How to Check if a Link is Safe in 2026: URL Lookup

Before clicking a link that arrives in a message, an email, or a social media comment, knowing whether it's safe to follow is one of the most common digital security questions of 2026. Checking a link is not just about pasting it into a single tool and waiting for a verdict; it requires reading dozens of small signals together, from how the URL is spelled to the age of the domain, from which authority issued the certificate to the redirect chain leading to the landing page. This guide walks through a verification workflow that works for everyday users and security analysts alike, with real commands and real tools.

Phishing campaigns are now routinely launched in Turkish as well. Fake shipping notifications, fake e-Government screens, fake bank text messages, fake crypto exchange login pages — they all share the same pressure tactic: making the user click under a tight time window. Analyzing the link before clicking is the cheapest defense layer against credential theft and malware infection.

Why You Must Check Links Before Clicking

Most modern phishing attacks now manage to bypass spam folders, slip past email gateway antivirus scans, and even pass SPF/DKIM/DMARC checks. That's because the attack surface isn't the email body or attachment — it's the page at the end of the link. That page looks clean for the first few hours, then loads its payload; or worse, only serves malicious content when an actual user clicks.

According to anti-phishing researchers, in 2025 the average malicious domain stayed active for 4–9 hours before being detected and blacklisted. Anyone who clicks during that window is essentially unprotected. The habit of checking links closes that blind window in practice on the user side.

Pre-click checks stop phishing aimed at stealing credentials (usernames, passwords, OTPs, card numbers).
They block drive-by-download attacks — pages that exploit a CVE-2024 Chrome vulnerability the moment they load are still in circulation.
They catch socially engineered scams (fake giveaways, raffles, crypto airdrops) early.
They warn before contact with XSS / clickjacking pages that hijack browser session tokens.
In enterprise environments they prevent DLP incidents: protecting against fake SharePoint sites where an employee accidentally uploads internal documents.

Anatomy of a Link: How to Read a Safe URL

A user who can't read URLs correctly will misinterpret the output of even the best checking tool. Per RFC 3986, a standard URL has the following parts: scheme://userinfo@host:port/path?query#fragment. Attackers play their tricks in the gaps between these parts.

In the example above, the actual domain is dolandirici.com; www.banka-ornek.tr is just a subdomain. Browsers usually only show the beginning of long URLs, so deceptive subdomains can fool users. The Effective TLD + 1 (eTLD+1) principle determines the true owner — the Public Suffix List (publicsuffix.org) defines that boundary.

The Most Common URL Deception Techniques

Subdomain trick: apple.com.guvenli-giris.net — the real host is guvenli-giris.net.
Typosquatting: googIe.com (capital I), turkıye.gov.tr (Turkish ı), amaz0n.com (zero).
Punycode / IDN homograph: xn--pple-43d.com renders as аpple.com but contains a Cyrillic 'а'.
Userinfo injection: https://google.com@evil.example/ — everything after @ is the actual host.
Long query strings: ?utm_source=google.com&landing=... tries to disguise the real host.
Shortener services: bit.ly/3xK7, t.co/..., tinyurl.com/... — never click blindly without knowing the destination.
Excessive port or path length: a 200+ character path is meant to overwhelm the eye.
Wrong TLD: .tk instead of .tr, .cm instead of .com, .gob.tr instead of .gov.tr.

Parsing URLs from the Command Line

Programmatically parsing a URL is far safer than reading it by eye. Python's urllib.parse or Node's URL object exposes the real host in a single line.

First-Second Checks: The Browser Address Bar

If a link is already open or if opening it is unavoidable (for instance in a corporate workflow), the browser's address bar is the fastest first indicator. Modern Chrome, Firefox, Edge, and Safari render the eTLD+1 in bold and dim the rest — train your eye to look at the bold portion first.

The padlock icon: It indicates that an HTTPS connection is established, but it is not a security guarantee on its own. Today, 88% of phishing sites use free SSL via Let's Encrypt.
'Not secure' warning: Any form or login screen served over HTTP must be rejected outright.
Deceptive site warning: When Chrome shows a full-screen red 'Deceptive site ahead' warning, stop, don't click 'continue', go back.
Certificate error warning: NET::ERR_CERT_AUTHORITY_INVALID, NET::ERR_CERT_DATE_INVALID — close the connection rather than clicking 'proceed'.
Emoji or unicode control characters in the address bar: Almost always the signature of a homograph attack.

