Skip to main content
All articles
Phishing

How to check a phishing link safely (without clicking it)

A step-by-step link checker guide: how to inspect a suspicious URL, expand shortlinks, verify SSL and reputation — all without ever loading the page in your browser.

July 17, 2026 8 min readBy Scam Lookup

You got a link in an email, SMS, DM, or QR code and something feels off. Do not click it. Modern phishing pages load in real time, capture credentials on keystroke, and can fingerprint your device the moment you visit — even if you never submit the form. Here is how to inspect a suspicious link end-to-end without ever opening it in your browser.

1. Read the URL before anything else

Copy the link (long-press on mobile, right-click → Copy link on desktop) and paste it into a plain text field — not the browser address bar. Now you can actually see it. Look at the domain, not the path. The domain is the last two labels before the first single slash: in https://login.paypal.com.secure-verify.co/login, the real domain is secure-verify.co, not paypal.com.

  • Watch for lookalike characters: rn instead of m, 0 instead of o, l instead of I.
  • Punycode (xn--) domains are almost always phishing when they impersonate a brand.
  • Long subdomains stuffed with brand names (paypal-login-secure-account.example.tld) are a red flag.
  • Free TLDs like .tk, .top, .zip, and .mov are heavily abused — treat them with extra suspicion.

2. Expand shortened links first

bit.ly, t.co, tinyurl, buff.ly, ow.ly, goo.gl and QR codes all hide the real destination. Never trust a shortlink at face value. Use a URL expander (we have a free one at /tools/url-expander) to follow the redirect chain server-side and see every hop, including the final URL, without loading any of them in your browser.

3. Run the domain through a trust scanner

Paste the final domain (not the full URL) into Scam Lookup. In about 3 seconds you get: domain age, SSL certificate history, DNS setup, security headers, email authentication, and a transparency check for privacy/contact/terms pages. Real businesses have real infrastructure. A domain registered 4 days ago with no MX record, no privacy policy, and a Let's Encrypt cert issued yesterday is almost certainly a phishing kit.

4. Check the SSL certificate history

A green padlock means the connection is encrypted, not that the site is legitimate. Every phishing kit today ships with valid HTTPS. What matters is the certificate transparency log — how long the cert has existed, how many previous certs the domain has had, and who issued them. A brand-new Let's Encrypt cert on a brand-new domain is the fingerprint of a disposable phishing site.

5. If you must preview the page, do it sandboxed

Never open a suspect link in your normal browser, logged into your accounts, on the network you bank from. If you truly need to see the page, use a service like urlscan.io or browserling that loads the URL in a disposable virtual browser and returns a screenshot — you see the page without your device ever touching it.

6. Report it once you have confirmed

  1. Report the URL to Google Safe Browsing (safebrowsing.google.com/safebrowsing/report_phish).
  2. Report to the impersonated brand — most have a dedicated phishing@brand.com inbox.
  3. If it arrived via email, use your mail client's built-in report-phishing button so the sender is added to global spam lists.
  4. Warn whoever forwarded it to you — they were likely phished first.

The 30-second checklist

  • Read the real domain, not the display text.
  • Expand any shortlink or QR code before trusting the destination.
  • Scan the domain — age, SSL history, DNS, transparency.
  • Never preview a suspicious page in your real browser.
  • Report it after you have confirmed.

Frequently asked questions

Is it dangerous to just click a phishing link without entering anything?

Yes, in some cases. Simply loading the page can leak your IP address, browser fingerprint, and referrer, and can trigger drive-by download attempts or browser exploits on unpatched devices. On mobile, tapping a link can also open native app deep-links you did not expect. The safest option is to inspect the URL without ever loading it.

Does HTTPS mean a link is safe?

No. HTTPS only means the connection is encrypted between your device and the server. Every modern phishing kit uses a valid HTTPS certificate — free ones from Let's Encrypt or ZeroSSL are issued in seconds. HTTPS proves nothing about who owns the site or whether it is trustworthy.

How can I safely see where a bit.ly or t.co link goes?

Use a URL expander that follows the redirect server-side and returns the final destination as text. Scam Lookup offers a free one at /tools/url-expander. Never expand shortlinks by pasting them into your address bar — that loads the destination in your browser.

What is the single biggest giveaway of a phishing site?

Domain age. Almost every phishing domain is less than 30 days old, and often less than 24 hours old. Legitimate brands run domains that are years or decades old with a long certificate transparency history. If a checkout page or login page is on a brand-new domain, treat it as phishing until proven otherwise.

I already clicked the link — what should I do?

If you only loaded the page: close the tab, clear that site's data, and run a malware scan. If you entered a password: change that password immediately everywhere it is reused, and enable phishing-resistant MFA (passkeys or a hardware key). If you entered payment info: freeze the card and notify the bank. If it was work credentials: notify your IT or security team within the hour — the attacker is already using them.

Are QR codes riskier than normal links?

Yes — because you cannot read a QR code with your eyes. Attackers exploit this by putting QR codes on posters, PDFs, and emails that scan to phishing URLs. Enterprise mail filters do not scan QR codes. Always use a QR scanner (like the one at /tools/qr-code-scanner) that shows you the decoded URL before opening it, not one that opens the link automatically.

#phishing#link checker#url safety#shortlinks#how-to
Share