Phishing Link Checker
Someone sent you a link? Paste it here and find out if it's safe to click — a free scan for phishing, malware, and scam flags.
How to spot a phishing link before you click
Phishing links succeed by looking one glance away from legitimate. These are the six tricks behind most of them — if the link in front of you matches any of these patterns, scan it first.
The domain is almost right
paypa1.com
A digit for a letter, a doubled character, rn instead of m. Typosquatters count on you skimming — read the domain character by character.
The real domain hides at the end
paypal.com.secure-check.xyz
Only the domain just before the first slash identifies the owner. Here that's secure-check.xyz — everything in front is stage dressing.
The link is shortened
bit.ly/3xK9…
Shorteners hide the destination completely. Fine in a newsletter you trust; a red flag in an unexpected text about a package or a toll.
The message wants panic, not thought
“Your account will be closed in 24 hours”
Urgency is the engine of every phish. Deadlines, threats, and jackpot prizes all serve one purpose: making you click before you check.
The text and the URL disagree
“Visit chase.com” → hover shows another site
Link text is just text. Hover on desktop or press and hold on mobile to reveal the real destination before you commit a click.
A login page you didn't navigate to
Email → “Sign in to continue”
Credential harvesting needs you to type your password on their page. When an email leads to a login form, close it and sign in from your bookmark instead.
What the scan checks
The checker evaluates the link the way mailbox providers and security filters do — against reputation data, not appearances.
Phishing & malware blocklists
The URL and its domain are checked against major threat-intelligence databases that track live phishing campaigns and malware hosts.
Domain reputation signals
The domain behind the link is scored on its history — spam associations, abuse reports, and how mailbox providers and filters treat it.
The true destination
Shorteners and redirect chains are resolved so the verdict applies to the page you'd actually land on, not the wrapper you were shown.
A verdict you can act on
Instead of a wall of raw data, you get a clear read: flagged as dangerous, suspicious, or clean — before the link is ever opened.
Clicked a phishing link? Do this now
A click alone is rarely a catastrophe. Work through these four steps calmly, in order.
Stop and enter nothing
Close the page. Clicking is rarely the damage — typing your password or card number is. If you entered nothing, you're most likely fine.
Change any password you typed
Do it from a device you trust, starting with the affected account and anywhere that password is reused. Turn on two-factor authentication while you're there.
Scan the device
If you downloaded a file or the site tried to install something, run a full antivirus scan before you keep working.
Warn and watch
Report the message to your IT team or mail provider, and keep an eye on bank statements and login alerts over the following weeks.
Want the full walkthrough? What to do if you clicked on a phishing link covers each step in detail, and What is phishing? explains how these attacks work.
Checking your own links instead? If you're a sender auditing how spam filters see the URLs in your emails and pages, run a URL reputation check on your domain.
Phishing link safety knowledge base
The tricks scammers use to make a malicious link look safe — and the terms you'll see in scan results.
- Phishing
- A social-engineering attack where a scammer poses as a brand or person you trust — your bank, Microsoft, a coworker — to trick you into clicking a link, opening an attachment, or handing over credentials and payment details. Email is the most common channel, but the same lure works over SMS, chat apps, and social media.
- Spear phishing
- Phishing aimed at one specific person or company instead of a mass audience. The message references real names, projects, or invoices to feel legitimate, which makes the link inside far more likely to be clicked. High-value targets like finance teams and executives (whaling) see the most of it.
- Smishing
- Phishing delivered by SMS or messaging apps — fake delivery notices, toll fees, or bank alerts with a short link. Phone screens hide most of the URL and shorteners hide the rest, so smishing links deserve a scan before you tap, not after.
- Typosquatting
- Registering a domain that is one keystroke away from a real one — paypa1.com, arnazon.com, gooogle.com — and waiting for misreads and mistypes. Typosquatted domains host login pages that look pixel-identical to the real site, which is why the domain spelling matters more than the page design.
- Lookalike domain
- Any domain crafted to pass for a brand’s real one: swapped characters (homoglyphs like rn for m), extra words (paypal-security.com), or the brand used as a subdomain of a domain the attacker owns (paypal.com.verify-account.xyz). The only part that identifies the real owner is the registered domain at the right-hand end of the hostname (here verify-account.xyz); everything left of it is decoration.
- Punycode / IDN spoofing
- Internationalized domain names let Unicode characters appear in URLs, and some — like the Cyrillic а — are indistinguishable from Latin letters on screen. Browsers encode these domains as punycode (xn--…), so аpple.com can hide behind what renders as apple.com. Scanners compare the encoded form, which is immune to the visual trick.
- URL shortener
- Services like bit.ly or tinyurl.com that wrap a long URL in a short redirect. Legitimate and common in marketing, but they hide the destination completely, so phishing campaigns use them to slip malicious domains past both people and filters. A link checker follows the redirect and evaluates where you would actually land.
- Open redirect
- A flaw on a legitimate website that lets a URL bounce visitors to any external address, e.g. trusted-site.com/redirect?url=evil.site. Attackers love these because the visible link starts with a domain you trust while the landing page is theirs. Scanning the final destination, not the first hop, is what catches it.
- Credential harvesting
- The goal of most phishing links: a fake login page that collects the username, password, and sometimes the MFA code you type, then often forwards you to the real site so nothing seems wrong. Clicking the link rarely does damage by itself — the harvest happens when you submit the form.
- Drive-by download
- Malware that installs from simply loading a malicious page, usually by exploiting an outdated browser or plugin. Rare on patched devices but the reason a suspicious link is safer scanned than opened, and why keeping your browser current is real protection rather than busywork.
- Blocklist / blacklist
- Curated databases of URLs, domains, and IPs observed hosting phishing, malware, or spam — the backbone of link-reputation scanning. Browsers, mail providers, and security tools consult them before letting traffic through. A hit on a major blocklist is a strong danger signal; a clean result is reassuring but not a guarantee, since brand-new phishing sites take time to get listed.
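The URL-level tricks described above (typosquatting, the brand used as a subdomain, punycode, shorteners, open-redirect parameters) can be flagged from the link string alone. The following is an added Python example, not code from this page or from the checker it describes; the brand and shortener lists, the redirect parameter names and the flag names are assumptions, and the last-two-labels rule stands in for a Public Suffix List lookup.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed demo watch lists; a production checker uses far larger ones.
BRANDS = {"paypal", "amazon", "google", "chase"}
SHORTENERS = {"bit.ly", "tinyurl.com"}
REDIRECT_KEYS = {"url", "next", "redirect", "dest", "continue"}
CONFUSABLES = (("rn", "m"), ("1", "l"), ("0", "o"))

def host_of(value):
    """Lower-cased hostname of a URL, tolerating a missing scheme."""
    if not re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", value):
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()

def registered_domain(host):
    """Naive last-two-labels rule; suffixes like co.uk need the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def skeleton(label):
    """Undo common look-alike swaps, then collapse repeated characters."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return "".join(c for i, c in enumerate(label) if i == 0 or c != label[i - 1])

def check_url(url):
    """Return (registered domain, sorted red flags) for one pasted link."""
    try:
        host = host_of(url).encode("idna").decode("ascii")  # Unicode -> xn-- form
    except UnicodeError:
        return "", ["invalid-hostname"]
    labels = host.split(".")
    reg, name, flags = registered_domain(host), labels[-2:][0], set()
    if any(label.startswith("xn--") for label in labels):
        flags.add("punycode")
    if reg in SHORTENERS:
        flags.add("shortener")
    if name not in BRANDS:
        if skeleton(name) in {skeleton(b) for b in BRANDS}:
            flags.add("typosquat")
        elif any(b in name for b in BRANDS):
            flags.add("brand-plus-extra-words")
        if BRANDS & set(labels[:-2]):
            flags.add("brand-in-subdomain")
    for key, value in parse_qsl(urlsplit(url).query):
        target = registered_domain(host_of(value))
        if key.lower() in REDIRECT_KEYS and "." in target and target != reg:
            flags.add("redirect-parameter")
    return reg, sorted(flags)
```

The function only inspects the string and never fetches the link, so it complements blocklist lookups and redirect resolution rather than replacing them.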