When you enable Chrome's 'Enhanced Safe Browsing', the browser queries unknown URLs against Google in real time before you visit them. This mode is more aggressive than standard Safe Browsing but also shares more telemetry — recommended for corporate devices, a personal preference call for home use.

HTTPS, the SSL Certificate, and Certificate Authority Checks

When evaluating link safety, the SSL/TLS certificate is the second most critical signal. A properly issued certificate tells you who it was issued to, which authority issued it, when, and which domain names it covers. Our HTTPS and TLS 1.3 article covers the protocol side; this section focuses on verification.

Three critical pieces of information to extract from a certificate: the issued domain name (CN and SAN), the issue date (newly minted phishing sites typically obtained certificates in the last 24–72 hours), and the issuer (Let's Encrypt, ZeroSSL, Google Trust Services are well known; a certificate from an unfamiliar CA is itself a red flag).

Certificate Transparency Logs

Since 2018, all trusted CAs have been required to publish every certificate they issue to Certificate Transparency logs. These logs are public, which makes it impossible for a malicious actor to silently mint a certificate for a given domain.

crt.sh — fastest search; type a domain and list its full certificate history.
Google Transparency Report — Certificates.
Censys — IP/host/certificate scanning with strong filters.
Censys Certificate Search — search dedicated to certificates.

Certificates issued in the name of a bank or government agency but not actually owned by that institution show up in these logs. For early phishing campaign detection, many organizations set up automated monitoring on crt.sh for any certificate issued in their brand name.

Online Link Checking Services: A Comparison

Single-click services where you submit a URL and get a report are the most popular form of link checking. Each has different strengths and weaknesses; for any serious analysis, the right approach is to use at least two of them together.

VirusTotal (virustotal.com): queries 70+ antivirus engines in parallel, runs sandbox + static analysis. Provides passive DNS history, related file hashes, and IP history. The most powerful free tool for discovering domains tied to the same ecosystem.
urlscan.io: opens the target page in a headless browser and reports a screenshot, DOM tree, network requests, and executed JavaScript. Each scan can be made Public or unlisted.
Google Safe Browsing: the blocklist that powers Chrome, Firefox, and Safari under the hood. Manually queryable at transparencyreport.google.com/safe-browsing/search.
PhishTank: community-vetted phishing database, owned by OpenDNS.
URLVoid / IPVoid: scans 30+ blocklists from a single interface.
Sucuri SiteCheck: detects embedded malware/spam injection on WordPress and PHP sites.
Quttera, Norton Safe Web, McAfee SiteAdvisor: enterprise-grade reputation services.
Hybrid Analysis (CrowdStrike Falcon Sandbox): deeper sandbox; runs files downloaded by the URL inside a VM and observes their behavior.
any.run: interactive sandbox; open the page in a virtual machine, move the cursor, and watch its behavior unfold.

Automated URL Analysis with the VirusTotal API

The web UI is fine for one-off URLs, but a corporate SOC team or a blog moderator will want to automate the incoming URL stream. VirusTotal's v3 API solves this with a free quota (4 requests/minute, 500/day).

The returned last_analysis_stats includes counts for malicious, suspicious, harmless, and undetected. In practice, blacklisting a URL makes sense once more than 3 of the 70+ engines flag it as 'malicious'; 1–2 positives can easily be false positives.

urlscan.io API: Headless Scanning

12 Classic Signals for Phishing Detection

There are heuristic signals that automated tools miss but seasoned analysts spot in seconds. A user who knows them is a powerful filter on their own.

Brand name in subdomain: e.g. microsoft-support.help-center.online.
Newly registered domain: a WHOIS age under 7 days is a serious red flag.
Mixed character sets: domain names blending Latin and Cyrillic.
Excessive hyphen (-) count: patterns like www-banka-online-giris-tr-2026.example.
Familiar brand + unrelated TLD: turkcell.icu, akbank.cyou.
Form over HTTP: in 2026, a site still posting forms over HTTP is either misconfigured or malicious.
Excessively long shortener chains: bit.ly → t.co → goo.gl → final-domain.
OTP/SMS code requested directly on the login screen: legitimate banks deliver OTPs through push notifications, not via a web form.
Forced file downloads: a page pushing .exe, .scr, or .apk files under the guise of a 'security update'.
Poor Turkish / machine-translated text: lines like 'Dear customer your account is suspending please click to update'.
Distorted logos, pixelated icons: the signature of fake pages assembled from screenshot snippets.
Urgency pressure: 'Your account will be closed within 24 hours' — the classic social engineering hook.

