Spot a Dangerous Link Before You Click: 9 Checks That Work

Every day, attackers send billions of links through email, SMS, Slack, Discord, LinkedIn DMs, and fake ads. One careless click can hand over credentials, install malware, or trigger a drive-by download. The good news: most malicious links give themselves away if you know what to look at before clicking.

Here are the practical checks I run on any link that feels even slightly off — from a quick 5-second glance to a full sandbox inspection.

1. Read the URL Like a Domain, Not a Sentence

The single most useful skill is parsing a URL correctly. Attackers exploit the fact that most people skim left to right and stop at the first familiar word.

Take this URL:

https://paypal.com.secure-login-verify.ru/account

The real domain is secure-login-verify.ru, not paypal.com. The actual domain always sits immediately to the left of the first single slash, and it's the last two labels before that slash (plus the TLD).

Common URL tricks to recognise

• Subdomain spoofing: google.com.attacker.xyz
• Typosquatting: paypa1.com, arnazon.com, microsft.com
• Homograph attacks: Cyrillic characters that look like Latin ones (аpple.com with a Cyrillic "а")
• Suspicious TLDs: .zip, .mov, .top, .xyz, .tk are heavily abused (legitimate sites use them too, but treat with extra caution)
• IP addresses instead of domains: http://185.220.101.45/login — almost never legitimate for consumer services

2. Hover Before You Click

On desktop, hover over any link without clicking. The real destination appears in the bottom-left corner of your browser or in your email client's status bar. If the visible text says "bank.com" but the hover shows "bit.ly/xyz123", that's a mismatch worth investigating.

On mobile, long-press the link (don't tap) to preview the full URL in both iOS and Android.

3. Expand Shortened URLs Before Visiting

Shorteners like bit.ly, t.co, tinyurl, goo.gl, and is.gd hide the destination by design. Attackers love them. Before clicking any shortened link, expand it.

You can use AXOX Hub's Link Safety Scanner or a Redirect Checker to see the full redirect chain. A legitimate marketing link usually goes bit.ly → company.com. A malicious one often chains through 3–5 hops across unrelated domains before landing on a credential harvester.

4. Inspect the Full Redirect Chain

Even non-shortened links can redirect. A common phishing tactic is to use a compromised but reputable domain as the first hop, then bounce through tracking parameters to the actual payload.

Look for these red flags in a redirect chain:

• More than two or three hops
• Redirects that cross country TLDs (.com → .ru → .cn)
• Final destination on a freshly registered domain
• HTTP (not HTTPS) anywhere in the chain
• Open redirects on legitimate domains being abused (e.g. google.com/url?q=evil.com)

5. Check Domain Age and WHOIS Data

Phishing domains are typically registered days or weeks before the campaign launches. A WHOIS lookup tells you when a domain was registered.

Heuristics that should make you cautious:

• Domain registered in the last 30 days
• Privacy-protected WHOIS on a domain pretending to be a major brand
• Registrar known for abuse (Namecheap, Namesilo, and Freenom historically appear often in abuse reports — though they also host legitimate sites)

6. Verify TLS Certificate Details

HTTPS alone doesn't mean safe — phishing sites have used Let's Encrypt certificates for years. But certificate details still reveal a lot.

What to check

• Common Name / SAN: Does it match the domain you expect?
• Issuer: Is it a recognised CA?
• Validity period: Certificates issued hours ago on a domain claiming to be a major bank are suspicious
• EV certificates: Banks and payment processors often use Extended Validation — though browsers no longer display the green bar prominently

7. Run It Through a Reputation Engine

Several services aggregate threat intelligence and tell you if a URL has been flagged:

1. Google Safe Browsing — already built into Chrome, Firefox, and Safari
2. VirusTotal — scans the URL with 70+ engines simultaneously
3. URLVoid / URLhaus — community-maintained blocklists
4. AXOX Hub's Link Safety Scanner — combines redirect analysis, domain reputation, and signature checks in one pass

No single engine catches everything. If two or more independent services flag a URL, treat it as malicious.

8. Open It in an Isolated Environment First

If you have to visit a suspicious link to verify something (security researchers, sysadmins investigating reported phishing), never use your main browser.

Options ranked from easiest to most isolated:

• Incognito/private window with no extensions (minimal protection, but no session cookies leak)
• A separate browser profile with no logins
• Browserling, urlscan.io, or Hybrid Analysis — render the page on someone else's machine and show you screenshots
• A disposable VM (a snapshot of Windows or Linux you can roll back)

urlscan.io is especially useful because it captures screenshots, DOM snapshots, network requests, and any JavaScript loaded — all without you executing anything locally.

9. Watch for Behavioural Red Flags on the Page

If you do end up on a page, these signals should make you close the tab immediately:

• An instant login prompt for a service you didn't initiate
• Browser notifications, location, or microphone permission requests on first visit
• Fake "virus detected" pop-ups
• Captchas that ask you to press Win+R or paste clipboard content (a known social-engineering attack called ClickFix)
• Auto-downloads triggered without interaction
• Pages that block right-click or DevTools

A Quick Workflow for Suspicious Links

1. Hover and read the actual domain
2. If shortened or redirected, expand the full chain
3. Check domain age via WHOIS
4. Run it through a reputation scanner
5. If still uncertain, render it in urlscan.io or a sandbox
6. Only then decide whether to visit in your real browser

The whole process takes under a minute once you've done it a few times — and it's cheaper than recovering from a compromised account.

Got a link you're not sure about right now? Paste it into the AXOX Hub Link Safety Scanner to inspect redirects, domain reputation, and threat signals in one click — no signup, completely free.