trust-security

Is This Link Safe? How to Check Before You Click (2026 Guide)

Worried a link is sketchy? Here's how to check if a link is safe using free URL scanners, link expanders, and 9 red flags that give phishing away.

Team U2L 19 min read

To check if a link is safe, paste it into a URL scanner like Google Safe Browsing or VirusTotal before clicking. The scanner checks the destination against malware and phishing databases in seconds. For shortened URLs, use a link expander first to see where the link actually goes. If the link came from a stranger, an urgent message, or a misspelled sender address, treat it as unsafe by default.

Table of Contents

You got a text from "Amazon" about a delivery problem. Or an email from "your bank" about a flagged charge. Or a DM that says "this you?" with a link. Before you tap, you want to know one thing: is this link safe? This guide walks you through exactly how to check, in under thirty seconds, without exposing your device.

We'll cover the manual checks anyone can do, the free URL scanners that catch what your eyes miss, how to safely peek inside a shortened link before clicking, what to do if you've already opened something sketchy, and how a modern URL shortener like U2L AI runs safety checks at the moment a short link is created so dangerous links never get the chance to spread. (Disclosure: U2L AI is our product, so we'll be specific about what we do and how we do it.)

A link safety check is the process of verifying whether a URL leads to a legitimate destination or a malicious one (phishing, malware, scam) before you actually visit it. The fastest way to check is to paste the URL into a free scanner like Google Safe Browsing or VirusTotal, which compares the link against constantly updated threat databases and reports any flags in seconds.

The thirty-second version: paste the URL into transparencyreport.google.com/safe-browsing/search. If Google flags it, don't click. If Google says nothing, paste it into virustotal.com for a second opinion across 70+ engines. If both come back clean and the sender context makes sense, the link is probably safe.

Probably is the operative word. Brand-new phishing domains (less than 24 hours old) often slip past scanners because no one has reported them yet. So even after a clean scan, look at the actual domain, the sender, and the message context before you commit to clicking.

For a deeper backgrounder on how URL shorteners work and why they sometimes get abused, see our explainer on URL shortening.

These are the patterns that show up over and over in phishing campaigns, romance scams, and malware drops. If you see two or more, treat the link as hostile.

1. The sender is rushing you. "Verify now or lose access in 24 hours." "Your package will be returned if you don't confirm." Urgency exists to bypass your critical thinking. Real companies almost never give you a hard deadline measured in hours. The Federal Trade Commission's consumer alerts page repeats this advice every quarter because it keeps working on people.

2. The display name and the actual address don't match. An email that says "Apple Support" but the actual sender is noreply@apple-secure-account.xyz is a hard no. Hover over (desktop) or long-press (mobile) the sender to see the real address.

3. The domain is almost right. amaz0n.com, paypa1.com, g00gle.com, linkedln.com. Look at every character. Phishing kits register thousands of look-alike domains specifically to fool a glance. If you're reading a domain and your eyes need to slow down, you're probably looking at a typo-squat.

4. The URL uses a shortener you don't recognize in a corporate-looking message. A "your bank" email that asks you to click bit.ly/xR9k3a is suspicious. Real banks rarely shorten URLs in transactional emails. Personal messages from friends using u2l.ai/coffee are fine. Context matters.

5. The link is on top of an image. A clickable banner with no visible URL is a classic trick. The text says "Click to claim your reward" but the underlying link goes somewhere ugly. Always hover or long-press to reveal the actual destination before tapping.

6. There's no HTTPS. A login page or checkout that loads on http:// (no padlock, no s) in 2026 is either old, broken, or hostile. Every legitimate site has had HTTPS for years. No HTTPS, no trust.

7. The grammar is off in subtle ways. A misplaced comma is fine. "Kindly revert your details urgently" is not how a real bank writes. Phishing kits are often translated from another language and the seams show.

8. You weren't expecting it. A DHL "delivery problem" message when you have no package en route. A Netflix "billing failure" when your subscription is current. Unsolicited contact from an account you haven't engaged with is the single strongest signal in the list.

9. The action requested is to enter credentials, install something, or send money. Real password resets you initiated yourself are fine. A link telling you to "re-verify your password" out of nowhere is not. Treat any link that ends with "give me your login or your money" as hostile until you can prove otherwise.

