Security
How to Read a Suspicious Link Before You Click
July 11, 2026 · 8 min read
The fastest way to check a link is to ignore how it looks and find one thing: the real domain. Most phishing works because people read the friendly words in a link — paypal, apple, the name of their bank — and skip the part that actually decides where they end up.
A web address has a specific structure, and only one piece of it tells you who owns the destination. Learn to spot that piece, the registrable domain, and read it from right to left, and you will catch the large majority of fake links in a couple of seconds — no tools required.
This guide breaks down the anatomy of a URL, the handful of tricks attackers reuse over and over (lookalike domains, the @ hack, punycode, and shorteners that hide the target), and a safe, no-click way to inspect anything you are unsure about.
Start here: the 30-second check
Before you learn the theory, here is the whole method in practice. When a link arrives — in email, a text, a DM, a QR code — run these steps in your head before you touch it.
None of this requires software. It is a habit, and once you have read the domain right to left a few times, it becomes automatic.
- Do not trust the text you see. In an email, the words "www.yourbank.com" can be a link that actually points somewhere else entirely.
- Find the real destination. Hover on a computer, long-press on a phone, or copy the link and paste it into a notes field — anything but clicking.
- Read the domain right to left. Find the ending (.com, .org, .ru), take the word just before it, and that pair is who owns the site.
- Ask if that owner makes sense. Should a message about your Netflix account really lead to netflix-billing-secure.com?
- When unsure, do not click. Type the site's address yourself, or use a bookmark. Never enter a password on a page you reached from a link you distrust.
Anatomy of a URL: which part actually matters
A URL looks like one long string, but it is really several fields joined together, and they are not equally trustworthy. Take a normal address like https://mail.google.com/u/0/inbox?tab=all — here is what each piece is doing.
The single field that tells you who controls the site is the registrable domain (here, google.com). Everything else can be dressed up to look reassuring, so train your eye to jump straight to that one part.
| Part | Example | What it tells you |
|---|---|---|
| Scheme | https:// | That the connection is encrypted — nothing about honesty |
| Subdomain | Anything the owner wants; attacker-controlled on a fake site, so ignore it for trust | |
| Registrable domain | google.com | Who actually owns the site — the part that matters |
| Path | /u/0/inbox | A page on that site; easy to fill with reassuring words like /secure or /login |
| Query | ?tab=all | Parameters; can carry tracking or a hidden redirect target |
The one rule that catches most fakes: read right to left
Domains are read from right to left, even though we write them left to right. The ending (the top-level domain, like .com or .org) comes first in importance, and the label immediately to its left is the owner's name. Together they form the registrable domain — the only part a legitimate brand can control and a phisher cannot borrow.
Everything to the left of that pair is a subdomain, and a site owner can set subdomains to absolutely anything. This is the trick behind most convincing fakes. Compare these two:
In login.amazon.com the ending is .com and the label before it is amazon, so the owner is amazon.com — real. In amazon.account-verify.com the ending is .com and the label before it is account-verify, so the owner is account-verify.com — a stranger who simply parked the word amazon in front. Same logic exposes paypal.com.secure-login.ru, whose true owner is secure-login.ru.
One caveat: some country endings use two labels. For .co.uk, .com.au and similar, the owner is a pair like bbc.co.uk rather than just co.uk. This is defined by the Public Suffix List, but in everyday reading you rarely go wrong by finding the brand name sitting immediately left of the final dotted suffix.
The tricks attackers reuse
Phishers are not endlessly creative — they recycle a small set of tactics. Once you recognize the shapes, they are hard to miss.
Lookalike and typo domains swap characters that resemble each other: paypa1.com uses a number 1 for the l, rnicrosoft.com uses r-n to fake an m, and amazoon.com just adds a letter. Wrong-TLD fakes keep the real name but change the ending, like apple.com becoming apple-support.co or a bare apple.net.
The @ trick abuses a real rule of URLs: anything between the scheme and an @ sign is treated as login info and ignored by the browser. So https://www.paypal.com@evil.example quietly visits evil.example — the paypal.com part is pure decoration. If a link that is not an email address contains an @, read what comes right after it.
Punycode (an IDN homograph attack) uses non-Latin letters that look identical to Latin ones — a Cyrillic а instead of a Latin a. The address can read аpple.com yet resolve to a completely different registration, shown as xn--pple-43d.com. If a familiar name suddenly displays with xn-- or subtly odd characters, that is your warning.
