Check a Suspicious Link Safely — 6-Minute Playbook
TL;DR: Don’t click unknown links. Copy the URL as text, expand shorteners, inspect the domain, scan with multi-engine services (VirusTotal / URLScan), preview the page in a sandbox or VM with JS disabled, then report or block if malicious.
When to be suspicious
- Unexpected account-recovery or OTP messages with a link.
- Shortened links (bit.ly, t.co) that hide the destination.
- Slight misspellings of brand names (e.g., paypa1).
- Links in images, PDFs, or QR codes that bypass basic filters.
6-minute safe workflow
1. Right-click → “Copy link address”. For QR codes, copy the URL string instead of opening it. Paste into Notepad to inspect safely.
2. Use a URL expander service, or append + to many bit.ly links (e.g., https://bit.ly/abc+) to preview the destination without visiting.
3. Check the registrable domain only (e.g., example.com). Beware of hostnames like google.com.security-check.example.ru, where the registrable domain is example.ru, not google.com.
   Good: https://accounts.google.com/…
   Bad: https://google.com.security-check.example.ru/…
4. Submit the URL text to VirusTotal and URLScan (do not click links in results). Check both the URL and any domain history or screenshots provided.
   Recommended: VirusTotal, URLScan.io, Google Safe Browsing
5. Open in a disposable VM or a new browser profile with JavaScript disabled, or use URLScan’s render/screenshot. Never enter credentials on an untrusted page.
6. Report phishing to your email provider, the impersonated brand, and Google Safe Browsing. Add the domain to your router/endpoint blocklist.
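The registrable-domain check from the workflow above, as an added Python example (not code from the original post). It works on the copied URL text only and never fetches it; the function names, the small `SUFFIXES` subset and the `LOOKALIKES` table are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed subset of public suffixes, enough for the sample URLs.
# Assumption: real use loads the full Public Suffix List instead.
SUFFIXES = {"com", "ru", "net", "org", "co.uk", "com.au"}
# Constructed table of digit-for-letter swaps of the "paypa1" kind.
LOOKALIKES = str.maketrans("015", "ols")

def registrable_domain(url):
    """Return (host, registrable domain) for a URL string, without fetching it."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Scan from the longest candidate suffix, so "co.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            if i == 0:
                break  # the host is itself a public suffix
            return host, ".".join(labels[i - 1:])
    return host, host  # unknown suffix or IP literal: treat the host as one unit

def inspect_link(url, brand_domain):
    """Compare a link with the brand it claims to be; return a list of findings."""
    host, reg = registrable_domain(url)
    if reg == brand_domain:
        return []
    brand = brand_domain.split(".")[0]
    findings = [f"registrable domain is {reg}, not {brand_domain}"]
    # Everything left of the registrable domain is attacker-chosen decoration.
    sub = host[: len(host) - len(reg)].rstrip(".")
    if brand in sub.split("."):
        findings.append(f"'{brand}' appears only as a subdomain label")
    reg_label = reg.split(".")[0]
    if reg_label != brand and reg_label.translate(LOOKALIKES) == brand:
        findings.append(f"'{reg_label}' is a digit-substituted lookalike of '{brand}'")
    return findings

if __name__ == "__main__":
    # Sample URLs taken from, or modelled on, the examples in this post.
    for url, brand in [
        ("https://accounts.google.com/ServiceLogin", "google.com"),
        ("https://google.com.security-check.example.ru/login", "google.com"),
        ("https://www.paypa1.com/signin", "paypal.com"),
    ]:
        print(url, "->", inspect_link(url, brand) or "matches brand domain")
```

An empty result only means the registrable domain matches the brand you expected; it says nothing about the page content, so the scanning and sandbox steps still apply.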
Quick one-time prevention
- Enable DNS filtering (Quad9, Cloudflare Family) at the router.
- Use a content blocker (uBlock Origin) and disable autofill for new/unknown domains.
- Enable 2-factor authentication for critical accounts and store backup codes securely.
Quick commands (don’t visit)
nslookup suspicious-domain.tld
whois suspicious-domain.tld
curl -I https://suspicious-domain.tld/   # fetch headers only; this still sends one request to the server
Published: October 09, 2025 • Author: Elvin Sathianathen