WHOIS, RDAP and Domain Age

When and by whom a domain was registered are foundational data points for any link safety assessment. Our domain lookup tools article covers the difference between WHOIS and RDAP at length; here we focus only on the security angle.

To keep costs down, malicious campaigns typically register domains in bulk through cheap registrars (NameSilo, Namecheap promos, Porkbun) and on cheap TLDs (.xyz,.icu,.top,.cfn,.cyou,.click). If a domain is less than 24 hours old and lives on one of these TLDs, that's already a red flag in your link check.

Bulk Domain History: Passive DNS

Passive DNS keeps a historical record of which domains an IP has hosted. If an IP has resolved to 50 different suspicious domains in recent history, any new domain on the same infrastructure is highly likely to be malicious as well.

AlienVault OTX — free, with a deep archive.
SecurityTrails — DNS, WHOIS, and IP history.
Censys — internet-scale scanning.
Shodan — open port + service profile.
VirusTotal's Relations tab — passive DNS, subdomains, related files.

Turkey-Specific: BTK and Güvenli Net Lookups

Turkey's Information and Communication Technologies Authority (BTK) publishes the list of access-blocked domains under Law No. 5651. To find out whether a link is reachable in Turkey and which authority blocked it, use the official lookup page.

internet.btk.gov.tr/sitesorgu — domain-level access-block lookup.
guvenlinet.org.tr/sorgula — query under the Safe Internet Service.
USOM (National Cyber Incident Response Center) malicious link reports.
For detailed usage, see our BTK lookup guide.

A 'blocked' result from a BTK query does not necessarily mean the site is malicious — it could be blocked for copyright reasons, a court order, an administrative measure, or a personal-rights violation. By contrast, a domain on the USOM list is technically and unambiguously categorized as malicious.

Expanding Short URLs: Methods That Work

Short links like bit.ly/3xK7, tinyurl.com/abc, or t.co/xyz hide their target. The safest way to expose the real URL without opening the page is to issue an HTTP HEAD request and read the Location header.

Some shortener services offer a preview interface: preview.tinyurl.com/3xK7, checkshorturl.com, unshorten.it, getlinkinfo.com. For a quick check from mobile, those services in a browser are enough.

Advanced: Sandboxes and Headless Browsers

As an analyst, when you want to see for yourself what a link does, you should never open it from your main machine — use a disposable sandbox. Three common approaches: any.run / Hybrid Analysis, Tor/Whonix in your own VM, and a headless Chromium script.

The HAR output of the script above stores every HTTP request the page made. snap.png gives you a clear visual of the page — phishing tells like distorted logos and typos become obvious there.

Disposable Tor Browser via Docker

Checking Links on Mobile

A large share of phishing targets mobile devices — small screens, truncated URLs, and rushed users. Pre-click checks are still possible on mobile.

Long-press the link (Android/iOS): a 'Preview' or 'Copy URL' menu appears. Copy the URL and paste it into a desktop checking tool.
In-browser safe browsing: Chrome > Settings > Privacy > Safe Browsing > turn on Enhanced protection.
WhatsApp / Telegram link previews: the preview image can be faked; trust the URL itself, not the thumbnail.
SMS phishing (smishing): 'Your package is waiting'-type SMS links were the most common attack vector in 2025–2026. Open the carrier's official site manually and track the package there.
QR codes: when scanning with the phone's default camera, wait for it to display the URL and ask 'Open' — don't use third-party QR readers that auto-open.

Links Inside Email: Header and Source Analysis

To distinguish email-based phishing, you need to inspect the message headers in addition to the link itself. SPF, DKIM, and DMARC results prove whether the message actually came from the domain it claims.

