We all receive emails with links. Sometimes we are certain they are legitimate based on past trust; other times we hesitate. That hesitation is healthy, because malicious links are today the primary entry point for attacks.
Here is how to verify a link before clicking, depending on what you are trying to detect.
Step 0: look at the link without clicking
Before any tool, the first defence is visual.
On a computer: hover your mouse over the link without clicking. The real URL appears at the bottom left of your browser or in your email client. What you read in the email text (“Click here” or “www.your-bank.com”) can be entirely different from the real URL.
What to check with your eyes:
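- The base domain: your-bank.com is very different from your-bank.secure-login.xyz. The real domain is the name immediately before the final extension (.com, .ca, .net, .xyz, etc.), so the second link belongs to secure-login.xyz; anything further to the left is a subdomain that its owner can name freely.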
- Typosquatting: paypa1.com (with a 1), rbc-canada.net, microsoft-support.com. Subtle variations designed to fool the eye.
- Shortened links (bit.ly, tinyurl, t.co): they hide the real destination. Never click them without expanding the URL first.
To unwrap a shortened link without clicking, use unshorten.it or expandurl.net: paste the short URL and you will see the real destination.
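The same Step 0 checks (base domain, typosquatting, shortened links, and link text that differs from the real URL) can be scripted. The Python below is an added example, not code from the original article; the function names are hypothetical, and the trusted-domain, shortener and suffix lists are constructed samples.

```python
from urllib.parse import urlsplit

# All lists below are constructed samples, not authoritative data.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
TRUSTED = {"your-bank.com", "paypal.com", "microsoft.com"}
# Assumption: real code should use the Public Suffix List, not this stand-in.
TWO_LABEL_SUFFIXES = {"co.uk", "gc.ca", "com.au"}
# Digits commonly swapped for letters in typosquats (1->l, 0->o, 3->e, 5->s).
LOOKALIKES = str.maketrans("1035", "loes")


def hostname(url):
    """Host the browser would actually contact, lower-cased."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def base_domain(url):
    """Registrable domain: the label just before the suffix, plus the suffix."""
    labels = hostname(url).split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def check_link(url, shown_text=""):
    """Return warnings for the visual checks: domain, typosquat, shortener."""
    host, domain = hostname(url), base_domain(url)
    warnings = []
    if domain in SHORTENERS:
        warnings.append("shortened link, expand it first")
    if domain not in TRUSTED:
        for good in sorted(TRUSTED):
            brand = good.split(".")[0]
            if domain.translate(LOOKALIKES) == good:
                warnings.append(f"typosquat of {good}")
            elif brand in host:
                warnings.append(f"mentions {brand} but belongs to {domain}")
    # Link text that names a different domain than the real target.
    shown = shown_text.strip()
    if "." in shown and " " not in shown and base_domain(shown) != domain:
        warnings.append(f"text shows {base_domain(shown)}, goes to {domain}")
    return warnings


if __name__ == "__main__":
    for sample in ("https://your-bank.secure-login.xyz/login", "http://paypa1.com/",
                   "https://bit.ly/3abcXYZ", "https://your-bank.com/accounts"):
        print(sample, "->", check_link(sample) or "no visual red flag")
```

An empty result only means none of these visual red flags fired; it says nothing about what the page behind the link actually does.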
To detect malware and viruses: VirusTotal
VirusTotal.com analyses the URL with 90+ antivirus engines simultaneously. If the link leads to a malicious file or a site known for distributing malware, you will know in 10 seconds.
Usage: copy the URL, paste it into VirusTotal, run the scan. A “0/90” result (no engine detects anything) is reassuring, but not an absolute guarantee for phishing — that is this tool’s limitation.
To detect phishing: the right tools
Phishing is a fake page that mimics a real one (your bank, Microsoft, the government, Canada Post) to steal your credentials or personal information. No virus, no malware — just a convincing interface and a form that sends your data to attackers.
Here are the specialized tools:
1. URLScan.io — the most powerful
This is the most useful tool on this list. URLScan visits the link in an isolated environment (sandbox), takes a screenshot of the page, analyses the code, loaded resources, redirects, and gives you a complete report.
You can see visually what the page looks like without ever going there. If the site mimics your bank, you will see it immediately. If the page redirects elsewhere, you will know.
Caution: by default, scans are public. If you are analysing a sensitive link from an internal company email, use a private scan (requires a free account).
2. Google Safe Browsing — fast and reliable
transparencyreport.google.com/safe-browsing/search
Google maintains a continuously updated blacklist of phishing and malware sites. Paste the URL and Google tells you if it is flagged. Simple, fast, effective for already-known sites.
This is also what your browser (Chrome, Firefox, Safari) checks automatically on every page visit. But you can do it manually before clicking.
3. PhishTank — the community phishing database
PhishTank is a collaborative database: thousands of volunteers submit and verify phishing URLs. If someone else has already received the same suspicious link, it is probably here.
Very useful for high-volume phishing campaigns (fake Canada Post emails, CRA, banks), less useful for recent targeted attacks.
4. CheckPhish.ai — AI applied to phishing
A newer tool that uses artificial intelligence to detect phishing pages, even unknown ones. It analyses the visual structure and page content to determine whether it mimics a known brand. A good complement to URLScan for very recent sites.
The method in practice: 60 seconds, 3 steps
- Look at the URL without clicking. Does the base domain make sense? Do you really recognize the sender?
- Paste the URL into URLScan.io. Look at the screenshot. Does the page look like what you were promised? Are there suspicious redirects?
- If doubt persists, also run it through VirusTotal and Google Safe Browsing.
What no tool will replace
The golden rule that survives all technology:
If you are asked for your credentials, password, card number, or personal information via a link received by email — do not go to that link. Go directly to the official site by typing the address yourself.
Your bank will never send you a link asking you to “validate your account within 24 hours.” The CRA does not send emails with clickable links. These practices are red flags, no matter how legitimate the email seems.
Your best protection is to stay skeptical!