domain is account-verify.info, not PayPal. The paypal.com at the front is only a subdomain of account-verify.info, placed there to catch a quick glance.
Know the disguises
Attackers reuse a small set of tricks to make a hostile domain look friendly. Once you know the moves, they stand out.
- Look-alike spelling. A single swapped, added, or missing character:
paypa1.comwith the digit one,rnicrosoft.comwith r-n reading as m,secure-gooogle.comwith a spare o. Compare against the name you know, letter by letter. - Extra brand words. The genuine brand pushed into a subdomain or bolted onto a longer name, as in
apple.com.secure-login.coorappleid-verify.com. A brand appearing somewhere in the address does not make it the brand's site. - Punycode and look-alike letters. Non-Latin characters that render like ordinary ones, such as a Cyrillic character standing in for a Latin "a". Browsers usually expose these as an address beginning
xn--. An address that turns intoxn--gibberish when you inspect it deserves suspicion. - Stacked subdomains. A long chain of dots, like
login.secure.account.example-verify.com, that buries the real registrable domain far to the right and hopes you read only the left end. - Shortened links. A
bit.lyort.colink shows none of the above. Expand it first with the shortener's own preview (many respond to a+added to the end) or a link-expander service, or skip it and reach the site yourself.
HTTPS and the padlock are not proof
A padlock icon, or a web address that starts with https, means the connection between you and the site is encrypted. It does not mean the site is honest or the company behind it is real. Phishing pages routinely run over https and show the very same padlock, because a certificate is free and takes minutes to obtain. Treat the padlock as a floor, not a verdict, and never read it as a sign that a page is safe to trust with your password. A missing padlock or a "not secure" warning is a reason to leave; a padlock only encrypts your data on its way to whoever runs the page.
Slow down on unexpected or urgent messages
Most phishing arrives as a message you were not expecting that wants you to act fast. Your account is locked. A parcel needs a small fee. A refund is waiting on you. The urgency supplies the pressure and the link supplies the trap. Legitimate companies do not email or text a link demanding that you confirm a password or payment detail on the spot. When a message pushes you to hurry, that alone is reason to slow down and check the link before doing anything with it.
When in doubt, go there yourself
The safest response to a link you are unsure about is to not use it. Reach the organisation through a route you already trust instead: a bookmark, the address typed by hand, the official app, or a search for the company. If the message might be genuine, contact the company using a phone number or web address you find independently, never the details printed in the suspicious message.
Where an automated checker fits
A phishing URL checker gives you a fast second opinion. Paste a suspicious address and it inspects the destination for structural red flags and checks it against Google Safe Browsing's list of known-bad URLs, all without you having to visit the page. It is handy for expanding a shortener and for confirming a hunch on a link you already doubted.
Know its limits. A checker reads the link and reputation data; it cannot open the page to see what it truly does, and a freshly built phishing site may not be on any blocklist yet. A clean result is reassurance, not a promise of safety, so it backs up the manual checks rather than replacing them. Read on for what is a phishing link, what happens if you click a phishing link, and what to do if you already clicked.