Every phishing attack needs a mechanism to do harm, and in the vast majority of cases, that mechanism is a link. Whether the link arrives in an email, a text message, a QR code, or a social media message, the attacker's goal is the same: get you to click it. The link might lead to a fake login page designed to steal your credentials, a website that downloads malware onto your device, or a form that harvests sensitive business information.
TL;DR — Key Takeaways
- ✓ A practical guide to analysing suspicious links before clicking
- ✓ Start with the hover-check, your first line of defence
- ✓ Learn how URL structure (domains vs subdomains) works so you can make an informed decision
Visual Overview
```mermaid
flowchart LR
A["Suspicious Link"] --> B["Hover to Preview URL"]
B --> C["Check Domain Spelling"]
C --> D["Use URL Scanner"]
D --> E{"Safe?"}
E -->|No| F["Report & Delete"]
E -->|Yes| G["Proceed with Caution"]
```
Learning to analyse a link before you click it is one of the most practical cybersecurity skills any employee can develop. It does not require technical expertise or expensive tools — just a basic understanding of how URLs work and the common tricks attackers use to disguise malicious destinations. This guide will walk you through everything you need to know to evaluate a suspicious link safely and confidently.
The Hover-Check: Your First Line of Defence
The simplest and most important technique for analysing a link is hovering over it without clicking. On a desktop computer or laptop, move your mouse cursor over the link and look at the bottom-left corner of your browser window or email client. This area will display the actual URL that the link points to, which may be completely different from the text displayed in the message.
For example, an email might contain a link that reads "Click here to view your invoice from Acme Ltd" — but when you hover over it, the actual URL might point to something entirely unrelated, such as a domain in a foreign country or a string of random characters. This mismatch between the displayed text and the actual destination is one of the most common indicators of a phishing email.
On mobile devices, hovering is not possible in the same way, which makes link analysis more challenging. On most phones, you can long-press (press and hold) on a link to see a preview of the destination URL. Avoid tapping links directly on mobile devices if you have any reason to be suspicious — the small screen makes it difficult to read URLs carefully, and accidental taps are common.
Understanding URL Structure: Domains vs Subdomains
To effectively analyse a link, you need to understand the basic structure of a URL. This knowledge is essential because attackers rely on the fact that most people do not know how to read a web address properly. A URL has several components, but the most important one for security purposes is the domain name.
Consider this URL: https://accounts.google.com/signin
The domain name is google.com. The word "accounts" before google.com is a subdomain — a section controlled by the owner of google.com. The "/signin" at the end is a path on that server. This URL is legitimate because the domain is google.com, and Google controls everything to the left of it.
Now consider this URL: https://google.com.account-verify.net/signin
At first glance, this might look like a Google URL. But the actual domain here is account-verify.net — not google.com. The "google.com" portion is merely a subdomain of account-verify.net, chosen deliberately to deceive. The critical rule is: always read the domain from right to left, starting just before the first single forward slash after the "https://" (the slash that begins the path). The domain is the last two dot-separated parts before that slash (or three parts for country-specific domains like .co.uk).
Practice Reading Domains
Here are a few examples to sharpen your skills:
- https://login.microsoft.com/oauth — Domain is microsoft.com. This is legitimate.
- https://microsoft-login.secure-auth.com/oauth — Domain is secure-auth.com. This is suspicious. The word "microsoft" is just a subdomain of someone else's domain.
- https://paypal.com-secure.review/account — Domain is com-secure.review. This is malicious despite containing "paypal.com" in the URL.
- https://www.amazon.co.uk/orders — Domain is amazon.co.uk. This is legitimate (note the three-part domain for a UK site).
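Reading the domain this way can be automated. The Python script below is an added example and not code from the original article: it applies the right-to-left rule to the hostname, using a small constructed list of country-specific suffixes such as co.uk (a real tool would load the full Public Suffix List) and a constructed table of brand names with the domains they genuinely own, and flags any link that mentions a brand but is not actually on that brand's domain.

```python
from urllib.parse import urlsplit

# Constructed, deliberately short list of country-specific suffixes that take
# three parts. A real tool would load the full Public Suffix List instead.
THREE_PART_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au", "co.jp", "co.nz"}

# Constructed table: brand name -> domains that brand genuinely owns. Any other
# domain whose hostname mentions the brand is treated as a mismatch.
BRAND_DOMAINS = {
    "google": {"google.com"},
    "microsoft": {"microsoft.com"},
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
}


def hostname_of(url):
    """The host part only: everything after '://' and before the first single '/'."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(url):
    """Apply the right-to-left rule: the last two labels of the hostname,
    or the last three when the final two form a country suffix like co.uk."""
    labels = hostname_of(url).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in THREE_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_mismatches(url):
    """Brands named somewhere in the hostname while the registrable domain is not theirs."""
    host = hostname_of(url)
    domain = registrable_domain(url)
    return [brand for brand, owned in BRAND_DOMAINS.items()
            if brand in host and domain not in owned]


def explain(url):
    """One-line verdict in the style of the practice list above."""
    domain = registrable_domain(url)
    bad = brand_mismatches(url)
    if bad:
        return f"Domain is {domain}. Suspicious: '{bad[0]}' is only part of a subdomain or a different domain."
    return f"Domain is {domain}."


if __name__ == "__main__":
    for link in ["https://accounts.google.com/signin",
                 "https://google.com.account-verify.net/signin",
                 "https://paypal.com-secure.review/account",
                 "https://www.amazon.co.uk/orders"]:
        print(link, "->", explain(link))
```

Because `urlsplit` stops the hostname at the first single slash, the script reads paypal.com-secure.review as com-secure.review and google.com.account-verify.net as account-verify.net, exactly as the rule says a person should.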
Common URL Tricks Attackers Use
Beyond subdomain abuse, attackers employ a wide range of techniques to make malicious links appear trustworthy. Understanding these tricks will help you spot them before they cause harm.
Lookalike Domains (Typosquatting)
Attackers register domains that closely resemble legitimate ones, relying on the fact that people read quickly and may not notice small differences. Common techniques include swapping similar-looking letters (using "rn" instead of "m", "vv" instead of "w", or "1" instead of "l"), adding or removing letters (microsoftt.com, amaz0n.com), and using alternative top-level domains (google.net instead of google.com, apple.support instead of support.apple.com).
Internationalised Domain Name (IDN) Attacks
Some attackers use characters from non-Latin alphabets that look identical to English letters. For example, the Cyrillic letter "a" looks identical to the Latin "a" but is technically a different character. This allows an attacker to register a domain that looks exactly like a legitimate one in your browser but is actually a completely different address. Most modern browsers display these domains in their encoded format (starting with "xn--") as a defence, but older browsers and some applications may still display the deceptive version.
URL Shorteners
Services like bit.ly, t.co, and tinyurl.com are commonly used to shorten long URLs for convenience. Unfortunately, they also hide the actual destination, making them a favourite tool of attackers. A shortened URL reveals nothing about where it leads, which means you cannot analyse it using the techniques described above without first expanding it. Several free online tools allow you to expand a shortened URL to see its true destination before you visit it.
Legitimate-Looking Redirect Chains
Some attackers abuse redirect features on legitimate websites to mask malicious destinations. For example, they might craft a URL that starts with a trusted domain but includes a redirect parameter pointing to a malicious site. The URL might look like it belongs to a familiar service, but it actually bounces the user through one or more redirects before arriving at a phishing page.
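As an added example (not code from the original article), the Python checker below turns the four tricks just described into heuristics applied to a single URL: it flags hostnames with non-ASCII letters or punycode (xn--) labels, labels that come within one character of a brand name once the "rn"/"m", "vv"/"w", "1"/"l" and "0"/"o" swaps are undone while the link is not on that brand's domain, known shortener hosts, and query parameters whose value is itself a URL on a different host. The brand list, shortener list, parameter names and the sample URLs under .example are all constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# All lists below are constructed for this example; a production checker would
# load far larger sets (brand lists, shortener lists, redirect parameter names).
BRAND_DOMAINS = {"google.com", "microsoft.com", "apple.com", "amazon.com", "paypal.com"}
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com"}
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "goto"}
# Character swaps attackers use; undoing them removes the disguise so the
# label can be compared with the real brand name.
LOOKALIKE_SWAPS = {"rn": "m", "vv": "w", "1": "l", "0": "o"}


def fold_lookalikes(label):
    for fake, real in LOOKALIKE_SWAPS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def on_domain(host, domain):
    """True when host is the domain itself or a subdomain its owner controls."""
    return host == domain or host.endswith("." + domain)


def analyse_link(url):
    """Return a list of (code, message) findings; an empty list means no trick was spotted."""
    if "://" not in url:
        url = "https://" + url          # bare 'bit.ly/abc' style links still get a hostname
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    findings = []

    # Internationalised domain names: raw non-ASCII letters, or punycode (xn--).
    if not host.isascii():
        findings.append(("idn", "hostname contains non-ASCII characters that may imitate Latin letters"))
    elif any(label.startswith("xn--") for label in labels):
        findings.append(("punycode", "hostname is punycode-encoded (xn--); decode it before trusting it"))

    # Lookalike domains: a label that, once the swaps are undone, is within one
    # edit of a brand name while the host is not actually on that brand's domain.
    for domain in BRAND_DOMAINS:
        if on_domain(host, domain):
            continue
        brand = domain.split(".")[0]
        for label in labels[:-1]:        # skip the top-level domain itself
            if len(label) >= 4 and edit_distance(fold_lookalikes(label), brand) <= 1:
                findings.append(("lookalike", f"'{label}' resembles {brand} but the link is not on {domain}"))
                break

    # URL shorteners hide the destination entirely.
    if host in SHORTENER_HOSTS:
        findings.append(("shortener", f"{host} is a URL shortener; expand it before trusting the link"))

    # Redirect parameters: a query value that is itself a URL on another host.
    for name, values in parse_qs(parts.query).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            target = (urlsplit(unquote(value)).hostname or "").lower()
            if target and target != host:
                findings.append(("redirect", f"parameter '{name}' sends the visitor on to {target}"))
    return findings


def codes(url):
    """Just the finding codes, sorted, for quick checks."""
    return sorted(code for code, _ in analyse_link(url))


if __name__ == "__main__":
    for sample in ["https://rnicrosoft.com/login", "https://amaz0n.com/", "https://google.net/",
                   "https://bit.ly/3abc", "https://trusted.example/go?url=https://phish.example/login",
                   "https://www.microsoft.com/"]:
        print(sample, "->", analyse_link(sample) or "nothing spotted")
```

The lookalike check deliberately skips the top-level domain and very short labels so that ordinary hosts such as www.microsoft.com produce no findings; each heuristic is a prompt to look closer, not a verdict, and a clean result for an unknown domain only means none of these particular tricks was detected.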
Tools for Checking Links Safely
If you encounter a suspicious link and want to investigate it without risking your own device, several free tools can help. These are part of the safe browsing habits that every employee should practise:
- VirusTotal (virustotal.com): Paste a URL into VirusTotal and it will scan the destination against dozens of security engines, checking for known malware, phishing pages, and other threats. It will also show you where the URL redirects to.
- URLScan.io (urlscan.io): This tool takes a screenshot of the destination page and provides detailed information about the site, including the technologies it uses, the server it is hosted on, and any redirects that occur.
- Google Safe Browsing Transparency Report: Google maintains a database of unsafe websites. You can check any URL against this database to see if Google has flagged it as dangerous.
- URL expanders: Services like CheckShortURL or GetLinkInfo will expand shortened URLs to reveal their true destination without requiring you to visit the site.
When using these tools, always copy and paste the URL rather than clicking it. Right-click on the link and select "Copy link address" (or equivalent) to capture the URL without navigating to it.
What to Do If You Accidentally Click a Suspicious Link
Despite your best efforts, there may be occasions when you click a link before realising it is suspicious. If this happens, speed is important. Take the following steps immediately:
- Do not enter any information. If the link takes you to a login page, a form, or a page requesting any kind of data, close the browser tab immediately. Do not type anything.
- Disconnect from the internet if you suspect malware. If the page attempted to download a file or if your device begins behaving unusually, disconnect from your network (turn off Wi-Fi or unplug your ethernet cable) to prevent potential malware from communicating with the attacker's servers.
- Run a malware scan. Use your organisation's endpoint security software to perform a full system scan. If you do not have endpoint protection, use a reputable free scanner to check for threats.
- Change your passwords. If you entered any credentials on the suspicious page, change those passwords immediately from a different, trusted device. Enable multi-factor authentication on the affected accounts if it is not already active.
- Report the incident. Notify your IT team or security contact immediately, even if you believe no harm was done. Early reporting allows your organisation to take protective action, such as blocking the domain across all company devices or alerting other employees.
- Monitor your accounts. Keep a close watch on your email and financial accounts for any unusual activity in the days following the incident. Attackers who obtain credentials may not use them immediately.
Building a Link-Aware Culture in Your Organisation
Individual skill is important, but the strongest defence is an organisational culture where employees feel comfortable pausing to analyse a link, asking a colleague for a second opinion, or reporting a suspicious message without fear of judgement. Encourage your team to adopt a simple rule: if in doubt, do not click. Instead, navigate to the supposed website directly by typing the known address into the browser, or contact the sender through a separate channel to confirm the link is legitimate.
Regular training that includes practical exercises — such as presenting employees with real and fake URLs and asking them to identify which are malicious — is far more effective than theoretical instruction alone. The ability to read and analyse a URL is a skill that improves with practice, and it is one of the most cost-effective defences any organisation can invest in.
Every malicious link is an opportunity for an attacker — but it is also a decision point where an informed employee can stop an attack in its tracks. By taking a few seconds to hover, read, and verify before clicking, your team can dramatically reduce the risk of a successful phishing attack.