Before clicking a link from an email, a WhatsApp message, or an ad — pause. It takes 10 seconds to verify a URL, and it could save you from losing your money, your identity, or your files.
Here’s exactly how to do it.
1. Look at the URL itself
The first check is the simplest. Before clicking, hover over any link to see where it actually goes. In browsers, the destination URL appears in the bottom-left corner of the screen.
Ask yourself:
- Is this the real domain? (`amazon.com` vs `amazon-orders.net`)
- Is there a subtle typo? (`paypa1.com`, `g00gle.com`)
- Does the URL use a long string of random characters?
Scammers often register domains that look like real ones. Read the domain carefully — start from the right and work left.
2. Check for HTTPS
A URL starting with https:// means the connection between your browser and the server is encrypted. It does not mean the website is safe or trustworthy — but http:// (no S) is an immediate red flag for any site asking for personal data.
Modern browsers show a padlock icon for HTTPS. If it’s missing, close the tab.
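The checks from steps 1 and 2 can also be scripted. The Python below is an added example, not part of the original article: the `TRUSTED` allow-list, the digit-swap table and the warning names are assumptions, and keeping only the last two labels is a simplification of the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a short allow-list of domains you actually deal with.
TRUSTED = {"amazon.com", "paypal.com", "google.com"}
# Assumption: common digit-for-letter swaps (paypa1, g00gle).
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host):
    """Read the hostname from the right: keep the last two labels.

    Simplification: suffixes such as co.uk span two labels, so production
    code should consult the Public Suffix List instead.
    """
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def check_url(url, trusted=TRUSTED):
    """Return a list of warnings; an empty list means no red flag was found."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    domain = registrable_domain(host)
    if domain in trusted:
        return warnings
    if domain.translate(LOOKALIKE) in trusted:
        # paypa1.com becomes paypal.com once the digits are mapped back
        warnings.append("digit-swap-lookalike")
    else:
        # A trusted name appears somewhere in the host, but the domain that
        # owns the page is a different one (amazon-orders.net).
        normalized = host.translate(LOOKALIKE)
        warnings += [f"brand-in-untrusted-domain:{good.split('.')[0]}"
                     for good in sorted(trusted)
                     if good.split(".")[0] in normalized]
    return warnings


if __name__ == "__main__":
    # Constructed sample links, not taken from real campaigns.
    for link in ("https://www.amazon.com/orders",
                 "https://amazon-orders.net/track",
                 "http://paypa1.com/login",
                 "https://amazon.com.account-verify.example/signin"):
        print(link, "->", check_url(link) or "no red flags")
```

An empty result only means none of these particular checks fired; the reputation and domain-age checks in the following steps still apply.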
3. Scan it with VirusTotal
VirusTotal is a free tool that scans any URL against 90+ antivirus engines and blocklists simultaneously. It takes 3 seconds.
- Go to virustotal.com
- Click the URL tab
- Paste the link and hit Enter
- Review results — any “Malicious” or “Suspicious” flags are a red flag
If you’re on mobile or can’t access VirusTotal, try Google Safe Browsing: https://transparencyreport.google.com/safe-browsing/search
4. Check the domain age
Scam websites are usually brand new — set up, used for a campaign, then abandoned. A domain registered last week posing as a “trusted” shop is a red flag.
Use Whois Lookup or DomainTools Whois to see:
- When the domain was created
- Who registered it (often hidden behind privacy services for scam sites)
- Where it’s hosted
Rule of thumb: Domains less than 6 months old deserve extra scrutiny.
5. Read the page itself
If you do visit a page, look for these warning signs:
- Spelling and grammar mistakes — legitimate businesses proofread their content
- Urgency and fear — “Your account has been compromised! Act NOW!”
- Fake reviews — generic 5-star reviews with no detail
- Missing contact info — no address, phone, or real support email
- Too-good-to-be-true offers — an iPhone for $49
Trust your gut. If something feels off, it probably is.
6. Use a browser with built-in protection
Modern browsers like Chrome, Firefox, and Edge have built-in phishing and malware protection. Make sure it’s enabled:
- Chrome: Settings → Privacy and Security → Safe Browsing → Enhanced
- Firefox: Settings → Privacy & Security → Deceptive Content and Dangerous Software Protection
- Edge: Settings → Privacy, search, and services → Microsoft Defender SmartScreen → On
Bonus: Use a VPN for an extra layer
A VPN won’t tell you if a site is malicious, but it adds meaningful protection:
- Encrypts your connection so attackers on the same network can’t intercept your data
- Hides your real IP from the websites you visit
- Some VPNs (like NordVPN with Threat Protection) actively block known malicious domains
Quick reference checklist
| Check | What to look for |
|---|---|
| URL domain | Exact spelling, no typosquatting |
| HTTPS | Padlock icon, https:// |
| VirusTotal scan | Zero malicious/suspicious flags |
| Domain age | Older than 6 months |
| Page quality | Professional content, contact info |
| Browser protection | Safe Browsing enabled |
The web is full of traps, but most of them are avoidable with a few seconds of attention. Make these checks a habit and you’ll sidestep the vast majority of online threats.