Before You Click That Link — Read This.
Every day, on every device, you are presented with links. In emails, in text messages, in social media posts, in search results, in documents, in chat applications. Clicking links is so fundamental to how the internet works that most people do it reflexively — without hesitation, without inspection, without a moment’s thought about where the link actually goes.
That reflex is one of the most exploited vulnerabilities in digital security. Not because the technology is sophisticated. Because the habit is automatic.
Phishing attacks — fraudulent links designed to steal credentials, install malware, or redirect you to fake websites — were responsible for over 80 percent of reported security incidents worldwide in 2025. The majority of those attacks succeeded not because the victim lacked security software, but because they clicked without looking. The solution is not complicated. It is a habit. And like all habits, it can be built.
What a Malicious Link Actually Looks Like
Malicious links have evolved significantly. The days when a fraudulent URL was obviously wrong — misspelled, poorly formatted, visibly suspicious — are largely over. Modern phishing links are carefully constructed to look legitimate at a casual glance. Understanding the common techniques attackers use is the first step to seeing through them.
Typosquatting. The attacker registers a domain that is one character different from the legitimate one. paypa1.com instead of paypal.com. arnazon.com instead of amazon.com. The letter pair rn is often used to mimic the letter m at a glance. These domains look identical to the real thing at normal reading speed and require deliberate attention to catch.
Subdomain spoofing. A legitimate-looking subdomain is placed in front of a malicious domain. The link reads paypal.com.secure-login.net — your eye lands on paypal.com and registers it as familiar. But the actual domain — the part that matters — is secure-login.net, which has nothing to do with PayPal. The domain that counts is always the rightmost part of the host name, the section just before the first single slash, read from the right.
URL shorteners. Services like bit.ly, tinyurl.com, and hundreds of similar tools compress long URLs into short, opaque links. This is legitimate and useful in many contexts. It is also a standard tool for concealing the true destination of a malicious link. A shortened link reveals nothing about where it goes until after you have clicked it.
HTTPS does not mean safe. The padlock icon in your browser and the https prefix indicate that the connection between your browser and the website is encrypted. They say nothing about whether the website itself is legitimate or malicious. Phishing sites routinely use HTTPS. A padlock on a fake banking site means your credentials will be securely transmitted to the attacker. It is not a safety indicator.
Redirect chains. A link may go through multiple redirects before landing on its final destination — each intermediate step passing through a legitimate-looking domain to obscure the true endpoint. The URL you see when you hover over the link may not be the URL where you actually end up.
The real domain in any URL is the rightmost part of the host name — the text between the :// and the first single forward slash, read from the right. Labels further to the left are subdomains. Everything to the right of that slash is a path. Paypal.com.suspicious-site.com is not a PayPal domain. It is suspicious-site.com with paypal.com as a subdomain.
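To make the rule concrete, here is a small inspector that applies the checks above to a URL: it isolates the host name, derives the registrable domain, and flags known shorteners, brand names sitting in a subdomain, and character-substitution lookalikes. This is an added example, not code from the article; the brand list, shortener list, suffix list and homoglyph table are constructed stand-ins, and the suffix handling is a deliberately tiny approximation of the public suffix list that real tools use.

```python
"""Inspect a URL the way the article recommends: find the registrable domain,
then flag shorteners, subdomain spoofing and character-substitution lookalikes.
Added example; every list below is a constructed stand-in, not production data."""
from urllib.parse import urlsplit

# Constructed: brands we expect to see, and the domain that legitimately serves each.
EXPECTED_DOMAINS = {"paypal": "paypal.com", "amazon": "amazon.com"}
# Constructed: a few shortener domains (the article names the first two).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Assumption: a tiny stand-in for the public suffix list used by real checkers.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Characters attackers swap for look-alikes, mapped back to what they imitate.
# Multi-character pairs come first so "rn" is undone before single characters.
HOMOGLYPHS = {"rn": "m", "vv": "w", "1": "l", "0": "o"}


def registrable_domain(host):
    """Return the part of the host name that identifies who controls it."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    suffix = ".".join(labels[-2:])
    if suffix in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return suffix


def normalize_lookalikes(label):
    """Undo common substitutions so paypa1 -> paypal and arnazon -> amazon."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def inspect_url(url):
    """Return host, registrable domain, path and a list of findings for one URL."""
    if "://" not in url:
        url = "http://" + url  # urlsplit only finds the host when a scheme is present
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    findings = []
    if domain in SHORTENERS:
        findings.append("shortener: destination is hidden until expanded")
    for brand, real_domain in EXPECTED_DOMAINS.items():
        if domain == real_domain:
            continue  # the brand really is the registrable domain: nothing to flag
        if brand in host:
            # Familiar name in the host, but the controlling domain is something else.
            findings.append(f"subdomain spoofing: '{brand}' in host, domain is {domain}")
        second_level = domain.split(".")[0]
        if second_level != brand and normalize_lookalikes(second_level) == brand:
            findings.append(f"lookalike: {domain} imitates {real_domain}")
    return {"host": host, "domain": domain, "scheme": parts.scheme,
            "path": parts.path, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links covering the cases described in the article.
    for link in ["https://www.paypal.com/myaccount",
                 "https://paypal.com.secure-login.net/signin",
                 "http://paypa1.com/login",
                 "https://arnazon.com/deals",
                 "https://bit.ly/abc123"]:
        r = inspect_url(link)
        print(f"{link:45} domain={r['domain']:22} {r['findings'] or 'no findings'}")
```

The padlock and scheme are reported but never used as a safety signal, in line with the HTTPS point above. Two limits worth knowing: the homoglyph table covers only ASCII substitutions (Unicode look-alike domains need a confusables table), and a two-label suffix guess will mis-split hosts under suffixes not in the stand-in list, which is why real checkers carry the full public suffix list.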
How to Check a Link Before Clicking
The tools and techniques for verifying a link before clicking it are free, fast, and require no technical expertise. Here is a layered approach — use as many of these as the situation warrants.
Hover before you click. On desktop, hovering your cursor over a link without clicking reveals the destination URL in the bottom left corner of your browser. Read it carefully. Look at the actual domain — not the display text, not the subdomain, but the core domain immediately before the first slash. Does it match where you expect to go? If not, do not click.
Expand shortened URLs. Before clicking any shortened link, paste it into a URL expander. Free tools like unshorten.it, expandurl.net, and CheckShortURL reveal the full destination of any shortened link before you visit it. This takes ten seconds and eliminates one of the most common methods of concealing malicious destinations.
Use a link checker. Free link scanning tools allow you to paste any URL and check it against threat intelligence databases before visiting. Reliable options include Google Safe Browsing at transparencyreport.google.com, VirusTotal at virustotal.com, URLVoid at urlvoid.com, and Norton Safe Web at safeweb.norton.com. These services cross-reference the URL against known phishing databases, malware blacklists, and reputation systems. Most return a result in seconds.
Navigate directly rather than clicking. When a link purports to be from your bank, your email provider, a government agency, or any service where your credentials or financial information are involved — do not click the link at all. Open a new browser tab, type the organization’s web address directly, and navigate to the relevant section from there. If the email or message was legitimate, you will find what it referenced. If it was not, you have avoided the trap entirely.
Check the domain registration. Tools like whois.domaintools.com allow you to look up when a domain was registered. Legitimate organizations have domains that have existed for years. A domain registered within the last few days or weeks — even if it looks convincing — is a strong indicator of a phishing operation. Attackers regularly register new domains for specific campaigns and abandon them quickly.
On mobile, press and hold. On smartphones, pressing and holding a link rather than tapping it opens a preview menu that shows the destination URL before you visit it. This is the mobile equivalent of hovering on desktop and should be standard practice for any link that arrives unsolicited.
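The redirect-chain and shortener points above share one practical question: where does a link finally land? The following resolver answers it hop by hop with HEAD requests, which fetch only headers and never render a page, and stops when a chain loops or runs too long. This is an added example, not code from the article or from any expander service named in it; the redirect table, host names and the injectable fetch function are constructed so the logic can run offline.

```python
"""Resolve a link's redirect chain hop by hop with HEAD requests, so the final
destination is known before any page is rendered in a browser.
Added example: the redirect table and hosts below are constructed, and `fetch`
is injectable so the chain logic runs without network access."""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 10  # an endless or absurdly long chain is itself a warning sign


def head_request(url, timeout=5):
    """Real fetcher: one HEAD request, no body, no automatic redirect following.
    Returns (status, Location header or None)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path, headers={"User-Agent": "link-inspector/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def follow_redirects(url, fetch=head_request, max_hops=MAX_HOPS):
    """Return (hops, complete). hops lists every URL in order; complete is False
    when the chain looped or exceeded max_hops."""
    hops = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return hops, True
        url = urljoin(url, location)  # Location may be relative to the current hop
        hops.append(url)
        if url in seen:
            return hops, False  # loop: the chain never lands anywhere
        seen.add(url)
    return hops, False


def hosts_in_chain(hops):
    """The host of each hop, which shows a familiar name being used as a waypoint."""
    return [urlsplit(h).hostname for h in hops]


# Constructed chain: a shortener, then a hop whose host name carries a familiar
# brand, then the real landing page. None of these hosts are real services.
CONSTRUCTED_CHAIN = {
    "https://short.example/x9k2": (302, "https://paypal.com.secure-login.example/go"),
    "https://paypal.com.secure-login.example/go": (301, "/landing"),
    "https://paypal.com.secure-login.example/landing": (307, "https://final-landing.example/login"),
    "https://final-landing.example/login": (200, None),
    # A two-node loop, to exercise the loop check.
    "https://loop.example/a": (302, "https://loop.example/b"),
    "https://loop.example/b": (302, "https://loop.example/a"),
}


def fake_head(url):
    """Offline stand-in for head_request, driven by the constructed table."""
    return CONSTRUCTED_CHAIN.get(url, (404, None))


def demo(start="https://short.example/x9k2"):
    """Resolve the constructed chain and report hops, hosts and completion."""
    hops, complete = follow_redirects(start, fetch=fake_head)
    return {"hops": hops, "hosts": hosts_in_chain(hops), "complete": complete}


if __name__ == "__main__":
    result = demo()
    for i, (url, host) in enumerate(zip(result["hops"], result["hosts"])):
        print(f"hop {i}: {host:35} {url}")
    print("complete:", result["complete"])
```

Pass a real URL to follow_redirects with the default fetch to use it for live links. One caveat belongs next to that: a HEAD request still tells the link's owner that someone touched it (shorteners count clicks, and some sites answer HEAD differently from GET), so for a link you already distrust, the expander and scanner services listed above are the quieter choice. The constructed chain also shows the redirect-chain point from earlier: the second hop's host contains paypal.com, yet its registrable domain and the final landing host have nothing to do with PayPal.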
The QR Code Problem
QR codes present a specific challenge because they are inherently opaque — the URL they contain is not visible until after the code is scanned. This makes them an increasingly popular vector for what is now called quishing — QR code phishing.
Most modern smartphone cameras display a URL preview before opening it when you scan a QR code. Read that preview carefully before proceeding. If the URL looks unfamiliar, contains a shortened link, or does not match the organization associated with the QR code, do not proceed.
Be particularly cautious of QR codes in physical locations — on posters, parking meters, restaurant tables, and public notices. Attackers have been documented placing stickers with fraudulent QR codes over legitimate ones in public spaces. The code looks real. The destination is not.
What to Do If You Have Already Clicked
If you have clicked a suspicious link, the speed of your response matters significantly.
Do not enter any information. If the page asks for credentials, payment details, or personal information — close it immediately without entering anything. Simply visiting a malicious page carries some risk but is far less dangerous than submitting information to it.
Close the tab and clear your browser history and cookies. This removes session data and tracking information that the site may have attempted to capture.
Run a malware scan. Some malicious pages attempt to install malware simply through the act of being visited — a technique called a drive-by download. Running a scan with updated security software after a suspicious click is a sensible precaution.
Change passwords for any accounts that may be affected. If you entered credentials on a page that turned out to be fraudulent, change those passwords immediately and enable two-factor authentication if it is not already active.
The habit of checking before clicking costs you two seconds per link. The cost of not checking — once, on the wrong link — can be your credentials, your financial accounts, your identity, or your device. That is not a difficult calculation.
Every link is a door. Most of them lead somewhere safe. Some of them do not. The two seconds it takes to look at where a door goes before walking through it is not excessive caution. It is basic awareness — and in the current environment, it is one of the most valuable digital habits you can build.