Is This Link Safe? How to Check Any Suspicious Link Before You Click

June 15, 2026 · 16 min read

Dharmendra Asimi

SEO Expert & WordPress Professional since 2005

Cyber Kavach · Article 4 of 5

The self-defence series for your digital life. No jargon, no fear-selling. Free tools, clear steps, and checks you can run yourself in minutes.

My uncle called me one evening, embarrassed. He had received an SMS saying his electricity would be disconnected at 9:30 PM that night unless he updated his account through a link. The message looked official. He was about to lose power, or so he believed, so he tapped the link and started entering his details. Halfway through typing his debit card number, something felt off and he stopped. He called me. We caught it in time. Many people do not.

That single hesitation saved him from joining a very large group. India lost Rs.22,495 crore to cybercrime in 2025, with 28.15 lakh complaints filed, and the overwhelming majority started with one thing: a person clicking a link they should not have.

The good news is that spotting a dangerous link is a skill, and it takes about 20 seconds once you know what to look for. This article, the fourth in my Cyber Kavach series, teaches you to read any link like a security professional, check it with free tools, and recognise the exact scam patterns flooding Indian phones right now. Share it with your parents. This is the one everyone in your family needs.

Short answer

To check if a link is safe, do not click it first. Copy it and paste it into VirusTotal (virustotal.com), which scans it against 70+ security engines, or urlscan.io, which opens it in a safe sandbox. Then read the domain yourself: find the first single slash after https:// and look at the word right before it. That word is the real website. Everything else (the brand name in front, the path after) can be faked.

Three rules cover most scams in India: you never scan a QR code to RECEIVE money, you never install an APK file from WhatsApp, and no real bank, courier, or utility ever collects payments or OTPs through a link in an unexpected message. Urgency plus a link plus a request for money or details equals a scam, every time.

How do you read a URL to spot a fake?

This one skill defeats most phishing. Every web address has a real domain hidden inside it, and scammers rely on you not knowing where to look. Here is the rule: find the first single slash after https://, then read the word immediately to its left. That word, plus its ending (.com, .in), is the real site. Nothing else matters.

Look at these examples. The real destination is in the middle column:

| The link you see | The real site | Verdict |
| --- | --- | --- |
| https://www.hdfcbank.com/login | hdfcbank.com | Safe |
| https://hdfcbank.security-verify.com/login | security-verify.com | Fake |
| https://www.hdfc-bank-kyc.in/update | hdfc-bank-kyc.in | Fake |
| https://amazon.in.offers-claim.xyz | offers-claim.xyz | Fake |

Scammers put the trusted brand name in the subdomain (the part before the real domain) or in the path (the part after the slash) because they know most people scan for "hdfcbank" or "amazon," see it, and stop reading. Train yourself to ignore the brand name and find the real domain instead.

The specific tricks to watch for

  • Lookalike letters (homoglyphs). rnicrosoft.com uses "r" and "n" together to imitate the "m" in microsoft.com. paypa1.com uses the number 1 instead of the letter l. At a glance they pass.
  • Extra words bolted on. amazon-rewards.in, sbi-netbanking-secure.com, flipkart-bigsale.shop. The real brand never adds promotional words to its main domain.
  • Odd domain endings. A bank or big brand that you know uses .com suddenly appearing on .xyz, .top, .info, .shop, or .online. These cheap endings are favourites for throwaway scam sites.
  • The @ trick. Anything between https:// and an @ symbol is treated by the browser as login information, not as the website. https://www.icicibank.com@scamsite.in actually takes you to scamsite.in. The real bank name is a decoy.
  • Raw IP addresses. A link like http://103.42.18.7/login that shows numbers instead of a domain name is almost never legitimate for a consumer service.
  • No padlock, or http instead of https. A padlock is not a guarantee of safety on its own (scammers get padlocks too), but a banking or payment page without https is an instant no.
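
The reading rule and the tricks listed above, written out as an added Python example (not the author's code) that inspects a link without ever opening it. The function names, the short suffix and brand lists, and the lookalike pairs are constructed samples for illustration; a real checker would use the full Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lists for this example. A real tool would load the full
# Public Suffix List and its own list of brands to protect.
TWO_LEVEL_SUFFIXES = {"co.in", "net.in", "org.in", "gov.in", "co.uk"}
CHEAP_TLDS = {"xyz", "top", "info", "shop", "online"}  # endings the article names
BRANDS = ("hdfcbank.com", "amazon.in", "icicibank.com", "microsoft.com", "paypal.com")
LOOKALIKES = (("rn", "m"), ("1", "l"), ("0", "o"))  # fake spelling -> real letter


def real_domain(host):
    """Registrable domain: the label just left of the suffix, plus the suffix."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def check_link(url):
    """Parse a URL without fetching it. Returns (real site, warning flags)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    if parts.username is not None:  # text before '@' is login info, not the site
        flags.append("at-sign-decoy")
    try:
        ipaddress.ip_address(host)
        return host, flags + ["raw-ip"]
    except ValueError:
        pass  # not an IP literal, so treat it as a domain name
    site = real_domain(host)
    if site.rsplit(".", 1)[-1] in CHEAP_TLDS:
        flags.append("cheap-tld")
    if site in BRANDS:
        return site, flags
    skeleton = site
    for fake, real in LOOKALIKES:
        skeleton = skeleton.replace(fake, real)
    for brand in BRANDS:
        if skeleton == brand:
            flags.append("lookalike-of:" + brand)
        elif brand.split(".")[0] in host.replace("-", ""):
            flags.append("brand-in-wrong-place:" + brand)
    return site, flags
```

An empty flag list only means none of these patterns matched; it is not a verdict that the site is honest, so the scanning tools below still apply.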

🟡 Did You Know

A padlock icon in the address bar means the connection is encrypted, not that the site is honest. Over 80% of phishing sites now use https and show a padlock, because anyone can get a free certificate in minutes. The padlock tells you nobody is eavesdropping on your data as it travels. It says nothing about who is receiving it on the other end.

Which free tools check a link in seconds?

When the domain is hard to read, or you just want certainty, paste the link into one of these. Copy the link without opening it: long-press it on your phone and choose Copy, or right-click and Copy link on a computer.

| Tool | What it does | Best for |
| --- | --- | --- |
| VirusTotal | Scans the URL against 70+ antivirus and blocklist engines, gives a malicious/clean count | A fast, trusted verdict |
| urlscan.io | Opens the link in a safe sandbox, shows the real domain, screenshots, and what it loads | Seeing what a link actually does |
| Google Transparency Report | Google's own Safe Browsing verdict on the site | A second opinion from Google |
| Norton SafeWeb | Reputation rating and community reports for a domain | Checking a site's history |
| unshorten.it | Reveals where a bit.ly or short link really points, without clicking | Expanding shortened links |

The two I reach for: VirusTotal for a quick yes-or-no, and urlscan.io when I want to see the page's real behaviour without risking my device. For Google's verdict, use the Safe Browsing site status tool.

Shortened links: reveal before you trust

Short links (bit.ly, tinyurl, t.co, and dozens more) hide the destination by design. That is convenient for marketers and perfect for scammers. To see where one really goes without clicking, paste it into unshorten.it or straight into VirusTotal, which expands and scans in one step. On many shorteners, adding a + to the end of the link (like bit.ly/xyz123+) shows a preview page instead of redirecting you. A shortened link in an unexpected SMS or WhatsApp message deserves zero trust until you have expanded it.

Are QR codes safe to scan?

A QR code is a link you cannot read with your eyes. Every rule above still applies, except you are blind to the destination until your phone opens it. That blindness is why QR scams, nicknamed quishing, rose roughly 5x in 2025 according to multiple security trackers.

For India, one rule prevents almost every QR payment scam:

🔴 Costly Mistake

Scanning a QR code because someone said you will RECEIVE money. You never scan a QR code to get paid. A UPI QR code can only ever SEND money from your account. Every "scan this to receive your refund / prize / payment / OLX advance" message is a theft in progress. The scammer relies on you not knowing the direction money flows. If you must receive money, you share your UPI ID or number, you never scan their code.

Beyond payments, treat physical QR codes with suspicion too. Fraudsters paste their own QR stickers over genuine ones on parking meters, restaurant tables, and shop counters. When you scan any code, your phone shows a preview of the URL before opening it. Read that preview. If it is a shortened link, a raw IP, or a domain unrelated to where you are standing, do not open it.

Should you ever open an APK file from WhatsApp?

Never. This deserves its own section because it is the fastest-growing phone-takeover scam in India and it is hitting families hard.

An APK is an Android app installer. Through 2025 and 2026, scammers have flooded WhatsApp with files named to look harmless: WeddingInvitation.apk, ShaadiCard.apk, fake CourierTracking.apk, or a counterfeit bank or income-tax app. The message often comes from a known contact, because their phone was already infected the same way and the malware spreads itself to their contacts.

Install one and you hand the attacker remote control of your phone. The malware reads your SMS, which means it captures every bank OTP, steals your UPI credentials, and can empty accounts within minutes while you see nothing. CERT-In, India's national cyber agency, has issued repeated advisories about exactly this.

The rule is absolute: real apps come only from the Google Play Store or Apple App Store. A genuine wedding invitation is a PDF or an image. No legitimate invite, courier, or bank ever arrives as an app you must sideload from a chat. If you receive an APK, even from your closest friend, do not install it, and tell them their account may be compromised.

🔵 Quick Stat

Phishing through SMS (smishing) and WhatsApp now outpaces email phishing for Indian consumers, because a link on a small phone screen is far harder to inspect than on a desktop. The address bar is short, the domain is truncated, and the urgency hits while you are distracted. That is the whole design. Slowing down for 20 seconds is the entire defence.

What do the common scam links in India look like?

Almost every scam link belongs to one of five families. Learn the shape and you recognise new variants instantly.

  • Courier and parcel scams. "Your FedEx / India Post / Blue Dart parcel is held. Pay Rs.25 customs to release it." The tiny amount lowers your guard while they capture your card.
  • KYC update scams. "Your PayTM / bank / SIM KYC has expired. Update now or your account will be blocked today." Banks never collect KYC through a link in an SMS.
  • Electricity bill scams. "Your power will be disconnected tonight at 9:30 PM. Clear your bill via this link." The exact one my uncle nearly fell for. Real boards do not work this way.
  • Job and work-from-home scams. "Earn Rs.5,000 a day. Click to start. Pay a small registration fee." The fee, and your details, are the actual product.
  • Prize, refund, and cashback scams. "You won Rs.10 lakh in the KBC lottery" or "Your refund is ready, scan to claim." Refunds never require you to scan a code or share an OTP.

Every one of them shares three ingredients: manufactured urgency (act now or lose something), a link or QR code to tap, and a request for money or personal details. When you see those three together, stop. That combination is the signature of fraud, no matter how official the message looks. The same dynamics now play out across the platforms where Indians spend their time, which I broke down in my piece on India's social media and how attention gets exploited.

What if you already clicked?

Do not freeze and do not hide it. Speed decides how much you lose. Work down this list based on how far you went.

1. If you only opened the page and typed nothing: close it, clear your browser history and cache, and run a malware scan on your phone or computer. You are most likely fine.

2. If you entered a password: change that password immediately from a different, clean device, and change it everywhere else you reused it. Turn on two-factor authentication. My email security guide walks through this exact recovery.

3. If you entered card or bank details, an OTP, or a UPI PIN: call your bank now to block the card or freeze the account, then call 1930 (the national cybercrime helpline) and file at cybercrime.gov.in. Do this within the hour.

4. If you installed an app or APK: put the phone in airplane mode at once, uninstall the app, and from another device change your bank, UPI, and email passwords. Consider a factory reset. Call 1930 if any money moved.

🟢 Pro Tip

Save 1930 and your bank's fraud number in your phone right now, before you ever need them. In a real fraud, every minute counts and nobody can think clearly while their savings drain. The Citizen Financial Cyber Fraud Reporting system behind 1930 can freeze money while it is still moving between accounts, but only if you call fast. Pre-saving the number turns a panicked 10-minute search into a 10-second call.

The Cyber Kavach series

This is article 4 of the opening season. The full run:

Each article ships with a free, printable resource on my Free Resources page. For this one, download the Safe Link Checklist: Spot a Scam Link in 20 Seconds, sized for your phone screen so you can forward it to your family WhatsApp group. It is the fastest way to protect the people who are most targeted.

Frequently asked questions

How can I check if a link is safe before clicking it?
Copy the link without opening it and paste it into VirusTotal (scans 70+ engines) or urlscan.io (opens it in a safe sandbox). Also read the domain: find the first single slash after https:// and look at the word just before it. That is the real site.

What is the most reliable free tool to scan a suspicious link?
VirusTotal (virustotal.com), free and owned by Google, checks any URL against 70+ security services at once. For seeing what a link actually does, urlscan.io visits it in an isolated sandbox so your device never touches it.

How do I read a URL to spot a fake website?
Find the first single slash after https:// and read the word immediately before it. In hdfcbank.security-verify.com/login the real site is security-verify.com, not HDFC. Watch for misspellings, lookalike letters, brand names with extra words, and odd endings like .xyz.

Are QR codes safe to scan?
A QR code is a link you cannot read in advance, so quishing scams rose about 5x in 2025. The India rule: you never scan a QR code to RECEIVE money, only to send it. Check the preview URL before opening, and never scan codes from strangers or stuck on public surfaces.

Is it safe to open an APK file sent on WhatsApp?
No, never. Files like WeddingInvitation.apk or fake courier apps hand attackers control of your phone, including your SMS and bank OTPs. Real apps come only from official app stores. A real invite is a PDF or image, never an app.

What should I do if I already clicked a suspicious link?
If you only opened the page, close it and run a malware scan on your device. If you entered details or installed something, change passwords from a clean device, call your bank to freeze the card, and call 1930 plus file at cybercrime.gov.in within the first hour.

How do I see where a shortened link really goes?
Paste it into unshorten.it or VirusTotal to reveal and scan the destination without clicking. On many shorteners, adding a + to the end shows a preview. Never trust an unexpected short link.

What are the most common scam link types in India?
Fake courier and parcel fees, KYC update threats, electricity disconnection scams, fake job offers, and prize or refund links. All combine urgency, a link or QR code, and a demand for money or details. Real institutions never collect payments or OTPs through unsolicited links.

About the author

Dharmendra Asimi is an SEO Expert and WordPress Professional based in Bangalore, India. Founder of Aapta Solutions (established 2007), he has built and secured websites for hundreds of Indian businesses since 2005 and helped clients recover from phishing, malware, and account-takeover attacks. Cyber Kavach is his self-defence series for everyday digital safety. Read his full bio, explore technical consulting, or book a free 15-minute call if your business has been targeted by a scam or breach. For the rest of the series and printable checklists, visit the Free Resources page.
