I got a text last month that looked exactly like an AusPost delivery notification, "Your parcel is waiting, confirm your address here." The link looked almost right. Almost. I hovered over it and the domain was auspost-delivery-update.top, which is about as legitimate as a three-dollar coin. If I'd been in a rush, I might have tapped it without thinking. That's what scammers count on.
Malicious links are the number one way cybercriminals steal passwords, install malware, and drain bank accounts. In this guide, I'll show you exactly how to tell if a link is safe, what red flags to look for, and how to scan any URL for free in seconds.
6 Ways to Check If a Link Is Safe
You don't need to be a cybersecurity expert to stay safe. Here are six practical methods anyone can use, ordered from quickest to most thorough.
1. Hover Over the Link (Don't Click)
On a computer, hover your mouse over any link and look at the bottom-left corner of your browser. You'll see the actual URL the link goes to. This is the simplest way to catch links that say one thing but go somewhere else entirely. For example, a link that displays "www.paypal.com" but actually goes to "paypal-secure-login.xyz" is a clear phishing attempt.
On a phone, press and hold the link (don't tap) to preview the URL without opening it.
2. Look at the Domain Name Carefully
Scammers register domains that look almost identical to real ones. Watch for character substitutions like "amaz0n.com" (zero instead of O), "paypa1.com" (one instead of L), or "g00gle.com." Also watch for extra words like "apple-id-verify.com" or "chase-secure-login.tk", legitimate companies use their main domain, not hyphenated variations.
Pay special attention to the domain ending. Unusual extensions like .xyz, .top, .tk, .buzz, .info, and .club are frequently used by scammers because they're cheap and have minimal registration requirements.
3. Check for HTTPS
Look for "https://" at the beginning of the URL and a padlock icon in the browser's address bar. While HTTPS alone doesn't guarantee a site is legitimate (scammers use it too), a site without HTTPS that asks for personal information is a definite red flag. Legitimate banks, shops, and services always use HTTPS.
4. Use a URL Scanner
The most reliable method is to scan the URL with a dedicated security tool. Paste the link into a URL scanner like ScanTotal, which checks it against Google Safe Browsing's database of known malware, phishing, and social engineering sites. This is the same database that protects Chrome, Firefox, and Safari users worldwide.
This is especially important for shortened URLs (bit.ly, tinyurl, t.co) where you can't see the real destination just by looking at them. This is what frustrates me most about the current state of the internet, URL shorteners are handed out like lollies yet they completely hide where a link actually goes, and most people have been conditioned to click them without a second thought because they're everywhere on social media and in marketing emails.
5. Check Where You Got the Link
Context matters enormously. A link from a friend in a normal conversation is different from a link in an unsolicited email claiming your account has been compromised. Be extra cautious with links from unknown senders or emails/texts you weren't expecting, links shared in public comments or forums, links in pop-up ads or banner advertisements, and links in messages that create a sense of urgency.
6. Look for Redirect Chains
Some malicious links use multiple redirects to hide the final destination. If you click a link and notice the URL rapidly changing through several different domains before landing on a page, that's suspicious. Legitimate websites don't typically redirect you through three or four unrelated domains before showing content.
What Makes a Link Dangerous?
Understanding what malicious links actually do helps you appreciate why checking them matters. Malicious links typically lead to one of these outcomes.
Phishing pages are fake login pages designed to look exactly like real websites. You enter your username and password thinking you're logging into your bank or email, but you're actually handing your credentials directly to a criminal. These pages can be incredibly convincing, copying every detail of the real site.
Malware downloads happen when clicking a link triggers an automatic file download. The file might be disguised as a PDF, document, or software update, but it contains malicious code that can steal your data, encrypt your files for ransom, or give attackers remote access to your device.
Scam websites trick you into entering payment information for products that don't exist, our guide on spotting fake shopping sites covers these in detail, fake services, or fraudulent investment schemes. These are particularly common in social media ads and unsolicited emails offering deals that seem too good to be true.
Real Examples of Dangerous Links
Here are common patterns found in malicious URLs. Learning to recognise these will help you spot threats instantly.
http://192.168.1.100/paypal/login.php
https://chase-secure-alert.tk/account
http://bit.ly/3xF8kQ2 (hiding real destination)
https://login-apple-id.info/verify
https://www.paypal.com/activity
https://www.chase.com/personal/banking
https://appleid.apple.com
Notice the difference: legitimate URLs use the company's real domain, have proper HTTPS, and don't include random words or unusual domain endings.
What to Do If You Clicked a Bad Link
If you've already clicked a suspicious link, don't panic but act quickly. Close the browser tab or app immediately. Don't enter any information on the page. Run a security scan on your device. Change passwords for any accounts you may have logged into through the link, starting with your email and bank accounts. Enable two-factor authentication everywhere you can. Monitor your bank statements and credit report for the next few weeks for any unusual activity.
If you entered payment information on a suspicious site, contact your bank immediately to freeze your card and dispute any unauthorised charges.
Shortened URLs: An Extra Layer of Risk
URL shorteners like bit.ly, tinyurl.com, t.co, and ow.ly are useful for sharing long links, but they also hide the real destination completely. Scammers love them because a link like "bit.ly/3xAbCdE" could lead anywhere, a legitimate website or a phishing page.
Before clicking any shortened URL from an untrusted source, paste it into a URL scanner to reveal and check the real destination. This takes seconds and can save you from a serious security incident.
What It Really Comes Down To
Every dodgy link I've scanned through our tool reinforces the same lesson: the two-second pause before clicking is the single most underrated security habit on the internet. You don't need expensive software or a cybersecurity degree, just hover, look at the actual URL, and if anything feels off, scan it. I've personally caught fake CommBank login pages, bogus ATO refund links, and at least a dozen fake parcel delivery scams this way. None of them got me.
Trust your gut. Scan first.