The safest rule with an unexpected link is simple: do not click it. But you often still need to know where it leads. Here is how to inspect a suspicious URL without exposing your device or credentials.
Inspect it manually first
- Hover, do not click โ on desktop, hovering shows the real destination in the status bar. On mobile, long-press to preview the URL.
- Read the domain right-to-left โ the true site is the part just before the first single slash. In
login.paypal.com.secure-verify.ru/xyzthe real domain issecure-verify.ru, not PayPal. - Watch for look-alikes โ
rnposing asm, a digit0foro, or extra hyphens and words. - Expand shorteners โ bit.ly and similar hide the destination; never trust a shortened link from an unknown sender.
Let a scanner open it for you
A URL scanner fetches and analyses the link in an isolated environment so you never have to. Our free Is This Link Safe? checker examines the domain age, redirect chain, TLS certificate, hosting, and reputation across 20+ security vendors and 24 blocklists โ and flags typosquatting, dangerous schemes and credential-harvest patterns โ all without you visiting the page.
If you already clicked
Do not enter any credentials. Close the tab, run an anti-malware scan, and if you typed a password anywhere, change it immediately and enable two-factor authentication on that account.