A link is the easiest way for a scammer to reach you. One tap can open a page that steals your login, asks for card details, or quietly downloads malware. The good news is that you can check where a link actually goes before you click it.
This guide shows you how to preview a link, read the real destination, and spot the tricks that make a bad link look safe. You can also paste the destination into our free check to see if it is flagged, all without loading the page.
Paste an address for a free safety check: encryption, malware and phishing, domain age and more.
The single most useful habit is to look at the real destination before you click. On a computer, hover your mouse over the link without clicking and the true web address appears, usually in the bottom corner of the browser or email window. On a phone, press and hold the link for a moment and a preview of the address pops up so you can read it and then cancel.
The visible text of a link means nothing. A link can say www.yourbank.com while actually pointing somewhere else entirely. Trust the address you preview, not the words you were shown.
The part that tells you who really owns a link is the domain, and the safest way to read it is right to left. Find the last two parts before the first single slash. In secure.paypal.com the owner is paypal.com. In paypal.brand-security.example.com the owner is example.com, and the familiar name has just been added as a prefix to reassure you.
Watch for lookalike and typosquat tricks: a number swapped for a letter such as paypa1.com, an extra word like paypal-support.com, or an unusual ending. If the real owner is not the company you expected, do not click.
Shorteners hide the real destination behind a short code. If you cannot see where a link leads and did not expect it, treat it with caution.
Letters swapped for numbers, extra hyphens, or a trusted name used as a prefix. They rely on you reading quickly.
Urgent texts or emails about a delivery, refund or account problem, pushing you to click before you think.
The words in a link can show one address while the link points to another. Always preview the real target.
No message is so urgent that you cannot take a moment to check. Banks, couriers and payment services do not need you to click a link in a hurry, and a real account issue will still be there when you log in the normal way. If a link makes you feel rushed, that pressure is itself a warning sign.
When you are unsure, go to the source directly. Type the web address yourself or open the official app, rather than trusting a link someone sent you.
On a computer, hover your mouse over the link and read the real web address that appears at the bottom of the window. On a phone, press and hold the link to see a preview. To go further, copy the destination domain and paste it into our free safety check, which tells you if it is flagged without loading the page.
Not necessarily. A shortener hides the true destination behind a short code, which is convenient but also useful to scammers. Shortened links are common and often fine, but if you did not expect the message or cannot see where the link leads, treat it with caution and check the destination before clicking.
Read the domain right to left and find the real owner, which is the last two parts before the first single slash. Watch for letters swapped for numbers, extra words or hyphens, and trusted names used only as a prefix. If the owner is not the company you expected, the link is likely fake.
Do not enter any details on the page and close it. If you typed a password or card number, change that password straight away and contact your bank if payment details were involved. Run a security scan on your device, and keep an eye on the affected accounts for anything unusual.
Links in messages you expected, from senders you trust, are usually fine once you have previewed the destination. The risk is with unexpected messages, especially ones creating urgency. When in doubt, ignore the link and reach the company through their official app or a web address you type yourself.
Free, anonymous, and no signup. Know before you buy.