Stop Phishing at the Source: Verify Links Like a Pro

The goal: trust the link before you click
Most phishing wins because we rush. You don’t need to become a forensic analyst—just apply a short, consistent verification routine that works across email, SMS, chat, and QR codes. Here’s the method.
Link verification in 10 seconds (the CORE routine)
- Copy, don’t click: Right-click (or long-press) and copy link first.
- Inspect the domain: Paste the URL into a plain-text field (notes app). Focus on the registered domain (e.g., example.com), not the subdomain.
- Check for tricks: Look for typos, extra words (-secure, -support), unusual TLDs, xn-- (punycode), or multiple dots like login.example.com.bad-site.io.
- Chase the redirect: If it’s shortened (bit.ly, tinyurl.com) or has a url= parameter, expand it first using a trusted expander or by previewing the shortlink (most services support + or preview endpoints).
- Decide: If anything feels off, don’t click. Go directly to the site by typing the known domain or using a saved bookmark.
Email & SMS: verify the sender before the link
- Display names lie: Tap/click the address to see the real sender. support@payments.example.com is very different from support@payments.example.co.
- Reply-To mismatch: If From and Reply-To differ (and the latter is unknown), be cautious.
- No urgency traps: “Pay now or account closes” is a classic pressure tactic. Slow down.
- Attachment-first = red flag: Real services rarely send unexpected attachments with “security updates.”
QR codes: look before you open
- Use a viewer, not auto-open: Prefer camera/QR apps that show the URL and ask for confirmation.
- Check the domain first: Same CORE routine—copy, inspect domain, watch for shorteners or redirect params.
- Public posters: QR stickers on signs/kiosks can be swapped. If in doubt, navigate manually to the official site.
URL anatomy: what to actually read
- Scheme: https:// is required, but padlocks aren’t proof of legitimacy.
- Registered domain: The name just before the TLD, together with the TLD: example.com in pay.example.com. Ignore the leading subdomains.
- Path: Long, random paths are fine; paths that mimic other brands (/paypal/secure/ on a non-PayPal domain) are not.
- Query: Be wary of url=, redirect=, or next= parameters that jump to an external site.
Short links & redirects without the guesswork
- Preview shorteners: Many support a preview trick (e.g., append +). If not, use a reputable expander.
- Open in a sandboxed profile: If you must check a borderline link, use a separate browser profile with no cookies or logins.
- Never log in after following a link from an unexpected message. Instead, go to the site directly and sign in there.
Open-redirect traps (how they work)
Attackers use a normal-looking domain but add a parameter that silently forwards you elsewhere, e.g.:
https://legit.example.com/login?next=https://bad-site.io/steal
- Rule of thumb: If a trusted site must redirect, it should send you to a path on the same domain, not to an unrelated domain.
- Your move: Trim the URL to the base domain and navigate from the homepage.
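The CORE routine, the URL anatomy checks and the open-redirect rule of thumb above can be applied mechanically to a copied link. The following Python is an added example, not code from the original article; the flag names, the two-entry shortener list and the naive last-two-labels registered-domain rule are assumptions made here.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed for this example, not taken from the article: a two-entry shortener
# list and a naive "last two labels" registered-domain rule. Real code should
# use the Public Suffix List (example.co.uk needs three labels).
SHORTENERS = {"bit.ly", "tinyurl.com"}
REDIRECT_PARAMS = {"url", "redirect", "next"}
LURE_SUFFIXES = ("-secure", "-support")


def registered_domain(host):
    """Naive registered domain: the last two dot-separated labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(url, expected_domain):
    """Return warning flags for a copied link, given the domain you expect."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registered_domain(host)
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-label")
    if reg in SHORTENERS:
        flags.append("shortener:expand-first")
    elif reg != expected_domain:
        flags.append(f"registered-domain-mismatch:{reg}")
        # Trusted name buried in the subdomain stack of another domain.
        if f".{expected_domain}." in f".{host}":
            flags.append("expected-domain-used-as-subdomain")
    if any(s in reg.split(".")[0] for s in LURE_SUFFIXES):
        flags.append("lure-word-in-domain")
    # Redirect parameters whose value points at a different registered domain.
    for key, value in parse_qsl(parts.query):
        target = urlsplit(value).hostname
        if key.lower() in REDIRECT_PARAMS and target:
            if registered_domain(target) != reg:
                flags.append(f"external-redirect:{registered_domain(target)}")
    return flags


if __name__ == "__main__":
    # Sample URLs from the article plus a constructed short link.
    for u in ("https://legit.example.com/login?next=https://bad-site.io/steal",
              "https://support.login.verify.example.com.bad-site.io/",
              "https://bit.ly/abc123"):
        print(u, "->", triage(u, "example.com"))
```

An empty list means none of these checks fired, not that the link is safe; a same-domain redirect such as next=/account passes by design.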
Sender verification for teams (quick process)
- Out-of-band check: For payment changes or credential requests, call a known number (not the message’s number) to confirm.
- Least privilege links: Staff accounts should open unknown links in a non-privileged browser profile.
- Report & quarantine: If something looks off, report it and move on—don’t “test-click.”
What if you clicked?
- Don’t enter credentials: Close the tab immediately.
- Reset via known route: Go to the official site from a bookmark and change your password.
- Rotate if exposed: If you typed anything sensitive, rotate it and follow an incident playbook: The Simple Incident Playbook for Leaked Passwords.
- Enable/confirm MFA: It blocks many account-takeover attempts even after a slip-up.
Training your eye: fast telltales
- Misspelled brands: paypaI.com (with a capital “i”), microsofft.net, or strange TLDs.
- Weird subdomain stacks: support.login.verify.example.com.bad-site.io.
- Inconsistent tone: Robotic language, odd grammar, or urgent requests from “senior leadership.”
- Unexpected MFA resets: Prompts to “re-enroll 2FA” via a link in email/SMS.
Copy/paste playbook for your policy
- Never click-to-login from email/SMS. Navigate manually or use bookmarks.
- Always run the CORE routine (copy → inspect domain → expand shortlinks → decide).
- Split channels for sensitive shares: send link and access code separately with short expiry. Learn how: The Safe Way to Share Passwords in 2025 (No Email).
- Use zero-knowledge delivery for secrets so providers can’t read content. Primer: The Beginner’s Guide to Zero-Knowledge Sharing.
- Store, don’t thread: Keep permanent copies in a password manager, not in email. Passphrase tips: How to Create Strong Passphrases You’ll Actually Remember.
FAQ
Is the padlock enough?
No. HTTPS only means the connection is encrypted—it says nothing about who’s on the other end. Verify the domain, not just the padlock.
Are link previews safe?
Previews can fetch content and sometimes ping tracking pixels. Turn off auto-preview where possible and inspect the URL first.
What about mobile?
Long-press links to preview/copy without opening. Paste into notes to inspect the domain calmly before deciding.
Related reading
Send secrets safely (no inbox trails): The Safe Way to Share Passwords in 2025 (No Email)
Understand zero-knowledge delivery: The Beginner’s Guide to Zero-Knowledge Sharing
Compare sharing methods: One-Time Links vs. Encrypted Email: What’s Safer in 2025?
Respond fast after a slip-up: The Simple Incident Playbook for Leaked Passwords
Share Wi-Fi the safe way: How to Share Wi-Fi Credentials Securely with Guests
Bottom line
Slow is smooth, smooth is secure. Copy first, inspect the domain, expand shortlinks, and only then decide. Combine this habit with one-time sharing and MFA, and phishing loses most of its power.
Original Content Notice: This article was originally published on OneTimeRead. All rights reserved.