None of these red flags are conclusive on their own. Together, they're a profile. One red flag, double check the URL. Two or more, just delete the message.

On desktop, right-click the link and choose "Copy link address." On mobile (iPhone or Android), long-press the link until a menu appears, then tap "Copy" or "Copy link." You now have the URL on your clipboard without your device ever loading the destination. This is the most important step - everything else builds on it.

Step 2: Look at the visible URL for obvious problems

Before you scan, give it a quick eyeball. Is the domain spelled correctly? Is it the brand you expected (amazon.com not amaz0n-deliveries.net)? Does the path look reasonable, or is it a long string of random characters? If something is already off, you don't need to scan. Just delete.

If the URL is from a shortener (bit.ly, t.co, tinyurl.com, u2l.ai, goo.gl), you can't tell the destination from the surface. Paste it into a free link expander like checkshorturl.com or unshorten.it to see where it actually goes. Some shorteners also support a preview by appending a special character to the URL - for example, U2L AI lets you preview a destination by adding + to the end of the short link.

Step 4: Scan the expanded URL with Google Safe Browsing

Paste the (expanded) URL into transparencyreport.google.com/safe-browsing/search. Google checks the destination against its global threat database, which is updated continuously from billions of devices. A clean result means the URL isn't in any known threat list. A flagged result means stop immediately.

Step 5: Run it through VirusTotal for a second opinion

Paste the URL into virustotal.com. VirusTotal aggregates results from 70+ antivirus engines, threat intelligence services, and community-reported flags. A single detection is worth investigating. Multiple detections is a guaranteed skip. This catches things Google's database hasn't picked up yet.

Step 6: For technical users, run it through urlscan.io

If you want to actually see what the page does without visiting it yourself, urlscan.io loads the URL in a sandboxed browser and gives you a full screenshot, network log, and DOM tree. You can see what scripts the page loads, what domains it talks to, and whether it tries to harvest credentials. Overkill for a casual check, essential if you're a security analyst.

Step 7: Check the message context one more time

Even if every scanner came back clean, ask yourself: did I expect this message? Does the sender check out? Does the URL match the context? If yes to all three, click. If no to any of them, the scanners might just be late to the party, and you should sit on it.

These are the free tools that consistently catch the most threats. Use at least two for any link you're unsure about.

Google Safe Browsing Site Status. The official Google tool. Paste the URL, get a verdict. Backed by the same threat database that powers Chrome's red warning screens. Free, fast, no ads, no signup. The first place every link should go.

VirusTotal. Aggregates 70+ antivirus engines plus several threat intelligence services. URLs get scanned by all of them in parallel, and you see which engines flag the site and why. If even one or two reputable engines mark a URL as malicious, treat it as a hard no. Free for personal use.

urlscan.io. Renders the page in a sandboxed browser and gives you the full technical breakdown: screenshot, IPs contacted, JavaScript loaded, certificates used. Best for security pros analyzing a campaign rather than for quick consumer checks, but completely free and very thorough.

NordVPN Link Checker. Quick AI-powered URL safety check. No login. Pasting the link runs it through threat intelligence sources. Cleaner UI than VirusTotal for non-technical users.

Norton Safe Web. Norton's free URL reputation tool. Long history, large database, fast results. Useful as a third opinion when Google and VirusTotal disagree.

PhishTank. A community-curated list of confirmed phishing URLs. Submit any link, see whether it's already been reported, and report new ones. Free and open. Doesn't catch novel threats but catches known phishing campaigns immediately.

Bitdefender Link Checker. Browser extension and web tool. Real-time URL scanning. Useful as always-on protection rather than one-off checks.

A practical workflow: Google Safe Browsing for the first pass, VirusTotal for a second opinion, urlscan.io for a deep look if either of the first two raise a flag. Most consumer-grade threats get caught at step one. The serious ones show up at step two or three.

How to Expand a Shortened URL Without Clicking It

Shortened links are useful, popular, and unfortunately a favorite tool of phishers. You can't tell what a bit.ly/3xR9 link points at by looking. Here's how to peek without committing.

The plus-sign trick. Many shorteners include a built-in preview. Append + to the end of the short URL and visit that instead. For example, bit.ly/yourlink+ shows you Bitly's preview page with the full destination URL and a stats summary, without forwarding you. U2L AI links support the same convention. Not every shortener does, but the big ones do.

