How to Check If a Website Is Safe Before You Click

Phishing is still the most common way accounts get compromised. Not sophisticated technical attacks — just fake websites that look real enough for someone to enter their password. Checking a URL before clicking takes 10 seconds and prevents most of this.

Method 1: Inspect the URL Before Clicking

Hover over any link and look at the address shown in the bottom-left of your browser. This is the actual destination. The visible link text ('Click here to reset your password') can say anything — the URL it points to is what matters. Look for: correct domain name (amazon.com not amazon-secure.net), no extra subdomains before the real domain (paypal.update.com is NOT paypal.com), and no suspicious extensions.

Method 2: VirusTotal

virustotal.com lets you paste any URL and check it against dozens of security scanners simultaneously. Takes about 15 seconds. If something is flagged by even one engine, investigate before visiting. Free, no account needed, and more thorough than any single tool.

Method 3: Google Safe Browsing

safebrowsing.google.com/safebrowsing/report_badware — you can check any URL against Google's Safe Browsing database, which covers billions of URLs. This is the same database Chrome, Firefox, and Safari use for their built-in warnings. Direct access to it lets you check URLs you haven't visited yet.

Method 4: WHOIS Lookup

A domain registered two days ago delivering 'you've won a prize' emails is a red flag. WHOIS lookups show when a domain was registered and sometimes who owns it. Very new domains being used to send urgent communications are a strong phishing signal. icann.org/lookup does WHOIS checks for any domain.

What to Do If Something Seems Off

Don't visit the URL. Instead, navigate directly to the service's official website by typing it yourself. If an 'urgent email' claims to be from your bank, open a new tab and go to your bank's website directly. The message will be there if it's legitimate.