Is This Link Safe? How to Check Suspicious URLs Before Clicking

March 27, 2026 · Updated April 28, 2026 · Anuranjan Vikas · 10 min read
Tags: phishing, url-safety, scams, guide

To check if a link is safe, paste it into a URL scanner like Kaval, Google Safe Browsing, or VirusTotal before clicking. Red flags include misspelled domains (amaz0n.com), uncommon TLDs (.xyz, .top), subdomain tricks, and URL shorteners hiding the real destination. Never enter credentials on a page you reached through an unsolicited link.

Someone sends you a link. Could be an email from your “bank,” a text about a package delivery, or a WhatsApp forward from your uncle. It looks legit. Maybe. Or maybe it’s a page designed to steal your password the second you type it in.

Phishing is the most common cyber attack in the world. It beats every other category in the FBI’s Internet Crime Report year after year. And it almost always starts the same way: a link that looks like something it’s not.

The good news is most phishing links have tells if you know where to look. And for the ones that don’t, free tools can check them for you in seconds.

Red Flags in URLs

Before clicking anything that arrived unsolicited, look at the URL itself. A lot of phishing falls apart under even basic scrutiny.

Misspelled and Look-Alike Domains

Attackers register domains that pass a quick glance.

  • amaz0n.com — zero instead of the letter O
  • paypa1.com — number 1 instead of the letter L
  • micros0ft-security.com — not from microsoft.com
  • g00gle.com — double zeros for OO

This is called typosquatting. Some attacks go further and use characters from other alphabets that are visually identical to Latin letters (Cyrillic “a” vs. Latin “a”). These are nearly impossible to catch by eye, which is exactly why automated tools exist.

What to do: Read the domain character by character. If it claims to be a known brand, ask yourself: is this exactly the URL I’d expect?

Weird Top-Level Domains

Real companies mostly use .com, .org, .gov, or country-code TLDs (.co.uk, .in, .de). Be cautious with:

  • Uncommon TLDs like .xyz, .top, .buzz, .click, .info — not inherently evil, but disproportionately used in phishing because they’re cheap to register.
  • Free subdomain services like yourbank.weebly.com or login-verification.netlify.app — no legitimate bank hosts login pages on someone else’s platform.

A .xyz domain isn’t automatically bad. But an unsolicited link from secure-update.account-verify.top? Red flag.

Subdomain Tricks

This one fools a lot of people.

https://paypal.com.account-security-update.com/login

Looks like PayPal, right? It’s not. The actual domain is account-security-update.com. Everything before that is just a subdomain designed to trick you.

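How to find the real domain: Take the hostname, which is everything between https:// and the first single slash (/), and read it from the right. The real domain is the last domain name before that slash. In that example: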

  • paypal.com is the subdomain (the trick)
  • account-security-update.com is where you’re actually going

When in doubt, ignore everything further to the left and focus on the name that sits right before the TLD.
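The right-to-left reading described above, together with the digit-swap and look-alike-alphabet checks from the earlier section, can be automated. The following Python is an added example, not Kaval's code; the suffix set and brand list are small constructed stand-ins (a real checker would load the full Public Suffix List).

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List. Names directly under
# these suffixes belong to different owners; production code loads the full list.
SHARED_SUFFIXES = {"co.uk", "netlify.app", "weebly.com"}
# Assumption: exact brand domains to watch for, taken from the article's examples.
BRANDS = ("amazon.com", "paypal.com", "microsoft.com", "google.com")
DIGIT_SWAPS = str.maketrans("01", "ol")  # 0 -> o, 1 -> l


def registrable_domain(url):
    """Return the domain the link really belongs to (name plus suffix)."""
    labels = (urlsplit(url).hostname or "").rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in SHARED_SUFFIXES else 2
    return ".".join(labels[-keep:])


def tokens(text):
    """Split on dots and hyphens after undoing digit-for-letter swaps."""
    return set(re.split(r"[.-]", text.translate(DIGIT_SWAPS)))


def red_flags(url):
    """Return (registrable domain, reasons the hostname looks deceptive)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    domain = registrable_domain(url)
    subdomain = host[: len(host) - len(domain)].rstrip(".")
    flags = []
    for brand in BRANDS:
        name = brand.split(".")[0]
        if domain == brand:
            continue  # genuinely the brand's own domain
        if name in tokens(domain.split(".")[0]):
            flags.append(f"look-alike of {brand}")
        if name in tokens(subdomain):
            flags.append(f"{brand} used as a subdomain of {domain}")
    scripts = sorted({unicodedata.name(c).split()[0] for c in host if not c.isascii()})
    if scripts:
        flags.append("non-ASCII letters in hostname: " + ", ".join(scripts))
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode (IDN) label in hostname")
    return domain, flags
```

The brand match is exact, so a brand's legitimate country domains have to be added to `BRANDS` or they will be reported as look-alikes.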

URL Shorteners

bit.ly, t.co, tinyurl.com — all legitimate services. Also commonly used to hide where a link actually goes. If someone sends you a shortened link and you can’t see the destination, be cautious.

How to preview them:

  • bit.ly: Add + to the end (e.g., bit.ly/abc123+) to see where it goes
  • CheckShortURL.com: Paste any shortened URL to reveal the destination
  • Kaval: Send the shortened URL to Kaval — it follows the full redirect chain and analyzes the final destination

Long Strings of Encoded Garbage

A URL like https://secure-login.com/verify?user=dXNlckBlbWFpbC5jb20=&token=abc123&redirect=aHR0cHM6Ly9ldmlsLmNvbQ== should make you suspicious. Those base64-encoded strings could contain your email address and a redirect to a malicious site.
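Decoding those parameters shows what the link is carrying. The following Python is an added example, not part of the original article or any tool it describes; it assumes the values are standard or URL-safe base64 and uses the article's own sample URL as input.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# The sample URL quoted in the article.
SAMPLE_URL = ("https://secure-login.com/verify?user=dXNlckBlbWFpbC5jb20="
              "&token=abc123&redirect=aHR0cHM6Ly9ldmlsLmNvbQ==")


def decode_hidden_params(url, min_len=8):
    """Return {name: text} for query values that decode from base64 to readable text."""
    decoded = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl turns '+' into a space; undo that and accept URL-safe base64 too.
        raw = value.replace(" ", "+").replace("-", "+").replace("_", "/").rstrip("=")
        if len(raw) < min_len:
            continue  # too short to tell apart from an ordinary token
        try:
            padded = raw + "=" * (-len(raw) % 4)
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or not text once decoded
        if text.isprintable():
            decoded[name] = text
    return decoded


def hidden_findings(url):
    """Describe decoded values that point off-site or identify the recipient."""
    outer_host = urlsplit(url).hostname
    findings = []
    for name, text in decode_hidden_params(url).items():
        if text.startswith(("http://", "https://")):
            target = urlsplit(text).hostname
            if target != outer_host:
                findings.append(f"{name}: redirects off-site to {target}")
        elif re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", text):
            findings.append(f"{name}: carries email address {text}")
    return findings
```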

HTTP Without the S

Not definitive on its own — lots of phishing sites use HTTPS now with free Let’s Encrypt certificates. But a login page served over plain HTTP (no padlock) in 2026? Guaranteed red flag. No legitimate bank or email provider does this.

That said, HTTPS doesn’t mean safe. It means the connection is encrypted. A phishing site with HTTPS still steals your data — just over an encrypted connection.

How to Check if a Link Is Safe

When you can’t tell by looking, or when you want to be sure, use these.

1. Kaval — AI-Powered URL Safety Scanner

Kaval checks URLs against threat intelligence databases and does real-time analysis of the destination page — domain reputation, known phishing patterns, and signs of credential harvesting.

How to use it:

  1. Visit kaval.chat or open the Kaval WhatsApp bot
  2. Paste the suspicious URL or forward the message containing it
  3. Get a safety verdict with details on what was found

The WhatsApp angle is handy here. Get a suspicious link in a message? Forward it to Kaval’s bot without having to copy-paste URLs between apps. Kaval also follows redirect chains, so shortened URLs and multi-hop redirects get fully resolved before analysis.

It also does fact-checking and deepfake detection, so if a suspicious message has a link and a dubious claim or image, you can verify everything in one place.

2. Google Safe Browsing

Google Safe Browsing is the service behind the warning screens you see in Chrome, Firefox, and Safari when you’re about to visit a dangerous site.

How to use it:

  1. Go to the Google Safe Browsing site status page
  2. Enter the URL
  3. See Google’s assessment

Massive scale — billions of URLs checked daily, protecting over 5 billion devices. The catch: it primarily flags sites that have already been reported. Brand-new phishing sites might not be in the database yet.

3. VirusTotal

VirusTotal scans URLs against over 70 antivirus engines and URL blocklists simultaneously. If any of them have flagged the URL, you’ll know.

How to use it:

  1. Go to virustotal.com and click the “URL” tab
  2. Paste the URL and search
  3. Review results from dozens of security vendors

VirusTotal also surfaces useful context: domain registration date, hosting provider, SSL certificate details. A domain registered yesterday asking for your bank credentials? You don’t need 70 vendors to tell you that’s bad.

4. URLVoid

URLVoid checks domains against multiple blocklist engines and gives you a reputation report — domain age, server location, blacklist status.

How to use it:

  1. Go to urlvoid.com
  2. Enter the domain
  3. Review the report

Quick and straightforward for domain reputation checks.

Layer Your Checks

A phishing site too new for Google Safe Browsing might be flagged by VirusTotal’s vendor network. A site that passes automated scans might still get caught by Kaval’s AI analysis. Using multiple tools gives you much higher confidence.

Common Phishing Tactics

Understanding the playbook helps you recognize attacks even when the URL looks clean.

Fake Login Pages

The classic. A page that looks identical to Gmail, Facebook, or your bank — but it’s on a different domain. You enter your credentials, they go straight to the attacker.

How to protect yourself:

  • Check the URL bar before entering any credentials. The domain must exactly match the real service.
  • Use a password manager. It autofills based on exact domain match — it won’t offer your Gmail password on gmai1.com. That’s a free, built-in phishing detector.
  • Enable two-factor authentication so a stolen password alone isn’t enough.

Urgency and Fear

Phishing messages almost always try to rush you:

  • “Your account will be suspended in 24 hours”
  • “Unusual login activity detected — verify now”
  • “Your package couldn’t be delivered — update your address”
  • “Your payment method failed — update to avoid interruption”

The formula: threat of loss + time pressure + a link to “fix” it. Real companies almost never threaten immediate account suspension via email, and they definitely don’t ask you to verify your password through an email link.

What to do: Don’t click the link. Open a new tab, type the service’s URL yourself, and log in normally. If there’s a real problem, you’ll see it there.

Impersonation

Attackers pretend to be people and organizations you trust:

  • Your bank. “Suspicious transaction detected.”
  • Government agencies. “Tax refund pending — verify your identity.” (Tax agencies don’t initiate contact via email.)
  • Tech companies. “Your iCloud storage is full” or “Microsoft 365 expired.”
  • Delivery services. “Your DHL/FedEx/Amazon package needs address confirmation.”
  • Your company’s IT department. “Password expires in 24 hours — click here to renew.”

Check the sender’s actual email address — not the display name. “From: Apple Support” coming from no-reply@apple-id-verification.xyz is not from Apple.

QR Code Phishing (Quishing)

Newer tactic. Malicious URLs hidden in QR codes. You can’t read the destination by looking at the code, and QR codes bypass email link filters. They show up in emails, on flyers, even stuck over legitimate QR codes on parking meters and restaurant tables.

What to do: Your phone’s built-in QR scanner (both iOS and Android) shows the URL before opening it. Look at it before tapping. If it seems off, check it with Kaval first. For payment-specific examples, read the QR code scams and UPI safety guide.

You Clicked a Bad Link. Now What?

Speed matters here.

You Entered Credentials

  1. Change the password now — on the affected account, from a different device if possible.
  2. Turn on two-factor authentication if it wasn’t already on.
  3. Check for unauthorized activity — unfamiliar logins, changed settings, messages you didn’t send.
  4. Change the password everywhere you reused it. (This is why password reuse is so dangerous — one phished credential becomes a full breach.) Consider running an email breach check to see if your credentials were already out there.
  5. Watch financial accounts if you entered payment info.

You Didn’t Enter Anything

  1. Close the tab. Don’t interact with the page.
  2. Clear browser cache and cookies for that site.
  3. Run an antivirus scan. Some phishing sites try drive-by downloads. Modern browsers block most of these, but check anyway.
  4. Look at your downloads folder for anything that appeared automatically.

You Downloaded a File

  1. Don’t open it. Delete it from your downloads folder.
  2. Run a full antivirus scan. You can also upload the file to VirusTotal for multi-engine analysis.
  3. Change critical passwords from a different device. If it was malware, it may have already grabbed your saved browser credentials.

If the download was an Android APK sent through WhatsApp, SMS, or a courier/KYC page, follow the fake APK scam cleanup guide.

Report It

Reporting helps protect others:

  • Google: safebrowsing.google.com/safebrowsing/report_phish
  • APWG: Forward phishing emails to reportphishing@apwg.org
  • Your email provider: Use the “Report phishing” button in Gmail, Outlook, etc.
  • CISA (US): cisa.gov/report

Long-Term Protection

Habits and tools, working together.

Use a Password Manager

A password manager does three things that directly fight phishing:

  • Won’t autofill on fake domains. If you’re on paypa1.com, it won’t suggest your PayPal credentials. Automatic phishing detection, no effort required.
  • Generates unique passwords. One phished credential doesn’t cascade to other accounts.
  • Simplifies everything. One master password instead of trying to remember dozens.

Enable Two-Factor Authentication

Even if someone phishes your password, 2FA blocks them from logging in. Hardware security keys (YubiKey) are the strongest option — they verify the domain cryptographically and won’t authenticate on a fake site.

Keep Everything Updated

Browser security updates patch the vulnerabilities that phishing sites exploit. Turn on automatic updates for your browser, OS, and security software. This isn’t optional.

Use DNS-Level Protection

Cloudflare’s 1.1.1.1 for Families and Quad9 (9.9.9.9) block connections to known malicious domains before they even load. Even if you click a bad link, the connection gets stopped at the DNS level.

Setup is simple — change your device’s DNS settings to use these resolvers instead of your ISP’s default.

Build the Habit

If a message asks you to click a link and do something with an account, don’t use the link. Navigate to the site directly. Type the URL yourself or use a bookmark. This one habit defeats the majority of phishing attacks.

And when you get a link you’re not sure about, take five seconds to check it with Kaval or any of the tools above. Five seconds now vs. weeks of cleanup later.

FAQ

Is it dangerous to open a phishing link without entering any information?

Usually low risk. Modern browsers have solid sandboxing and security protections. But it’s not zero risk — some pages try to exploit browser vulnerabilities or trigger downloads. If you accidentally opened one, close the tab, clear your cache, and run an antivirus scan. The real danger is interacting with the page: entering credentials, downloading files, or granting permissions.

How can I tell if an email is really from my bank?

Banks don’t ask you to verify your password or PIN via email. They don’t threaten to close your account unless you click a link within 24 hours. Check the sender’s full email address (not the display name) — legitimate bank emails come from their official domain, not from look-alikes or free email services. If anything feels off, don’t use any link or number from the email. Call the number on the back of your card instead, or go to your bank’s site directly. You can also paste the link into Kaval for a safety check.

I keep getting phishing emails. What do I do?

Your email address is probably on spam lists from a past data breach. Check with a breach scanning tool to confirm. To reduce the volume: mark phishing as spam in your email client (trains the filter), never click “unsubscribe” on obvious phishing (confirms your address is active and the link might be malicious itself), use email aliases for online signups to keep your main address cleaner, and enable your provider’s advanced filtering. Gmail catches most phishing before it hits your inbox. If you’re being persistently targeted, a security-focused provider like ProtonMail might be worth considering.


Every phishing attack starts with a link and a moment where you decide to trust it. Breaking that — pausing for five seconds to check before clicking — beats almost every other security measure you could adopt.

Next time you get a link that seems off, don’t click and hope. Paste it into kaval.chat or forward the message to the Kaval WhatsApp bot. Takes seconds. Could save you weeks.