Online link expanders. Paste the link into checkshorturl.com, unshorten.it, or where-goes.com. The tool follows the redirect on the server side and shows you the final destination URL. None of the redirected loads ever touch your device. Most expanders also show the full redirect chain, so you can spot multi-hop laundering attempts (a sketchy URL that bounces through three different shorteners is a giant red flag).

Browser developer tools. If you're comfortable with browser dev tools, you can use the Network tab to follow redirects manually. Open dev tools, type the short URL into the address bar, watch the request go out, and read the 301/302 response without letting the destination page load. Overkill for daily use, useful for forensics.

Curl from the command line. curl -I https://shortlink/abc returns the redirect headers without downloading the page. Server-only response. Zero risk to your device. Engineer-friendly but works on every OS that has curl installed (so basically all of them).

The why on shortener safety: shorteners aren't inherently dangerous. The vast majority of shortened links are perfectly safe. Bad actors abuse them because the surface URL hides the destination, but reputable shorteners (Bitly, TinyURL, U2L AI, and others) actively scan destinations and block known bad links. We compared the safety features of the best free URL shorteners to see which ones actually inspect the destination before issuing a short link.

Mobile-Specific Tips for iPhone and Android

Most phishing now arrives by SMS or messaging app, which means the primary battleground is mobile. The desktop tricks don't translate one-for-one. Here's the mobile-specific playbook.

iPhone: long-press to preview. Press and hold any link in Messages, Safari, Mail, or most apps without lifting your finger. A preview card appears showing the URL and often a thumbnail of the page. Read the URL before deciding. Tap "Copy" to grab it for a scanner. Don't tap "Open."

Android: long-press for context menu. Same gesture, different menu. Long-press, see the URL, copy or share to a scanner app. Some browsers (Chrome, Brave) show a small URL preview at the bottom.

Be doubly skeptical of SMS. Phone numbers can be spoofed, "package delivery" texts are the #1 phishing vector in 2026, and SMS doesn't have the same anti-phishing infrastructure as email. A text with a link from a number you don't recognize is far more likely to be hostile than a real notification. The carrier won't filter as much as Gmail does.

Don't trust messaging app previews. WhatsApp, iMessage, Telegram, and others render link previews. The preview shows the destination's OG image and title, which means a malicious page can show a totally innocent-looking preview while pointing at a phishing form. Always check the URL itself, not the preview.

Use a mobile link checker app. Bitdefender's Mobile Security, Norton 360, and similar apps include link safety scanners that work inline with your messaging apps. Tap to scan before opening. Worth it if you get a lot of unfamiliar links.

Set your phone to require Face ID/Touch ID for App Store purchases. If you do click something bad and a fake App Store redirect tries to install something, biometric confirmation is a meaningful speed bump.

Don't panic. Most bad clicks don't result in compromise on their own. The dangerous outcome is what you do after clicking - usually entering credentials or downloading something.

If you only loaded the page: close the tab immediately. Don't tap any buttons, don't enter anything, don't download anything. Your device probably isn't compromised. Clear your browser history and run a malware scan to be safe. On mobile, force-close the browser and clear cache.

If you entered credentials: change that password immediately, from a different device if possible. Use a password manager to generate a new strong one. Then change the password on every other account that used the same one (this is why password reuse is so dangerous). Enable two-factor authentication on the affected account. Check the account's recent activity for unauthorized logins.

If you entered payment info: call your bank, freeze the affected card, and dispute any unfamiliar transactions. Most banks will issue a new card immediately. Watch the account for the next 30 days.

If you downloaded something: delete it without opening. Run a full malware scan with a reputable tool (Malwarebytes is the consumer standard). If you actually opened the download, disconnect from the internet, run an offline scan, and consider a full system restore from a clean backup. For a corporate device, contact IT immediately - don't try to "fix it yourself" on a work laptop.

Report the link. Forward suspicious emails to your provider (Gmail and Outlook both have report buttons) and submit the URL to Google Safe Browsing's report page. PhishTank is another good destination. Reporting is what makes the threat databases work. The fifteen seconds it takes saves the next person who almost clicked.

