URL Scanner

How to Spot a Phishing Link

Check the domain carefully

Phishing attacks rely on URLs that look legitimate at a glance. Attackers register domains like "paypa1.com" (number 1 instead of L), "amazon-support-login.com", or subdomains like "amazon.real-bank.com" — where the real domain is "real-bank.com". Always read the domain from right to left, stopping at the first slash.

HTTPS does not mean safe

A padlock icon only means the connection is encrypted — not that the site is legitimate. Phishing sites routinely use HTTPS and valid SSL certificates. A secure connection to a malicious site is still a malicious site.

Red flags to watch for

• Urgency: "Your account will be suspended", "Verify immediately"
• Shortened URLs (bit.ly, tinyurl) hiding the real destination
• Domains with extra words: "login-paypal-secure.com"
• Typosquatting: "goggle.com", "arnazon.com", "facebok.com"
• Unexpected redirects through multiple domains
• Requests for credentials or payment on unfamiliar pages

What VirusTotal detects

VirusTotal aggregates results from over 70 antivirus engines, URL scanners, and domain blacklists — including Google Safe Browsing, Kaspersky, Bitdefender, and dozens more. Each engine independently checks the URL for malware distribution, phishing pages, unwanted software, and malicious redirects. The result shows exactly how many engines flagged the URL and how many considered it clean.

What to do with a suspicious link

• Paste it here before clicking — takes seconds
• If it came by email, check the sender's actual address (not just the display name)
• When in doubt, navigate to the site manually by typing the domain directly
• Report phishing: safebrowsing.google.com/safebrowsing/report_phish