🛡 Scam Prevention Guide

Step-by-Step Guide: How to Safely Inspect a URL Before You Click

Published: March 11, 2026

Summary

This article provides a practical, step-by-step guide to inspecting URLs before clicking them, helping consumers identify the tactics fraudsters use to disguise malicious links. It covers domain analysis, HTTPS misconceptions, free verification tools, and what to do if you have already clicked a suspicious link. Understanding these techniques is essential for anyone looking to avoid phishing scams, cloned firm fraud, and other online threats.

Full Guide

Why Inspecting a URL Before You Click Could Save You From a Scam

Every day, millions of people click links without a second thought — in emails, text messages, social media posts, and online advertisements. Cybercriminals know this, and they exploit it. A carefully disguised URL is one of the most common tools used in phishing attacks, investment fraud, and cloned firm scams. Learning to inspect a link before you click it is one of the most practical and effective steps you can take to protect yourself online.

Before clicking any hyperlink, hover your mouse cursor over it without clicking. In most browsers and email clients, this will display the actual destination URL in the bottom-left corner of your screen. On a mobile device, press and hold the link to reveal the underlying address.

Ask yourself: does the displayed URL match what the link text claims? If a message says it is from your bank but the URL reveals an unfamiliar domain, treat that as an immediate red flag.

Step 2: Examine the Domain Name Carefully

The domain name is the core part of a URL — for example, in https://www.example.com/login, the domain is example.com. Fraudsters use several tactics to make fake domains look convincing:

  • Typosquatting: Swapping or adding letters, such as paypa1.com instead of paypal.com.
  • Subdomain spoofing: Placing a legitimate-looking name before a fake domain, such as barclays.secure-login.com — here the real domain is secure-login.com, not Barclays.
  • Homograph attacks: Using characters from other alphabets that look identical to standard letters.
  • Extra words or hyphens: Such as hmrc-refund-portal.com or fca-register-official.net.

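Always read the domain from right to left. Start at the first single slash after the https:// prefix (or at the end of the address if there is no path) and work backwards: the name and ending immediately before that point, such as secure-login.com in the example above, is the true domain. Anything further to the left is only a subdomain chosen by whoever controls that domain.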
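
The right-to-left reading described above can be automated. The following Python sketch is an added example, not part of the original guide: it extracts the true domain from a link and flags the four tactics listed in this step. It goes slightly beyond the text by handling two-part endings such as .co.uk. The names registrable_domain and inspect_url, the KNOWN_GOOD allowlist, the short suffix list and the digit swaps are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny suffix list; real tools load the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk"}
# Hypothetical allowlist of domains the reader genuinely uses.
KNOWN_GOOD = {"paypal.com", "barclays.co.uk"}
# Assumed digit-for-letter swaps (not exhaustive): 0->o, 1->l.
DIGIT_SWAPS = str.maketrans("01", "ol")


def registrable_domain(url):
    """Return the true domain: the suffix plus the one label to its left."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def inspect_url(url):
    """Return (true_domain, findings) for one link; an empty list means no flag."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    domain = registrable_domain(url)
    findings = []
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        findings.append("homograph: non-ASCII or punycode label in host")
    if domain in KNOWN_GOOD:
        return domain, findings
    brands = {good.split(".")[0] for good in KNOWN_GOOD}
    if domain.translate(DIGIT_SWAPS) in KNOWN_GOOD:
        findings.append("typosquat: digits stand in for letters")
    own = domain.split(".")[0]
    subs = labels[: len(labels) - len(domain.split("."))]
    if brands & set(subs):
        findings.append("subdomain spoofing: brand sits left of the true domain")
    if brands & set(own.split("-")) and own not in brands:
        findings.append("extra words or hyphens around a brand name")
    return domain, findings


if __name__ == "__main__":
    # Constructed sample links, reusing the examples from the text above.
    for link in ("https://www.paypal.com/signin", "https://paypa1.com/",
                 "https://barclays.secure-login.com/login",
                 "https://p\u0430ypal.com/", "https://paypal-refund.com/"):
        print(link, "->", inspect_url(link))
```

An empty findings list only means none of these four patterns matched; it is not proof that a link is safe.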

Step 3: Check for HTTPS — But Do Not Rely on It Alone

A padlock icon and an https:// prefix indicate that the connection between your browser and the website is encrypted. This is a positive sign, but it does not mean the website itself is legitimate. Scammers routinely obtain SSL certificates for fraudulent websites, so a padlock is not proof of trustworthiness.

Use HTTPS as a minimum baseline, not a final verdict. If a site does not have HTTPS, leave immediately. If it does, continue your inspection using the other steps in this guide.

Step 4: Use a URL Checker Tool

Several free tools can help you assess the safety of a URL before you visit it:

  • Google Safe Browsing: Visit transparencyreport.google.com/safe-browsing/search and paste the URL to check its status.
  • VirusTotal: Scans URLs against dozens of security databases simultaneously.
  • URLVoid: Checks whether a domain has been flagged by any blacklisting services.

These tools are not infallible, particularly for newly registered fraudulent sites, but they provide a valuable additional layer of verification.

Step 5: Verify the Organisation Independently

If a link claims to represent a financial firm, regulator, or government body, do not use the contact details or links provided in the message itself. Instead, search for the organisation's official website independently through a trusted search engine, and verify the URL you find matches exactly.

For financial firms operating in the United Kingdom, you can check the Financial Conduct Authority's Financial Services Register at register.fca.org.uk. If a firm is contacting you but cannot be found on official registers, this is a serious warning sign of a cloned or fraudulent firm.

Red Flags That Should Stop You Clicking

  • The URL contains a string of random numbers or characters.
  • The domain name was registered very recently (you can check this using a WHOIS lookup tool).
  • The link was sent unexpectedly, without prior contact from the supposed sender.
  • You are being urged to click urgently or risk missing out on something.
  • The email address or sender details do not match the organisation being represented.

If you believe you have visited a fraudulent website or entered personal information on a fake page, act quickly. Disconnect your device from the internet, run a reputable antivirus scan, and change any passwords that may have been compromised. Contact your bank immediately if you entered financial details. Report the URL to Action Fraud at actionfraud.police.uk and to the National Cyber Security Centre at ncsc.gov.uk/report.

Reporting suspected scam websites helps authorities take action and protects other potential victims from the same threat.

This guide is published for consumer protection and educational purposes. Always verify firm credentials via your national financial authority before transacting.