How to Check if a URL Is Safe
Not sure whether a link is trustworthy? The safest way to answer “is this URL safe?” is to check it before you visit — without ever loading the page. Opening a shady link even once can be enough to land on a phishing page or trigger a download, and you don’t always get a chance to back out. This guide shows you how to check if a URL is safe with a free URL checker, what a safety check actually looks at, and how to read a suspicious link yourself.
Check if a URL is safe now
Paste any link and get an instant Safe / Suspicious / Malicious verdict. Free, unlimited, no signup.
How to check if a URL is safe (free, no signup)
Verifying a link takes a few seconds and no account:
- Copy the link — don’t click it. Right-click and choose “Copy link address”, or long-press on mobile. Copying is safe; clicking is what puts you at risk.
- Open the URL checker (or paste it on the URLScans homepage).
- Paste the URL and check it.
- Read the verdict. You’ll get a clear Safe, Suspicious, or Malicious result, the score, and the exact reasons behind it.
That’s the whole process — a free URL check that runs against real threat intelligence instead of you gambling on a click.
What a URL safety check looks at
A good URL safety checker does far more than a single blocklist lookup. When you check a link with URLScans, it evaluates the destination across several independent signals:
- Google Safe Browsing — Google’s database of known malware, phishing, and unwanted-software URLs.
- PhishTank — a community-verified database of reported phishing pages.
- Threat-intelligence feeds of known-malicious domains, refreshed daily.
- Domain age & WHOIS — a domain registered days ago is far more likely to be a scam than one that has existed for years.
- SSL / HTTPS — whether the site serves a valid certificate over HTTPS (note: a padlock alone does not prove a site is legitimate).
- Typosquatting & look-alike domains — homoglyph and misspelled hostnames that impersonate a brand you trust.
- Redirect chains — it follows shorteners and hops to the real destination and checks that, so a link can’t hide where it actually sends you. You can also trace them yourself with the redirect checker.
Because these signals are weighed together, a URL safety check catches risks that any single lookup would miss — and it explains why a link was flagged.
How to read a URL yourself
You can spot a lot before you ever run a check. The trick is knowing which part of a URL actually matters — scammers count on you glancing at the wrong piece.
- Find the real domain. It’s the part just before the first single slash. In
https://paypal.com.secure-login.xyz/verify, the real domain issecure-login.xyz— not PayPal. - Watch for brand names in subdomains. Anything before the real domain is just a label the attacker chose.
paypal.login.example.comisexample.com, not PayPal. - Look for look-alike characters.
paypa1.com(a digit “1”),rnicrosoft.com(“rn” posing as “m”), or accented letters that mimic the real name. - Be wary of cheap or brand-new TLDs. Plenty of scams live on
.top,.xyz,.zip, or a domain registered this week. - Distrust an
@in the URL. Inhttps://[email protected]/login, everything before the@is ignored — you actually go toevil.site. - Expand shorteners. A
bit.lyort.colink hides its destination. Reveal it with the short URL expander, and confirm a look-alike with the typosquatting detector.
Red flags that a URL is not safe
Even a valid-looking link deserves a check when it comes with any of these:
- Urgency or reward bait — “your account will be suspended”, “you’ve won”, “act within 24 hours”.
- A credential or login prompt — an unexpected page asking for your password, banking, or payment details.
- An unexpected download — a link that immediately tries to save an
.exe,.apk,.scr, or password-protected.zip. - A mismatched domain — the link text says one brand but the real domain (before the first single slash) says something else entirely.
See any of these? Don’t click — check the URL first.
Check a URL on mobile
Most risky links now arrive on a phone — in an email, an SMS, a chat message, or behind a QR code — where the full address is easy to miss. Instead of tapping, long-press the link and choose Copy, then paste it into the URL checker in your mobile browser. It works exactly the same as on desktop, so you can verify a “delivery problem” text or a QR code on a flyer before it ever opens.
Frequently asked questions
How do I check if a URL is safe?
Copy the full link without clicking it, then paste it into a URL checker. URLScans checks the URL against Google Safe Browsing, PhishTank, threat-intelligence feeds, and dozens of signals (domain age, SSL, typosquatting, redirect chains) and returns an instant Safe / Suspicious / Malicious verdict at urlscans.com/url-checker — you never have to visit the page yourself.
Is there a free URL checker?
Yes. URLScans is a free URL checker with no signup and no daily limit. Paste any link at urlscans.com/url-checker and you get an instant verdict with the score and the exact reasons behind it. A free API key (1,000 checks/month, no credit card) is also available at urlscans.com/register.
Can I check a URL without clicking it?
Yes — that is the whole point. You only paste the link; you never load the page. The checker evaluates the URL against threat intelligence and structural signals, so you find out whether it is safe before you are ever exposed to a malicious page or drive-by download.
How do I check if a website is safe on my phone?
Long-press the link in your email, SMS, or chat app and choose Copy, then open urlscans.com/url-checker in your mobile browser and paste it. The checker works the same on mobile as on desktop, so you can verify a link from a text or QR code before you tap it.
What makes a URL unsafe?
A URL is risky when it hides its real destination (shorteners, redirect chains), imitates a trusted brand with a look-alike or subdomain trick, sits on a brand-new or cheap domain, prompts you to log in or download something unexpected, or uses urgency and reward bait. A URL safety checker weighs all of these together instead of relying on one signal.
Check any URL before you visit
Verify any link for phishing, malware, and scams — free and unlimited, no account required.
Check a URL now