We built U2L AI's link layer with the assumption that some percentage of links submitted to a URL shortener will be abusive. So every link runs through several safety checks in parallel the moment it's created, not after someone reports it.

Here's what happens when you create a short link on U2L AI's URL shortener: the destination URL is checked against Google Safe Browsing's threat database, scanned by an AI moderation model for phishing patterns and scam language, validated against a curated blocklist of known abusive slugs, and rate-limited per account to prevent bulk abuse. All of this runs in parallel and completes before the short link is issued. If the destination is flagged, the link is rejected at creation time. No "we'll review it later," no chance to spread first.

For end users this means short links generated through U2L AI are meaningfully less likely to lead anywhere dangerous than a link from a shortener that doesn't run pre-creation checks. It's not a guarantee - no security tool is - but it's the difference between a tool that screens its output and one that doesn't.

We also publish the principles behind our link safety approach on the features page. The short version: safety has to happen before the link goes live, not after. Post-incident response is a damage-control strategy, not a security strategy. Other safety-conscious shorteners cover similar ground - we discussed the safety story across the major platforms in our Bitly alternatives roundup and the Google URL shortener replacement guide.

For end users, that pre-creation gate is invisible until you try to shorten a phishing URL through us and the request is refused. Which, honestly, is exactly what you want from a tool you trust to handle a link before it reaches your audience.

Frequently Asked Questions

Paste the URL into Google Safe Browsing's site status checker at transparencyreport.google.com/safe-browsing/search. If Google flags it, don't click. For a second opinion, run the same URL through VirusTotal at virustotal.com, which aggregates results from 70+ antivirus engines. If both come back clean, also look at the sender, the domain spelling, and whether you expected the message before tapping.

Usually no, if you only load the page and don't interact. Most damage happens when you enter credentials, download a file, or grant a permission on the destination page. That said, modern browser exploits sometimes target zero-day vulnerabilities that can compromise a device on page load alone, so it's still worth checking links before opening them.

Use a link expander like checkshorturl.com or unshorten.it to see the actual destination without visiting it. Many shorteners also support previewing by appending a + to the short URL (e.g., bit.ly/abc+). Once you know the destination, scan it with Google Safe Browsing or VirusTotal before clicking.

Can a URL contain a virus?

The URL itself can't contain malware - it's just text. But the page the URL leads to can serve malicious code, attempt browser exploits, or trick you into downloading something harmful. That's why scanning the destination matters more than scanning the link text.

What does HTTPS mean and is HTTP always unsafe?

HTTPS means the connection between your browser and the website is encrypted, so an attacker on the same network can't read your traffic. HTTP without the "S" sends data in plain text. In 2026, any login page, checkout, or form on HTTP is a red flag - virtually all legitimate sites have switched to HTTPS. HTTPS alone doesn't mean the destination is trustworthy though; phishing sites use HTTPS too.

Close the tab without interacting. If you entered a password, change it immediately and turn on two-factor authentication on that account and any account using the same password. If you entered payment information, call your bank and freeze the card. If you downloaded a file, delete it without opening and run a full malware scan. Then report the link to Google Safe Browsing's phishing report page.

The major scanners (Google Safe Browsing, VirusTotal, urlscan.io, PhishTank, NordVPN) are run by reputable security companies and are safe to use. Stick to well-known scanners with HTTPS and an established reputation. Be cautious of "free link checker" tools you've never heard of - some inject ads or harvest the URLs you submit.

Do URL shorteners scan destinations for safety?

The good ones do. U2L AI runs Google Safe Browsing checks plus AI moderation in parallel before issuing any short link. Bitly and TinyURL also screen destinations. Other less-careful shorteners don't, which is why some shortened links lead to abusive destinations. Sticking with reputable shorteners (and using a destination scanner regardless) is the safest path.

The short version: paste any link into Google Safe Browsing first, run it through VirusTotal for confirmation, and never enter credentials or payment info on a page you reached from an unsolicited message. The thirty seconds it takes to check is always cheaper than the recovery if you don't.

Want links you create to be safe by default for everyone you share them with? Create your free account on U2L AI - every link you shorten passes safety screening before it goes live, so the people on the other end of your messages get the same protection you'd give yourself.

Ready to try U2L AI?

Free forever plan. No credit card required.