How to Spot a Fake Link Before You Click

Updated 26 January 2026

Scammers are experts at making dangerous links look legitimate. A single click on the wrong link can lead to stolen passwords, drained bank accounts, or malware on your device.

The good news? Once you know the tricks, they're easy to spot. Takes 10 seconds.

Quick Verdict

What it usually is: Phishing pages designed to steal your login credentials or payment details.

Who gets targeted: Everyone. These links arrive via SMS, email, WhatsApp, and social media.

Red Flags to Look For

  • Subdomain tricks — The real domain is the name immediately before the last extension (.com, .com.au and so on) in the address, reading only as far as the first single "/". In "commbank.secure-login.com", the real domain is secure-login.com, NOT commbank.
  • Letter substitutions — "rn" looks like "m", "1" looks like "l", "0" looks like "O". Watch for amaz0n.com or paypa1.com.
  • Extra words added — commbank-verify.com, ato-refund-portal.com, auspost-delivery.net
  • Wrong domain extension — Real Australian sites use .com.au or .gov.au. Scams often use .com, .net, .xyz, .top.
  • URL shorteners — bit.ly, tinyurl.com hide the real destination. Legitimate businesses rarely use these.
  • Random characters — Long strings of letters and numbers are suspicious: track-pkg-au.com/delivery/8f7a2c...
  • Punycode attacks — International characters that look like English letters. applе.com (using Cyrillic е) looks identical to apple.com.

Realistic Examples

Looks legit: https://commbank.com.au.secure-login.net/verify

Reality: The real domain is secure-login.net. Everything before that is decoration to fool you.

What to do: Go directly to commbank.com.au by typing it yourself.

Looks legit: https://auspost.com.au-tracking.info/parcel

Reality: The domain is au-tracking.info. "auspost.com" is just a subdomain.

What to do: Track parcels only at auspost.com.au directly.

Looks legit: https://myg0v.com.au/ato-refund

Reality: Notice the zero instead of 'o'. The real site is my.gov.au (two words, .gov.au domain).

What to do: Always access myGov through my.gov.au directly.
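
The Python below applies the "find the real domain" rule to the three links above and reports which of this guide's red flags each one trips. It is an added example, not the checker's own code; the suffix set, brand list and flag names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a tiny suffix set for illustration; a production checker would
# load the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"com.au", "gov.au", "net.au", "org.au"}
SHORTENERS = {"bit.ly", "tinyurl.com"}            # the two named in this guide
BRANDS = {"commbank", "auspost", "mygov", "amazon", "paypal"}  # constructed list


def registrable_domain(host):
    """Return the 'real' domain: the label before the suffix, plus the suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def red_flags(url):
    """Inspect a URL as text only (no request is made); return (domain, flags)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    domain = registrable_domain(host)
    subdomain = host[: len(host) - len(domain)].rstrip(".")
    name = domain.split(".")[0]
    # Undo the substitutions listed in this guide: 0 -> o, 1 -> l, rn -> m.
    unswapped = name.replace("0", "o").replace("1", "l").replace("rn", "m")
    flags = set()
    if domain in SHORTENERS:
        flags.add("url-shortener")
    if not host.isascii() or "xn--" in host:
        flags.add("lookalike-characters")
    if any(brand in subdomain for brand in BRANDS):
        flags.add("brand-in-subdomain")
    if unswapped != name and unswapped in BRANDS:
        flags.add("letter-substitution")
    if any(brand in name and brand != name for brand in BRANDS):
        flags.add("brand-plus-extra-words")
    return domain, sorted(flags)


if __name__ == "__main__":
    # The three "Looks legit" URLs from this guide, plus the genuine bank site.
    for url in ("https://commbank.com.au.secure-login.net/verify",
                "https://auspost.com.au-tracking.info/parcel",
                "https://myg0v.com.au/ato-refund",
                "https://www.commbank.com.au/"):
        print(url, "->", red_flags(url))
```

An empty flag list only means none of these text patterns matched; it does not show that a link is safe.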

What to Do Next

  1. Don't click — If you're suspicious, don't risk it.
  2. Check the domain — Look at what's immediately before the last .com/.com.au that appears ahead of the first single "/". That's the real website.
  3. Go direct — Type the official URL yourself or use a saved bookmark.
  4. Hover before clicking — On desktop, hover over links to preview the URL in your browser's status bar.
  5. Use our checker — Paste the link and we'll tell you if it's dodgy.

If You Already Clicked

  • Close the page immediately — Don't enter any information.
  • If you entered login details: Change that password immediately, on the REAL site. Enable 2FA if available.
  • If you entered card details: Call your bank and report the card compromised.
  • Run a virus scan — Some links download malware automatically.

Frequently Asked Questions

Can just clicking a link infect my device?

Usually no, but sometimes yes. Exploit kits can attack unpatched browsers. Keep your device and browser updated to minimise risk.

What's the difference between HTTP and HTTPS?

HTTPS encrypts data between you and the site. But scammers can get HTTPS too — it doesn't mean a site is legitimate, just that the connection is encrypted.

How do I check a link on my phone?

Long-press the link to preview the URL. On iPhone, a popup shows the destination. On Android, hold until options appear. Or just paste it into our checker.

Why do scammers use URL shorteners?

To hide the real destination. A bit.ly link could go anywhere. Some URL expander tools can reveal the destination safely.
