How to check if a link is safe to click

Essential tips for recognizing and avoiding unsafe hyperlinks to protect your data from phishing scams. Learn how to verify link safety effectively.

    On the internet you’ll barely find a page without hyperlinks – or links, for short. Without them, we wouldn’t be able to move from one page to another. But sometimes it’s difficult to know exactly where they’re taking us.

    Understandably enough, this can present a problem for data security and identity theft. The question is: How can we find out if a link is safe to click on or not?

    While there are no hard and fast rules, in this article we will share some useful tips for checking whether a link is safe or not, as well as some key features of phishing attempts.

    Steps to take when checking link safety

    We hear it all the time: Scammers are getting more sophisticated. But fortunately, with a few simple precautionary steps you can protect yourself from most of the security risks associated with unsafe links. 

    1. Check the domain name carefully

    If in any doubt, you should always look at the domain name in the link. 

    A modified spelling of a domain name is usually a clear sign of a scamming attempt. For example, phishers may use something like ‘http://www.1egitimatebank.com’ instead of ‘http://www.legitimatebank.com’.

    Did you spot the difference? If you didn’t, the first one uses the number ‘1’ instead of the letter ‘l’. Another common trick is to replace the letter ‘O’ with a zero.  

    Both of these tricks are easy to miss if you don’t look carefully and – let’s face it – sometimes it’s hard to find the time to do that.
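
    The careful look described above can be automated. The following is an added example, not part of the original article: it folds the two swaps named here (‘1’ for ‘l’, zero for ‘o’) and compares the result with a list of domains you trust. The allowlist, the `onlineshop.example` domain and the function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the domains you actually do business with.
TRUSTED_DOMAINS = {"legitimatebank.com", "onlineshop.example"}

# The two swaps the article describes: digit 1 for letter l, zero for letter o.
LOOKALIKES = str.maketrans({"1": "l", "0": "o"})


def link_host(url):
    """Lower-cased hostname of a URL, without a leading 'www.'; '' if none."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def _belongs_to(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a link."""
    host = link_host(url)
    if not host:
        return "invalid"
    if any(_belongs_to(host, d) for d in trusted):
        return "trusted"
    # Undo the digit-for-letter swaps on both sides, then compare again.
    folded = host.translate(LOOKALIKES)
    if any(_belongs_to(folded, d.translate(LOOKALIKES)) for d in trusted):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("http://www.legitimatebank.com",
                 "http://www.1egitimatebank.com",
                 "https://0nlinesh0p.example/login",
                 "https://news.example.org/"):
        print(f"{classify_link(link):10} {link}")
```

    A result of ‘unknown’ only means the host is not on your list; it says nothing about whether the site is safe.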

    2. Get in the habit of hovering

    Before clicking on a link, make a habit of first hovering over it with your mouse cursor. This will show you the actual address that the link points to.

    Also, if you’re in doubt about a link, find the organization’s URL address with a search engine instead of using the link provided in the email.

    3. Https is always better than http

    Another good way to check link safety is to make sure a site which asks you to enter financial details uses ‘https’ and not ‘http’.

    Secure sites like online banking or e-commerce sites will always use the more secure form of ‘http’ known as ‘https’. This makes sure that your data is sent encrypted across the internet to the website.

    In this case, ‘https://’ will be displayed in the URL address field of the browser with a security padlock icon next to the address. If you double-click on the padlock icon, you should see the website’s security certificate.

    4. Stay cautious

    The fact that a site uses https:// and displays the padlock icon doesn’t by itself mean that it’s genuine. While much less likely, it could still be a fake.

    If the security certificate isn’t displayed, or you receive a message saying that the URL address of the site does not match the certificate or that the certificate is not to be trusted, the site is most likely a fake with someone waiting to get hold of your credentials.

    So even for an https site, you should still double-check the website address in your browser’s URL address field. If the address looks odd, then don’t go any further until you’ve verified it with the company or organization.

    How to check if a shortened link is safe

    Are you one of the roughly 556 million X users? If so, you will have noticed people often use shortened links – to save space, obviously. In this case, hovering over the link to check its security status doesn’t work.

    But there’s a workaround. For shortened links, you can use the ‘preview’ function. Just enter the shortened bit.ly URL in your browser with a ‘+’ at the end, and it will report back information about the site that the shortened link leads to.

    Another trick is to copy and paste the address of the website to which the shortened link points into getlinkinfo.com and see what the result is.

    Who creates malicious links?

    The creators of malicious links are called phishers and mostly try to disguise themselves as known financial service websites – banks, credit card companies and the like. 

    According to Symantec, almost three quarters of all phishing attacks are related to websites of financial organizations.

    Other popular targets are the websites of parcel delivery services and well-known e-commerce names. The goal is to steal your financial or other information and your money.

    Phishing links can be found on website pages. However, they’re most often contained in emails sent out by their creators. And the problem is getting worse as the number and sophistication of online phishing scams increase.

    How to recognize phishing attempts and links

    Phishing emails are a mass product, so there are some things that most of them have in common. If you keep these tips in mind, you’ll be in a good position to ward off scammers.

    Tip #1: Check how the person addresses you

    One sign of scams is that their senders tend to use impersonal forms of address – things like ‘Dear Customer’ or ‘Dear User’ – instead of your actual name.

    Alternatively, they may address you by your email name – whatever comes before the @ sign in your email address. Which, as you can imagine, can often look pretty weird! 

    Tip #2: Check the email sender header

    The trick here is to look at the full email address, and not only the short one usually shown by your email app. That’s just a shortened version of the sender’s full information.

    To display the full email sender information header in your email app or browser window, click on the button or option that says ‘Display full header’ or similar. This will then give you the full information about the sender.
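
    Once the full header is visible, the check is whether the address behind the friendly name belongs to the organization the name claims. The following added example (not from the original article) does this for a raw message; the sample message and the brand-to-domain mapping are constructed for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed mapping: display names and the domains they really send from.
KNOWN_SENDERS = {"legitimate bank": {"legitimatebank.com"}}

# Constructed raw message, as shown by a 'Display full header' option.
RAW_MESSAGE = """\
From: "Legitimate Bank" <support@1egitimatebank.com>
To: user@example.org
Subject: Urgent: verify your account

Dear Customer, please verify your details.
"""


def inspect_sender(raw, known=KNOWN_SENDERS):
    """Compare the name shown by the mail app with the real sender address."""
    msg = message_from_string(raw)
    # parseaddr splits 'Name <user@host>' into the short name and the address.
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    expected = known.get(display.strip().lower())
    if expected is None:
        verdict = "unknown-sender"
    elif any(domain == d or domain.endswith("." + d) for d in expected):
        verdict = "matches"
    else:
        # The name claims a known organization, the address is somewhere else.
        verdict = "display-name-mismatch"
    return {"display": display, "address": address,
            "domain": domain, "verdict": verdict}


if __name__ == "__main__":
    print(inspect_sender(RAW_MESSAGE))
```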

    Tip #3: Beware of requests to ‘verify’ your details

    Phishers are always trying to get people to ‘verify’ their details. But when was the last time you received an email from your bank, asking you to verify your account because of an urgent safety issue? Probably never, right?

    Or maybe you’ve received an email from a supposed parcel service about an order you know nothing about, asking you to confirm some bit of information?

    This is also a common phishing ploy to access your personal bank account, and you should not respond or disclose critical information. If you’re not sure, check the official website or call them. Don’t accept the email’s claims without verifying them first.

    Alternatively, if you doubt the authenticity of the request, you should go to the website (not by clicking a link in the email) and perform the requested action there. If it’s a real request, you should be able to find and perform the action there. 

    Tip #4: Phishers love warnings, threats and deadlines 

    Phishers like to threaten, intimidate, or – taking a different approach – tell you about something you’ll miss out on if you don’t act right now. If you don’t take the requested action, they say, your account will get blocked or closed, you’ll be fined or even face legal action. 

    Tip #5: Use online services to inform yourself

    Other useful tools to check a link for safety are the APWG website or PhishTank.com for the current list of known phishing attacks.

    PhishTank is a free information community site where anyone can send, verify, track and share phishing data. Reporting attacks to these organizations will help protect others from being defrauded by phishers.

    What to do if you’ve clicked on a possible phishing link

    Firstly, don’t panic. If you’ve been tricked by a phishing link and already shared login details or other sensitive data, you should go to the real website right away and change your passwords and login details.

    Also contact the organization in question and inform them about the incident. You should forward any suspicious looking email you receive to the company or organization it claims to be from. You can usually obtain the correct email address from the organization’s genuine website.

    You should also report the phishing attack to an organization that checks and tracks phishing attempts, such as the Anti-Phishing Working Group or PhishTank.com.


    With more and more phishing scams, we need to pay close attention to hyperlink security. Always check URLs for slight changes like numbers substituted for letters. Hover over links to check their destinations before clicking. Look for 'https' in the URL and a padlock icon but remember that these alone do not guarantee legitimacy. Go ahead and verify the site's security certificate as well.

    Phishing emails often use generic greetings and create urgency to prompt immediate action. Check the sender’s full email address. Be skeptical of requests to verify account details or to respond to urgent alerts. Always access sites through your browser, not through email links. If you do click on a suspect link, change your password right away. Then, tell the relevant organizations. This will help reduce any potential damage.

    If you keep these tips in mind, you'll be in a good position to evade most phishing attempts. Good luck!