In many phishing emails, the link's display text differs from its actual href. Outlook and Apple Mail show the real URL in the lower corner when you hover the link; on mobile, long-press the link instead.

Browser Extensions: A Passive Defense Layer

uBlock Origin (Firefox/Chrome): blocks not just ads but also known malware/tracker domain lists.
Privacy Badger (EFF): behavior-based tracker blocking.
Bitdefender TrafficLight: link reputation badges in Google, Bing, and social media feeds.
Avira Browser Safety: phishing/malware prediction, free tier available.
Netcraft Extension: a classic tool used by phishing professionals; shows risk scores in real time.
HTTPS Everywhere (now built into most browsers as 'HTTPS-Only Mode'): blocks HTTP fallbacks entirely.

When picking an extension, weigh the developer's trustworthiness as heavily as its popularity — in recent years, several popular extensions changed hands and shipped versions that exfiltrated user data. Check store reviews and the last update date.

Automated Bulk Link-Checking Pipelines

Blog moderators, forum admins, e-commerce customer service teams, and SOC analysts all face dozens to hundreds of links per day. Pasting them into a UI one by one doesn't scale. Below is a Python example that combines VirusTotal + urlscan + Google Safe Browsing in a single script.

You can run the script like so: cat suspicious-links.txt | python linkcheck.py > report.jsonl. The output is in JSON Lines format, easy to filter with jq or pipe into a Slack alert.

Site Safety: From the Administrator's Side

Checking links as a user is one half of the equation; verifying that your own site is safe as an administrator is the other half. To keep your site continuously clean, run the following tests on a regular schedule:

Qualys SSL Labs SSL Test — aim for an A+ score, identify weak ciphers.
securityheaders.com — grades headers like CSP, HSTS, X-Frame-Options.
Mozilla Observatory — combined report on headers, TLS, and cookie security.
Sucuri SiteCheck — embedded malware/spam scan.
In-house SSL Check tool — quick certificate and expiry verification.
web.dev/measure — performance + best practices + security best-practice grades.

On top of these, your HTTP headers must include Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options: nosniff, and Referrer-Policy: strict-origin-when-cross-origin. Our XSS and CSP protection article covers this in depth.

Essential Security Headers on Nginx

If You've Been Phished: 5 Emergency Steps

If you realize after clicking, panic is the worst response. The sequence below limits the damage in most cases.

1. Disconnect from the internet: turn off Wi-Fi, unplug the cable — if the malicious page is still exfiltrating data, this stops it.
2. Change passwords: if you typed credentials, reset the password for that account from a different device. Same for every account where you reused that password.
3. Enable two-factor authentication (2FA): prefer TOTP (Authenticator app) or a hardware key (FIDO2). SMS as a last resort.
4. Contact your bank: if card data was entered, call your bank's customer hotline immediately to block the card.
5. Report the attack: USOM (www.usom.gov.tr) malicious link report, ihbar.gov.tr complaint form, file a complaint with the Public Prosecutor's Office.

Common Misconceptions

'If it has HTTPS, it's safe': Wrong. HTTPS only confirms the traffic is encrypted, not that the page is benign. Today nearly every phishing site serves HTTPS.
'A domain that mentions a famous brand belongs to that brand': microsoft-support-help.online is not owned by Microsoft.
'My antivirus protects me anyway': antivirus is reactive; it can't catch zero-day phishing pages in their first hours.
'Checking on my computer is enough': phones are an easier target and a less protected attack surface.
'I'm on the corporate VPN, I'm safe': VPNs encrypt traffic but don't sanitize the destination content.

For Professionals: Threat Intelligence Feeds

Corporate security teams don't rely solely on user reports; they pull continuously updated threat intelligence (TI) feeds. The sources below still include open and free feeds in active use in 2026.

URLhaus (abuse.ch) — malicious URL database, RSS/CSV/JSON feed.
Feodo Tracker — banking trojan C2 IP list.
OpenPhish — phishing URL feed (premium paid, free tier limited).
MISP — open-source threat intel platform, IOC sharing.
AlienVault OTX — Pulses, IOCs, indicator sharing.
USOM — Turkey-focused malicious domain/IP list.