Shorteners (bit.ly, tinyurl, t.co) hide the destination entirely — you cannot judge a domain you cannot see, so expand it first. And do not lean on the padlock: HTTPS only means the connection is encrypted, and because certificates are free now, the large majority of phishing pages show a padlock too.
| Trick | Looks like | Actually goes to |
|---|---|---|
| Subdomain spoof | paypal.com.secure-login.ru | secure-login.ru |
| @ redirect | www.google.com@evil.example | evil.example |
| Typosquat | paypa1.com / rnicrosoft.com | a different registered domain |
| Wrong TLD | apple-support.co | not apple.com |
| Punycode | аpple.com (Cyrillic a) | xn--pple-43d.com |
| Shortener | bit.ly/3xR2k9 | hidden until you expand it |
| Raw IP address | http://34.201.10.4/login | an unnamed server, not a brand |
How to inspect a link without clicking it
When the domain is hidden or you simply want certainty, you can examine a link safely — no visit required. The golden rule underneath all of this: link text is not the link. In an HTML email, the clickable words can say one thing while the underlying address points somewhere else, so always verify the real destination, not the label.
These methods work on any device:
- Hover (desktop): rest your cursor on the link and read the true address in the status bar at the bottom of the window.
- Long-press (mobile): press and hold the link — a preview pops up showing where it leads, without opening it.
- Copy and paste: copy the link address and drop it into a notes app or plain text field so you can read the whole thing calmly.
- Expand shorteners: run a shortened or messy link through an expander that follows the redirects and shows the final domain. Adding a + to the end of many Bitly links also opens an info page with the real URL.
- Scan reputation: services like Google Safe Browsing, VirusTotal or urlscan.io can flag known-bad links and even show a screenshot without you visiting. Useful, but they miss brand-new phishing, so a clean result is reassurance, not proof.
Read the message, not just the link
A suspicious link almost never arrives alone — it comes wrapped in a message, and the wrapping is often more revealing than the URL. Phishing relies on emotion, usually urgency or fear, to make you skip the checks above.
Slow down when you see these signals, and treat the link as guilty until proven innocent:
- Urgency or threat: "Your account will be suspended in 24 hours," "Unusual sign-in detected, verify now."
- It was unexpected: a delivery you did not order, a refund you did not request, an invoice you do not recognize.
- Sender and link do not match: the email claims to be your bank but the link owner is some unrelated domain.
- It asks for secrets: passwords, card numbers, or one-time codes. Legitimate companies do not ask you to confirm a login or OTP through a link.
- Generic greeting and off details: "Dear Customer," odd grammar, or a brand logo that is slightly wrong.
If you already clicked or entered your details
Everyone slips eventually — the point is to limit the damage. If you entered credentials or personal information on a page you now suspect, act in minutes, not hours.
Work through this quickly and in order:
- Change the password on the real site — type the address yourself — and change it anywhere you reused the same one.
- Turn on two-factor authentication so a stolen password alone is not enough.
- If card or bank details were involved, call your bank, watch for charges, and freeze the card if needed.
- Revoke active sessions and any connected apps in your account's security settings.
- Run a malware scan if you downloaded or opened anything from the link.
- Report it — to your IT or security team, the impersonated company, or a national phishing-report address — so others are protected.
Frequently Asked Questions
No. HTTPS and the padlock icon only mean the connection to the site is encrypted, not that the site is honest. Because certificates are free now, the large majority of phishing pages show a padlock too. Treat https as the bare minimum and judge safety by the domain and the context of the message, not by the lock.
On a phone, long-press the link to preview the destination. On a computer, hover and read the status bar, or copy the link and paste it into a plain text field. To fully unwrap a shortened link, use a link expander that follows the redirects and shows the final address; adding a + to the end of many Bitly links also opens an info page with the real URL.
In a web address, anything between the scheme and an @ sign is treated as login information and ignored by the browser. So https://www.paypal.com@evil.example actually visits evil.example — the reassuring paypal.com part is just decoration. If you see an @ in a link that is not an email address, stop and read whatever comes right after it, because that is where you really go.
Domain names can include non-Latin characters, and some look identical to Latin letters — a Cyrillic а versus a Latin a, for example. An attacker registers a lookalike, so аpple.com appears normal but is really a different domain, shown as xn--pple-43d.com. Many browsers now display that xn-- form for mixed-script names; if a familiar brand suddenly renders with xn-- or subtly odd characters, do not trust it.
Read the host from right to left. Find the ending (.com, .org, .ru), then the word immediately before it — together they are the registrable domain that identifies the owner. In login.amazon.com the owner is amazon.com; in amazon.account-verify.com the owner is account-verify.com, a stranger. Everything left of that pair is a subdomain the owner can set to anything, so amazon.com.evil.net belongs to evil.net. Country endings like .co.uk use two labels (bbc.co.uk).
Act fast. If you entered a password, change it immediately on the real site by typing the address yourself, and change it anywhere you reused it. Turn on two-factor authentication. If card or bank details were involved, call your bank and watch for charges. Revoke active sessions and connected apps, run a malware scan if you downloaded anything, and report the message. Attackers move quickly, so minutes matter.
Related Tools
Paste a shortener or messy URL and see the real destination, redirects, and owning domain spelled out.
check a QR code before you open itDecode a QR code to reveal its hidden link so you can read the domain before your phone opens it.
create a strong password if you were caught outGenerate a long, unique password in seconds when you need to reset one after a close call.