How to Check If a Link Is Safe Before You Click
The click is everything. In most phishing attacks, the scam falls apart the moment you don't click. So the single most effective thing you can do is learn to check links before clicking them. Here's how.
Method 1: Hover over the link (on desktop)
Before clicking any hyperlink in an email or on a webpage, hover your mouse cursor over it. Look at the bottom of your browser window — it will show the actual URL the link goes to.
Does it match what you'd expect? Does it go to the organisation's real domain? If the email says it's from CommBank but the link goes to `commbank-secure-update.com`, do not click.
Method 2: Preview the full URL on mobile
On most smartphones, you can press and hold a link to get a preview that shows the full URL before you open it. This is your mobile equivalent of hovering. Check the domain — it should match who sent the message.
Method 3: Use a free link scanner
Several free tools will scan a URL and report whether it's been flagged as malicious:
- Google Safe Browsing: `https://transparencyreport.google.com/safe-browsing/search`
- VirusTotal: `https://www.virustotal.com` — paste the URL and it checks it against 70+ security tools
- URLScan.io: `https://urlscan.io` — gives a detailed visual and technical scan of any URL
Copy the link (right-click > "Copy link address"), paste it into one of these tools, and let it check before you visit.
Method 4: Check the domain carefully
Even if a URL looks right at a glance, read the domain character by character. Scammers use:
- Lookalike characters (the numeral `1` instead of the letter `l`, `0` instead of `O`)
- Subtle misspellings (`paypa1.com`, `amaz0n.com.au`)
- Subdomain tricks (`mybank.evil-site.com` — the actual domain is `evil-site.com`, not `mybank`)
- Extra words (`nab-bank-secure.com` instead of `nab.com.au`)
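The checks in this list can also be done mechanically. The following is an added example, not part of the original article: it pulls the registrable domain out of a URL and names which of the tricks above it matches. The `TRUSTED` list and the short suffix table are assumptions for illustration; a real tool would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for these examples.
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au"}
# Assumption: the domains this reader genuinely expects to deal with.
TRUSTED = {"paypal.com", "amazon.com.au", "nab.com.au", "commbank.com.au"}
BRANDS = {d.split(".")[0] for d in TRUSTED}
# The digit-for-letter swaps from the list above, mapped back to the letter.
LOOKALIKES = str.maketrans({"1": "l", "0": "o"})


def hostname(url):
    """Lower-cased host part of a URL, with or without a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host):
    """The part someone had to register: one label plus the public suffix."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def check_link(url):
    """Name the Method 4 trick a URL uses, or 'ok' / 'unknown domain'."""
    host = hostname(url)
    domain = registrable_domain(host)
    if domain in TRUSTED:
        return "ok"
    if domain.translate(LOOKALIKES) in TRUSTED:
        return "lookalike characters"
    subdomains = host[: len(host) - len(domain)].split(".")
    if BRANDS & set(subdomains):
        return "subdomain trick"
    if BRANDS & set(domain.split(".")[0].split("-")):
        return "extra words"
    return "unknown domain"


# Constructed sample links, built from the domains used on this page.
if __name__ == "__main__":
    for link in ("https://www.nab.com.au/login", "https://paypa1.com/signin",
                 "https://nab.evil-site.com/login", "nab-bank-secure.com"):
        print(f"{check_link(link):22} {link}")
```

A result of "unknown domain" only means the domain is not on your own list; it says nothing about whether the site is safe, so a scanner from Method 3 is still the next step.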
Method 5: When in doubt, don't click — go directly
If an email asks you to log in to your bank, your ATO account, or any other service, don't use the link in the email at all. Open a new browser tab and type the address you already know. You'll get to the same place without having to trust a link someone else sent you.
A quick habit that's worth building
Make link-checking a default behaviour, not a special occasion. Treat every unexpected link in your email with healthy suspicion, even from senders you know (their account might be compromised).