A Local Blocklist Auto-Fed by URLhaus

DNS-Side Defense: DoH, DoT and Filtering

DNS queries between your client and your browser still travel as plaintext UDP/53 by default; an attacker on a coffee-shop Wi-Fi can manipulate DNS responses and redirect you to a fake IP. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt that traffic. Our DNS article dives into the protocol details.

Cloudflare 1.1.1.1 / 1.0.0.1 — DoH/DoT support, free.
Quad9 9.9.9.9 — blocks malicious domains at the DNS level.
NextDNS — personal/family filter, managed via a dashboard.
AdGuard DNS — ad + tracker + malware blocking.
Pi-hole / AdGuard Home — run your own DNS server inside your network.

In a corporate network these aren't enough; DNS security services like Cisco Umbrella, DNSFilter, or Akamai EZ Protect provide category-based blocking, reporting, and per-user policy management.

Local Providers and Services in Turkey

Familiar names in the Turkish market for link/site safety include BTK, USOM, and ISP-level offerings such as Türk Telekom Güvenli İnternet, Turkcell Güvenli İnternet, Vodafone Güvenli İnternet, and Superonline Aile Profili. Most of these apply DNS-based category filtering at the ISP level and offer family, child, and standard profiles.

On the business side, local cybersecurity firms such as BGA, STM, Pruva, and Beam Teknoloji actively offer SOC services. Pricing is usually subscription-based and varies by provider, ranging in 2026 from roughly ₺8,000 to ₺80,000 per month (approximately $250–$2,500 USD/month, varies by provider).

Quick Self-Check with JavaScript in the Browser

With a few lines of JavaScript in the developer console, you can read the basic security indicators of the page you're connected to.

Mixed content (HTTP resources loaded from an HTTPS page) is already blocked in modern browsers, but legacy sites can fail-open. The snippet above summarizes the basic hygiene of a page in seconds.

Frequently Asked Questions

Which link-checking tool is the best?

There is no single 'best'. A common combination is to do the first scan with VirusTotal, the visual verification with urlscan.io, and the blocklist comparison with Google Safe Browsing. The three return different signals, and the convergence of all three sharpens the verdict.

Does a VPN protect me from phishing?

No. A VPN secures the tunnel by encrypting your network traffic; if the page at the end of the tunnel is malicious, the VPN can neither see nor stop that. Use a VPN for location/privacy; for link safety you need separate tools.

Does antivirus scan a link before you click it?

Modern endpoint protection products (Kaspersky, ESET, Bitdefender, Defender, etc.) — through browser extensions or DNS/HTTP-based modules — resolve the link at click time and check it against a blocklist. Even so, this check is blocklist-based; zero-day phishing campaigns can slip through in their first hours.

If a link is marked 'not unsafe', is it definitely clean?

No. All reputation services follow the principle that 'absence of evidence is not evidence of absence'. A newly registered domain may simply not be on a blocklist yet. Cross-check the other signals — age, certificate, content quality.

Could the QR code I scanned with my phone be fake?

Yes. 'Quishing', or QR phishing, has been a serious vector since 2024. A fake QR sticker placed on top of the menu QR at a restaurant table can take you to a fake payment page. After scanning a QR, read the URL the camera shows before tapping 'Open'.

Should I ban short URLs entirely?

At the corporate email gateway level, an 'unknown shortener' policy is a common control. For personal use, a blanket ban is overkill; the habit of expanding any short link with a HEAD request before opening it is enough.

Quick Decision Flow (One-Page Recap)

1. Read the URL with your bare eyes — what is the eTLD+1? Is the familiar brand only in a subdomain?
2. Is the WHOIS age under 7 days? > Suspicious.
3. Is HTTPS in place and is the issuing CA reasonable? Are there earlier entries in CT logs?
4. Are there positives on VirusTotal?
5. Does the urlscan.io screenshot match the real brand's site?
6. Does Google Safe Browsing flag it as 'malicious'?
7. If it's a short URL, expand it with HEAD to see the actual destination.
8. If still unsure, open it in a sandbox or disposable VM.
9. At the slightest doubt, don't click — the cheapest defense is choosing not to click when in doubt.

Readers of this article also read these

guvenlik 26 min

Software Development

SEO & Optimization

API & Integration

Web Hosting

VPS Server

Dedicated Server

Domain & SSL

Why KEYDAL?

Projelerimiz

About Us

Contact