How to Check if a URL is Safe — Without Getting Burned
Someone sends you a link. Looks fine. The domain seems legit, there's a padlock, it even loads over HTTPS. You click it.
And that's exactly how phishing works in 2025.
The days of obvious "paypa1.com" typosquats are mostly gone. Modern phishing campaigns use Unicode lookalike characters, perfectly valid TLS certificates, aged domains, and page designs that are pixel-for-pixel clones of the real thing. The padlock tells you the connection is encrypted and that the certificate matches the hostname in the address bar. It says absolutely nothing about whether that hostname belongs to the brand shown on the page, or whether the destination is trying to steal your credentials.
This matters for developers in a few specific ways. You might be building a link-preview feature, processing user-submitted URLs, doing security research on a suspicious domain, or just need to quickly vet something without clicking it. Let's talk about what actually works.
The HTTPS Padlock Doesn't Mean Safe — Stop Trusting It
HTTPS means the connection between your browser and the server is encrypted, and that whoever runs the server proved control of the hostname in the URL. That's it. Let's Encrypt issues free certificates to anyone who can pass a domain control check, which includes every attacker running a phishing page on a domain they registered themselves. Over half of phishing sites now use HTTPS. The padlock is table stakes, not a safety signal.
URL safety is a completely different question from connection security, and it requires a completely different set of checks.
What Actually Gets Checked When You Scan a URL
A proper URL safety check runs through several layers at once:
• Reputation databases — Google Safe Browsing, PhishTank, and VirusTotal maintain constantly updated lists of known malicious URLs. A good safety checker queries these in real time. The caveat: they are lists of what has already been reported, so a phishing page that went live an hour ago is usually not on any of them yet.
• Domain age — Freshly registered domains are disproportionately used in phishing campaigns. A domain registered three days ago serving a bank login page is a massive red flag.
• Redirect chain analysis — Attackers often use clean URLs that chain through several redirects before landing on the malicious page. The initial URL looks fine. The destination doesn't. Every host in the chain needs to be checked, not just the first one.
• Lookalike domain detection — Unicode homograph attacks use Cyrillic or Greek characters that are visually identical to Latin ones. The name actually registered is the punycode (xn--) form, and that is the string to check.
• Content signals — Does the page contain a login form? Is it impersonating a known brand?
Checking URLs in Your Application
Google Safe Browsing API
The most widely trusted source. The Lookup API is free, but Google licenses it for non-commercial use only; commercial products are pointed at the paid Web Risk API instead. You POST a list of URLs and get back threat classifications: malware, social engineering, unwanted software, potentially harmful applications. A clean result is an empty response body, not a "safe" verdict. Note also that the Lookup API sends each full URL to Google in the clear, which matters if the links you are vetting are private.
POST https://safebrowsing.googleapis.com/v4/threatMatches:find?key=YOUR_KEY
VirusTotal URL Analysis
Aggregates verdicts from 70+ antivirus engines and URL blocklist services, so it's more thorough than any single source. The free public API is rate-limited to a few requests per minute with a daily cap, which makes it a second opinion for flagged URLs rather than something to run on every link your application sees. Submitting a URL (below) returns an analysis ID; poll GET /api/v3/analyses/{id} until its status is "completed" to read the per-engine verdict, or GET /api/v3/urls/{id}, where the ID is the unpadded base64url encoding of the URL, to get the last analysis if VirusTotal has seen that URL before.
curl --request POST \
  --url https://www.virustotal.com/api/v3/urls \
  --header "x-apikey: YOUR_KEY" \
  --form url=https://suspicious-domain.com
For production systems: use Google Safe Browsing as your primary check and VirusTotal for anything that triggers warnings. Never rely on a single source for safety decisions, and treat "no match" as "not known to be bad" rather than "safe": both services are blocklists, and a phishing domain registered this morning is on neither.
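The two-source policy just described, as an added example (not the page's own code and not an official client of either service): it builds the Safe Browsing v4 threatMatches:find request body, parses the match list, derives the VirusTotal URL identifier, reads the engine counts, and applies the escalation rule. The request and response shapes follow the public API documentation; the client ID, the environment-variable names for the keys, the blocking threshold and the sample responses are assumptions made for the example, and the live lookups are injectable so the policy can run offline against those samples.

```python
import base64
import json
import os
import urllib.request

SB_ENDPOINT = "https://safebrowsing.googleapis.com/v4/threatMatches:find"
VT_URL_ENDPOINT = "https://www.virustotal.com/api/v3/urls/"
SB_THREAT_TYPES = ["MALWARE", "SOCIAL_ENGINEERING",
                   "UNWANTED_SOFTWARE", "POTENTIALLY_HARMFUL_APPLICATION"]


def build_sb_request(urls, client_id="example-link-checker", client_version="1.0"):
    """Body for POST threatMatches:find. The clientId is an assumed name."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": SB_THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def parse_sb_matches(response):
    """Map each flagged URL to its threat types. A clean lookup answers with
    an empty object, so 'matches' is simply absent."""
    flagged = {}
    for m in response.get("matches", []):
        flagged.setdefault(m["threat"]["url"], []).append(m["threatType"])
    return flagged


def vt_url_id(url):
    """VirusTotal addresses a URL by its unpadded base64url encoding."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def parse_vt_stats(response):
    """(malicious, suspicious) engine counts from GET /urls/{id}."""
    stats = response["data"]["attributes"]["last_analysis_stats"]
    return stats.get("malicious", 0), stats.get("suspicious", 0)


def _json_request(url, headers, body=None):
    data = None if body is None else json.dumps(body).encode()  # data => POST
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def sb_lookup(urls):
    """Live Safe Browsing query; key read from SAFE_BROWSING_KEY (assumed name)."""
    key = os.environ["SAFE_BROWSING_KEY"]
    body = build_sb_request(urls)
    return parse_sb_matches(_json_request(f"{SB_ENDPOINT}?key={key}",
                                          {"Content-Type": "application/json"}, body))


def vt_lookup(url):
    """Live VirusTotal query; key read from VT_API_KEY (assumed name)."""
    key = os.environ["VT_API_KEY"]
    return parse_vt_stats(_json_request(VT_URL_ENDPOINT + vt_url_id(url), {"x-apikey": key}))


def classify(url, sb=sb_lookup, vt=vt_lookup, locally_suspicious=False, vt_block_at=2):
    """Policy from the text: Safe Browsing is primary and a hit blocks outright;
    VirusTotal is consulted only for URLs that already raised a warning (it is
    rate-limited). 'allow' means no source objected, not that the URL is safe.
    vt_block_at is an assumed threshold."""
    sb_hits = sb([url]).get(url)
    if sb_hits:
        return "block", {"source": "safe-browsing", "threats": sb_hits}
    if not locally_suspicious:
        return "allow", {"source": "safe-browsing", "threats": []}
    malicious, suspicious = vt(url)
    detail = {"source": "virustotal", "malicious": malicious, "suspicious": suspicious}
    if malicious >= vt_block_at:
        return "block", detail
    if malicious + suspicious > 0:
        return "warn", detail
    return "allow", detail


# Constructed sample responses in the documented shapes (hostnames invented),
# standing in for the live lookups so the policy runs offline.
SAMPLE_SB = {"matches": [{
    "threatType": "SOCIAL_ENGINEERING", "platformType": "ANY_PLATFORM",
    "threatEntryType": "URL", "threat": {"url": "https://login-verify.example/"},
    "cacheDuration": "300s"}]}
SAMPLE_VT = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 61, "malicious": 5, "suspicious": 1, "undetected": 12, "timeout": 0}}}}


def fake_sb(urls):
    return parse_sb_matches(SAMPLE_SB)


def fake_vt(url):
    return parse_vt_stats(SAMPLE_VT)


if __name__ == "__main__":
    print(classify("https://login-verify.example/", sb=fake_sb, vt=fake_vt))
    print(classify("https://example.org/", sb=fake_sb, vt=fake_vt, locally_suspicious=True))
```

With the default arguments, classify() performs the live calls. GET /urls/{id} answers 404 for a URL VirusTotal has never seen; in that case submit it with the POST shown above and poll /analyses/{id}, and budget those calls against the public API's quota.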
What to Look For When Checking Manually
Automated tools come back clean but something still feels off? Here's what to inspect yourself:
• Check the actual href destination, not the display text. In HTML they're completely independent.
• Subdomain abuse: paypal.com.evil-site.com is NOT a PayPal domain. The real domain is evil-site.com; read the hostname from the right, not the left.
• The @ trick: anything before an @ in the authority part is userinfo, not the host. https://paypal.com@evil-site.com/ goes to evil-site.com.
• Percent-encoded characters: %40 is @, %2F is /, %3A is :. Obfuscation through URL encoding is common, especially for a destination hidden inside a redirect parameter; decode before you judge.
• Unusually long URLs with random-looking path strings often indicate abused redirect services.
• IP-based URLs for services that should have domain names are almost always suspicious.
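Those manual checks, and the homograph check from the scanning section earlier, as one static inspection routine. This is an added example and not the page's own code: it returns tagged findings for userinfo tricks, IP-literal hosts, mixed Unicode scripts in the hostname, IDN hosts (shown in their punycode form), a watched brand name appearing only as a subdomain, a second URL hidden in the percent-encoded query, and long high-entropy paths. The brand watchlist, the entropy and length thresholds, and the crude two-label registrable-domain rule are assumptions for the example; production code should use a Public Suffix List library for the last one.

```python
import ipaddress
import math
import re
import unicodedata
from collections import Counter
from urllib.parse import unquote, urlsplit

BRANDS = ("paypal", "google", "microsoft", "apple")  # assumed watchlist
EMBEDDED_URL = re.compile(r"""https?://[^\s"'<>]+""")


def script_of(ch):
    """First word of the Unicode character name: LATIN, CYRILLIC, GREEK, ..."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def registrable_domain(host):
    """Crude last-two-labels rule, enough for the example; a Public Suffix
    List library is needed in production (co.uk and friends break this)."""
    return ".".join(host.split(".")[-2:])


def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def inspect_url(url):
    """Static red-flag checks; returns a list of (tag, detail) findings."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    if parts.username is not None:  # https://paypal.com@evil-site.com/
        findings.append(("userinfo", f"browser goes to {host}, not {parts.username}"))

    try:
        ipaddress.ip_address(host)
        findings.append(("ip-literal", host))
    except ValueError:
        pass

    scripts = {script_of(c) for c in host if c.isalpha()}
    if len(scripts) > 1:  # a single non-Latin script is a legitimate IDN
        findings.append(("mixed-script", ", ".join(sorted(scripts))))

    try:
        ascii_host = host.encode("idna").decode("ascii")  # punycode form
    except UnicodeError:
        ascii_host = host
    if ascii_host != host or ".xn--" in "." + ascii_host:
        findings.append(("idn", ascii_host))

    reg = registrable_domain(ascii_host)
    for brand in BRANDS:
        if brand in ascii_host and brand not in reg:
            findings.append(("brand-in-subdomain", f"'{brand}' is only a subdomain of {reg}"))

    # Decode the path and query before looking for a smuggled destination URL.
    decoded = unquote(parts.path) + ("?" + unquote(parts.query) if parts.query else "")
    for embedded in EMBEDDED_URL.findall(decoded):
        findings.append(("embedded-url", embedded))

    if len(parts.path) >= 40 and entropy(parts.path) > 4.0:  # assumed thresholds
        findings.append(("random-path", parts.path))
    return findings


def flags(url):
    """Just the tags, for quick decisions."""
    return {tag for tag, _ in inspect_url(url)}


if __name__ == "__main__":
    # Constructed inputs; every hostname is invented.
    for sample in ("https://paypal.com.evil-site.com/login",
                   "https://paypal.com@evil-site.com/",
                   "https://\u0430pple.com/",  # Cyrillic а
                   "https://redir.example/out?u=https%3A%2F%2Flogin-verify.example%2F"):
        print(sample, inspect_url(sample))
```

None of these findings is proof on its own; they are the signals to escalate to a reputation lookup or a manual look, and the mixed-script check deliberately stays quiet for single-script non-Latin names, which are ordinary IDNs.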
Quick Browser-Based URL Check
When you just need to vet a URL quickly without writing code or opening a terminal, use our Safe URL Checker. It queries multiple reputation databases simultaneously and checks redirect chains in seconds:
Check any URL for malware, phishing, and redirect chains instantly
Try Safe URL Checker Free →
