A single click is all most attacks need. The median person clicks a phishing link about 21 seconds after a message arrives, and links remain the most common delivery method for scams. [1] The good news is that a link almost always reveals its true destination if you know how to look — before you commit to clicking.
1. Preview the real destination
The text of a link and where it actually goes are two different things. “www.yourbank.com” can point anywhere.
- On a computer: hover your mouse over the link (don’t click) and look at the bottom-left of the browser or email window — the true address appears there.
- On a phone: press and hold the link until a preview pops up showing the full URL. Read it before you let go.
If the previewed address doesn’t match the company it claims to be from, stop.
2. Read the address the right way
Find the part just before the first single slash. The real domain is the last name before that slash, together with its ending (such as .com or .ru):
- login.microsoft.com/account — really Microsoft.
- microsoft.com.account-verify.ru/login — not Microsoft; the real domain is account-verify.ru.
Watch for look-alikes: a zero for an “o,” an “rn” that reads as “m,” or an extra word bolted on (apple-support-id.com).
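The reading rule above can be written as code. This is an added example, not anything from SafeToOpen: it pulls the host out of a link, reads the real domain from the right, and compares it with the brand the link claims to be. The function names, the short list of two-part endings and the substitution table are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: a small sample of two-part endings. Production code should
# load the full Public Suffix List instead.
TWO_PART_ENDINGS = {"co.uk", "com.au", "co.nz", "com.br"}
# Constructed substitution table, based on the look-alikes named in the text.
CONFUSABLES = (("rn", "m"), ("0", "o"), ("1", "l"))


def host_of(link: str) -> str:
    """Host part of a link: everything before the first single slash."""
    if not re.match(r"[a-z][a-z0-9+.-]*://", link, re.I):
        link = "http://" + link  # urlsplit needs a scheme to find the host
    return (urlsplit(link).hostname or "").rstrip(".").lower()


def real_domain(link: str) -> str:
    """Registrable domain: the last labels of the host, read right to left."""
    labels = host_of(link).split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_PART_ENDINGS else 2
    return ".".join(labels[-keep:])


def skeleton(domain: str) -> str:
    """Collapse common visual substitutions so look-alikes compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def classify(link: str, brand_domain: str) -> str:
    """Compare where a link really goes with the brand it claims to be."""
    domain = real_domain(link)
    if domain == brand_domain:
        return "match"
    if skeleton(domain) == skeleton(brand_domain):
        return "look-alike"
    brand_name = brand_domain.split(".")[0]
    if brand_name in re.split(r"[.-]", host_of(link)):
        return "brand name on another domain"
    return "different"


if __name__ == "__main__":
    # The two sample links from the text, checked against microsoft.com.
    for link in ("login.microsoft.com/account", "microsoft.com.account-verify.ru/login"):
        print(f"{link} -> {real_domain(link)}: {classify(link, 'microsoft.com')}")
```

Anything other than "match" means the link does not go to the organisation it names.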
3. Expand shortened links
Shorteners like bit.ly or t.co hide the destination completely — convenient for sharing, perfect for hiding a scam. Don’t tap a shortened link from a source you don’t trust. If you must check one, a link-expander or URL-scanner service can reveal the true target without you visiting it.
4. Don’t trust the padlock as proof
HTTPS (the padlock) only means the connection is encrypted — not that the site is honest. Around 80% of phishing sites now use HTTPS, precisely because people were taught to look for it. [2] Treat it as the bare minimum, never as a green light.
5. Be extra careful with links in messages
Links inside emails and texts deserve more suspicion than ones you find yourself, because the message can manufacture urgency and impersonate a brand. If a link claims to be from your bank, courier, or employer, the safest move is to ignore it and reach the organisation independently — type their address or open their app. This one habit defeats most phishing.
6. When you can’t tell, scan it
Some links are genuinely hard to judge — a clean-looking domain registered yesterday has no bad reputation yet, so it won’t appear on any blocklist. This is where automated checking earns its place. Rather than gambling on a click, let a tool analyse the destination — its structure, behaviour and domain age — and tell you whether it’s safe.
SafeToOpen does this at the two moments links arrive: its Browser Security inspects a page as it loads and blocks it if it’s malicious — even a brand-new one — and its Email Security checks the links (and QR codes) inside a message before you ever click.
The takeaway
Preview every link’s true destination, read the real domain, expand shortened links, ignore the padlock-as-proof, and treat links in messages with extra caution. For the ones you genuinely can’t judge — including brand-new pages no blocklist knows yet — let real-time scanning make the call instead of your thumb.