The Short Version
Before you click any link you didn’t explicitly request — whether it arrived in an email, a text message, a LinkedIn DM, or a Slack notification — you should verify it. Phishing attacks are responsible for more than 90% of successful data breaches, and the majority of them begin with a single click on a link that looked legitimate. This guide explains how to recognize dangerous links, what tools like VirusTotal actually check, and why no automated tool catches everything.
What Makes a Link Dangerous
A link is not inherently dangerous because of where it goes — it’s dangerous because of what happens when you get there. Malicious links generally fall into a few categories:
- Credential harvesting pages: These are fake login portals that look identical to Microsoft, Google, DocuSign, or your bank. You type your username and password, and they are captured instantly.
- Drive-by download sites: Simply visiting these pages can execute code in your browser and install malware, even if you click nothing.
- Malware delivery endpoints: The link triggers an automatic download of a .exe, .zip, .doc, or .pdf file that contains ransomware or a remote access trojan.
- Redirect chains: The link itself is innocent, but it bounces through several redirects before landing on a malicious page — specifically to evade email security scanners that check the first destination only.

The 7 Warning Signs of a Malicious Link
You don’t need a tool to spot most phishing links. Train yourself and your team to look for these patterns:
1. The domain is slightly off
Attackers register domains that look similar to real ones: paypa1.com, microsoft-login.net, wellsfarg0.com. The registrable domain (the label immediately before the top-level domain, plus the top-level domain itself) is the only part that matters for ownership. Everything before it is a subdomain controlled by whoever registered that domain. secure.login.microsoft.com.phishingsite.ru belongs to phishingsite.ru, not Microsoft.
2. URL shorteners
Services like bit.ly, tinyurl.com, and t.co hide the real destination. Legitimate companies rarely shorten links in transactional emails. When you see a shortened link in an unexpected message, treat it as suspicious by default.
3. HTTPS isn’t a safety guarantee
One of the most persistent myths in security awareness training is that the padlock icon means a site is safe. It means the connection is encrypted — nothing more. Phishing sites routinely use HTTPS. According to the Anti-Phishing Working Group, more than 80% of phishing sites now use SSL certificates. The padlock doesn’t validate the owner of the site.
4. The sender address doesn’t match the domain in the link
If an email from support@microsoft.com contains a link to update-account.microsoftsupport247.com, those two domains are owned by completely different entities. Always cross-reference the sender’s domain against the link’s domain.
5. Urgency and pressure language
Phishing messages are engineered to bypass rational thinking. “Your account will be locked in 24 hours,” “Immediate action required,” and “You’ve been selected” are linguistic patterns designed to make you click before you think. Legitimate services give you time.
6. Unexpected file attachments or download prompts
A link that immediately triggers a download, especially of .exe, .doc (with macros), .zip, or .lnk files, is extremely high risk. No legitimate business operation sends unsolicited executables via email.
7. The context doesn’t match your recent activity
A shipping notification for a package you didn’t order, a DocuSign request for a contract you never initiated, or an invoice from a vendor you don’t use — these are classic pretexts. Phishing relies on volume; they send millions of messages hoping some percentage have recently shopped online or used the impersonated service.
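Signs 1, 2, 4 and 6 can be checked mechanically once the registrable domain (the registered label plus its public suffix) is extracted from the link. The following is an added example, not code from this guide's checker; the function names and the `expected_brand_domain` parameter are hypothetical, and the multi-label suffix set is a small constructed sample standing in for the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes; production code should
# load the full Public Suffix List instead of this sample.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}        # named in sign 2
RISKY_EXTENSIONS = (".exe", ".zip", ".doc", ".lnk")   # named in sign 6


def registrable_domain(host):
    """Return the registered label plus its public suffix (DNS names only)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage_link(url, sender, expected_brand_domain):
    """Return the numbered warning signs that a link trips."""
    parts = urlsplit(url)
    host = parts.hostname or ""   # .hostname ignores any user@ prefix in the URL
    owner = registrable_domain(host)
    brand = expected_brand_domain.split(".")[0]
    findings = []
    # Sign 1: the brand name appears in the host, but someone else owns it.
    if brand in host and owner != expected_brand_domain:
        findings.append(f"1: '{brand}' appears in host but owner is {owner}")
    # Sign 2: a shortener hides the real destination.
    if owner in SHORTENERS:
        findings.append(f"2: shortened link via {owner}")
    # Sign 4: the sender's domain and the link's domain have different owners.
    sender_owner = registrable_domain(sender.rsplit("@", 1)[-1])
    if sender_owner != owner:
        findings.append(f"4: sender {sender_owner} != link {owner}")
    # Sign 6: the path ends in a file type the guide calls high risk.
    if parts.path.lower().endswith(RISKY_EXTENSIONS):
        findings.append("6: link targets a high-risk file type")
    return findings


if __name__ == "__main__":
    print(triage_link("https://secure.login.microsoft.com.phishingsite.ru/signin",
                      "support@microsoft.com", "microsoft.com"))
```

A character-swap lookalike such as paypa1.com does not contain the brand string, so it trips sign 4 (sender mismatch) rather than sign 1.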
What VirusTotal Actually Does
VirusTotal is a free service owned by Google that aggregates results from more than 90 antivirus engines and URL scanners simultaneously. When you submit a URL, VirusTotal checks it against databases maintained by vendors including Kaspersky, Symantec, Sophos, Avast, ESET, Bitdefender, and many others. It also performs behavioral analysis by visiting the URL in a sandboxed environment and recording what happens.
The results come back with a vendor count: “3 / 92 vendors flagged this URL as malicious.” That number matters, but it requires interpretation. A score of 0/92 doesn’t mean a URL is safe — it means no vendor in the consortium has flagged it, often because none has seen it before, which is actually a risk indicator for brand-new phishing pages. A score of 3/92 might mean three vendors have already added it to their blocklists based on real-world incidents.
VirusTotal caches results. If a URL was scanned 48 hours ago and the page content has changed since then, you may receive a stale result. For high-risk links, force a rescan.
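The interpretation rules above, written as an added example (not code from this guide's checker) that reads a VirusTotal API v3 URL report. The reports are constructed samples built by the hypothetical `sample` helper, and treating the text's 48-hour figure as the staleness threshold is an assumption.

```python
import base64

STALE_AFTER_HOURS = 48  # threshold taken from the text's 48-hour example


def vt_url_id(url):
    """API v3 URL identifier: URL-safe base64 of the URL, padding stripped."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def interpret(report, now):
    """Read a GET /api/v3/urls/{id} report the way the text describes."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    # Assumption: count "suspicious" verdicts together with "malicious".
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = sum(stats.values())
    age_hours = (now - attrs["last_analysis_date"]) / 3600
    stale = age_hours > STALE_AFTER_HOURS
    if flagged:
        verdict = "block"
    elif stale:
        verdict = "rescan"    # POST /api/v3/urls/{id}/analyse, then re-read
    else:
        verdict = "unknown"   # zero flags is missing evidence, not a pass
    return {"score": f"{flagged}/{total}", "age_hours": round(age_hours, 1),
            "stale": stale, "verdict": verdict}


def sample(malicious, age_hours, now):
    """Build a constructed report (not real VirusTotal output), 92 engines."""
    return {"data": {"attributes": {
        "last_analysis_date": now - age_hours * 3600,
        "last_analysis_stats": {"harmless": 70 - malicious, "malicious": malicious,
                                "suspicious": 0, "undetected": 22, "timeout": 0}}}}


NOW = 1_700_000_000  # fixed clock so the example is reproducible
if __name__ == "__main__":
    for name, rep in [("flagged", sample(3, 2, NOW)),
                      ("clean, cached 72h", sample(0, 72, NOW)),
                      ("clean, fresh", sample(0, 1, NOW))]:
        print(name, interpret(rep, NOW))
```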
Why Free Tools Still Miss Some Threats
No tool provides 100% coverage, and understanding the gaps helps you use these tools appropriately rather than over-relying on them:
Zero-day phishing pages
A phishing page registered and deployed in the last few hours may not appear in any threat intelligence database yet. Attackers time their campaigns to run before defenses catch up, then abandon the domain. Modern phishing infrastructure can be stood up in under 15 minutes.
Geofenced and targeted attacks
Sophisticated attackers serve malicious content only to specific IP ranges, user agents, or referrers. If VirusTotal’s scanner visits from a Google IP address, the page may serve innocent content while delivering malware to your employees.
One-time-use tokens
Some phishing links are single-use. After the first click (by the victim), the link redirects to a benign page so that security researchers investigating the link see nothing suspicious.
Legitimate services used maliciously
Attackers increasingly host phishing content on legitimate platforms: Google Docs, SharePoint, Dropbox, OneDrive, and GitHub. These domains will never be flagged by VirusTotal because the infrastructure itself is legitimate — only the content is malicious.
What to Do After Clicking a Bad Link
If you or an employee clicks a suspicious link, the response matters as much as the prevention. Act quickly:
- Disconnect from the network immediately — if malware was delivered, severing network access prevents it from communicating with its command-and-control server.
- Don’t enter credentials — if you landed on a fake login page and didn’t type anything, you’re likely fine. If you did type credentials, change them immediately from a different device.
- Report to IT immediately — the window between initial compromise and lateral movement is often less than 48 hours. Early containment is critical.
- Enable MFA on the affected account — even if credentials were captured, a valid second factor prevents immediate account takeover.
- Preserve evidence — don’t delete the original email or message. IT needs it for forensic analysis.
Train Your Team
Technology controls have a ceiling. The human element remains the primary attack surface. Effective phishing awareness training has three components:
Simulated phishing campaigns: Regular, realistic simulations sent to all staff measure click rates and identify employees who need additional coaching. The goal is not to punish — it’s to build muscle memory.
Just-in-time training: When an employee clicks a simulated phishing link, they receive immediate training at the moment of maximum receptiveness. This is far more effective than annual classroom sessions.
Clear reporting procedures: Employees need a simple, no-blame way to report suspicious links. Every reported phishing attempt is an opportunity to prevent a breach. If reporting feels risky, employees stay silent.

Nicholas Salem is the CEO of Boston Managed IT, a managed services provider serving professional services firms and small businesses across Greater Boston. BMIT helps clients build and operate security programs that meet Massachusetts compliance requirements.