How to tell if a URL is safe — a practical 2026 guide
A no-jargon walkthrough of what makes a URL suspicious, what tools to use, and how to spot phishing in seconds. With real examples and free tools you can use right now.
You got a link in an email, a Slack DM, or a text message. It looks like it might be legit — but something feels off. Before you click, here's how to tell if a URL is safe — without installing anything, without a security degree, and in under 30 seconds.
The 30-second checklist
Look at the URL — really look at it. Phishers count on you skimming. The most common red flags, in order:
- The domain doesn't match the brand. "paypa1.com" instead of "paypal.com". "micr0soft-secure.com" instead of "microsoft.com". Read the part right before the first single slash carefully — that's the domain.
- Cheap TLD. .tk, .ml, .ga, .cf, .xyz, .top are all overrepresented in phishing campaigns. Legitimate brands almost never use them.
- Extra words after the brand name. "paypal-secure-login.com" is not paypal.com. "google-support.tk" is not Google. Phishers count on you stopping reading after the brand name.
- Long random-looking subdomains. "paypal.com.verify-account-29384.tk" — the actual domain is the part right before the TLD, not the brand name shoved into a subdomain.
- URL shorteners on a security-sensitive message. bit.ly, t.co, tinyurl when the sender is supposedly your bank. Real banks don't shorten their links.
- Mismatched display text and actual href. The link says "www.bank.com" but hovering shows a totally different URL underneath.
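The checklist above, turned into a small script so you can see how each red flag is decided mechanically. This is an added example, not PhishGuard's code; the brand list and the digit-to-letter table are constructed samples, and the "registered domain" is approximated as the last two labels (a real scanner would use the Public Suffix List).

```python
from urllib.parse import urlparse

# Constructed sample lists for the example; a real scanner uses far larger ones.
KNOWN_BRANDS = {"paypal", "microsoft", "google"}
CHEAP_TLDS = {"tk", "ml", "ga", "cf", "xyz", "top"}      # from the checklist above
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}           # from the checklist above
# Digits phishers swap in for the letters they resemble (constructed table).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, lowercased."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")

def registered_domain(host: str) -> str:
    """The part right before the first single slash that actually matters.
    Approximation: last two labels; production code uses the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def red_flags(url: str, sender_is_sensitive: bool = False) -> list[str]:
    """Apply the checklist to one URL and return the red flags it trips."""
    host = host_of(url)
    labels = host.split(".")
    reg = registered_domain(host)
    name, _, tld = reg.rpartition(".")
    plain = name.translate(LOOKALIKES)   # "paypa1" -> "paypal", "micr0soft-x" -> "microsoft-x"
    flags = []
    if plain in KNOWN_BRANDS and name != plain:          # paypa1.com
        flags.append(f"lookalike domain: {reg} imitates {plain}.{tld}")
    for brand in KNOWN_BRANDS:                            # paypal-secure-login.com
        if brand in plain and plain != brand:
            flags.append(f"brand '{brand}' embedded in registered domain {reg}")
    if any(lbl in KNOWN_BRANDS for lbl in labels[:-2]):   # paypal.com.verify-account-29384.tk
        flags.append(f"brand in subdomain; the real domain is {reg}")
    if tld in CHEAP_TLDS:
        flags.append(f"cheap TLD .{tld}")
    if reg in SHORTENERS and sender_is_sensitive:
        flags.append("shortened link from a supposedly security-sensitive sender")
    return flags

def display_mismatch(link_text: str, href: str) -> bool:
    """True when the visible link text names one domain but the href goes elsewhere."""
    shown = host_of(link_text)
    return "." in shown and registered_domain(shown) != registered_domain(host_of(href))

if __name__ == "__main__":
    for u in ["https://www.paypal.com/signin", "paypa1.com",
              "paypal.com.verify-account-29384.tk", "https://bit.ly/abc123"]:
        print(u, "->", red_flags(u, sender_is_sensitive=True) or ["no flags"])
```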
What's actually safe to do before you click
Three things, in order of effort:
1. Hover (or long-press) before clicking
On desktop, hovering over a link shows the actual destination in the bottom-left of your browser. On mobile, long-press the link to preview where it goes. This is the single highest-value habit you can build — it costs nothing and catches 80% of phishing.
2. Paste it into a URL scanner
Don't visit the URL — paste it into a scanner. A good scanner checks the URL against multiple threat-intel databases and analyzes the page content without you needing to visit it.
PhishGuard cross-references 10+ sources including Google Safe Browsing, VirusTotal (70+ AV engines), URLhaus, lookalike-domain detection, and Claude AI page-content analysis. Free, 5 scans/day, no signup.
3. If it's wrapped or shortened, unwrap it
Some links are obfuscated on purpose. Microsoft Safe Links wraps URLs in their own domain. Proofpoint URL Defense does the same. Shorteners like bit.ly add another redirect. To see the actual destination, paste the wrapped link, get the final destination, then decide if you want to scan it or trust it.
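An added example (not PhishGuard's unwrapper) that peels the two wrappers named above offline, without following any redirect. It assumes the Safe Links form with the original URL percent-encoded in the `url` query parameter, and the Proofpoint URL Defense v2 form with the original in the `u` parameter, `/` written as `_` and `%` written as `-`; both sample wrapped links are constructed.

```python
from urllib.parse import parse_qs, unquote, urlparse

SAFELINKS_HOST = "safelinks.protection.outlook.com"

def unwrap(url: str) -> str:
    """Peel one wrapper layer; return the URL unchanged if it is not wrapped."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    # Microsoft Safe Links: the original URL is percent-encoded in the 'url' parameter
    # (parse_qs has already percent-decoded it for us).
    if (host == SAFELINKS_HOST or host.endswith("." + SAFELINKS_HOST)) and "url" in query:
        return query["url"][0]
    # Proofpoint URL Defense v2 (assumed scheme): 'u' holds the original URL with
    # '/' written as '_' and '%' written as '-', e.g. https-3A__example.com_login
    if host == "urldefense.proofpoint.com" and parts.path.startswith("/v2/url") and "u" in query:
        raw = query["u"][0]
        return unquote(raw.replace("_", "/").replace("-", "%"))
    return url

def unwrap_all(url: str, limit: int = 5) -> str:
    """Wrappers can be nested (a Safe Link around a Proofpoint link around a shortener);
    keep peeling until nothing changes, with a cap so a loop cannot run forever."""
    for _ in range(limit):
        inner = unwrap(url)
        if inner == url:
            return url
        url = inner
    return url

# Constructed sample wrapped links for the example.
SAMPLE_SAFELINK = ("https://nam02.safelinks.protection.outlook.com/?url="
                   "https%3A%2F%2Fexample.com%2Flogin%3Fx%3D1&data=ignored")
SAMPLE_PROOFPOINT = ("https://urldefense.proofpoint.com/v2/url?"
                     "u=https-3A__example.com_login-3Fx-3D1&d=ignored&c=ignored")

if __name__ == "__main__":
    print(unwrap_all(SAMPLE_SAFELINK))
    print(unwrap_all(SAMPLE_PROOFPOINT))
```

Once you have the bare destination, run it through the checklist or a scanner before deciding to trust it.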
Why "https + padlock = safe" is wrong
You've probably heard "look for the padlock" or "check for https." That advice is from 2010 and it's now actively harmful. Modern phishing sites use HTTPS too — Let's Encrypt issues free certificates in seconds, and 90%+ of new phishing sites have a valid certificate.
The padlock means the connection between you and the server is encrypted. It says nothing about whether the server is run by phishers. Look at the actual domain instead.
What about emails?
Emails add a second axis — the sender. Even if every URL in an email is clean, the email itself might be a scam. Three things to check:
- Does the sender's display name match the sender's actual address? "PayPal Security" sending from "support@mailer-32fk.tk" is a giant red flag.
- Does the email use urgency? "Your account will be suspended in 24 hours" or "final notice" are pressure tactics that exist to make you skip the URL check.
- Does it ask you to click and then type a password? That combination — click + credentials — is almost always credential harvesting.
What if the domain is real but the page looks wrong?
This is the hardest case — a compromised legitimate site. The URL is real (and old, and registered to the real brand) but the page itself has been replaced with a phishing payload. This happens with old, abandoned WordPress sites all the time.
Three things to do:
- Check the page age. If google.com or microsoft.com suddenly shows a login page that doesn't match their normal UX, that's worth a pause.
- Check if the form posts to the same domain. If you're on company.com and the login form posts to attacker-server.tk, that's a clear hijack.
- Run the URL through a content-aware scanner. AI page analysis catches this — Claude can read the page text and notice it doesn't match the domain.
Free tools we actually recommend
There are more URL scanners than there are good ones. Tools we've tested and trust:
- PhishGuard (you're here) — 10+ sources, transparent, free 5/day, $9/mo Pro with API
- VirusTotal — Google-owned, 70+ AV engines, free with rate limits
- URLhaus (abuse.ch) — community-curated malware URL database, free public feed
- Google Safe Browsing — built into Chrome, Firefox, Safari (you already have it)
Bottom line
Before you click any link from an unexpected source: hover or long-press, read the domain carefully, and paste it into a scanner if anything feels off. The 10 seconds it takes will save you a credential reset (or worse) more times than you'd think.