BG Beter Geregeld ICT
Security without an IT department · 5 min read · 27 June 2026

An unknown link in your email: how do you check it without clicking?

How do you judge in thirty seconds whether an unknown link in an email is safe? A practical checklist for SMB owners without an IT department.

You get an email from a supplier. Or a quote from a new client. Or a job application. There's a link in it, and that link leads to a website you've never seen before. Do you click? And if so — what do you check first?

For people without an IT background, this often feels like guesswork. "It looks fine" or "the company is real" aren't great checks — but they're what most people do. In this post we show you how to make a reasonably informed judgement about an unknown URL in about thirty seconds, without installing anything.

Why this matters

In 2026, phishing emails are barely recognisable by poor grammar or vague logos. AI tools produce polished, personalised messages. What remains as the difference between real and fake is almost always the destination of the link. That's where you'll find the misspellings, the odd domains, and the freshly registered addresses.

Good news: you can check that destination without clicking.

Step 1: read the link before you click

Hover your mouse over the link (or press and hold on mobile without releasing). At the bottom of your screen or in a tooltip you'll see the real URL. Only read the part before the first single forward slash. So in:

https://login.microsoft.com.account-verify.ru/secure

...the actual domain is account-verify.ru, not microsoft.com. The Microsoft part is a trick to fool your eye.

Rule of thumb: read the URL from right to left. The last part before the first single /, here account-verify.ru, is the domain that really matters.

Step 2: check for typos and unusual extensions

Attackers love domains that look almost identical to the real thing:

  • rabobаnk.nl — the 'a' is a Cyrillic character
  • marktplааts.nl — double trick letters
  • kvk-portal.com instead of kvk.nl
  • ing.nl.veilig-login.app — ING isn't on .app

If you're unsure, type the official domain yourself in a new tab. It's faster than asking around, and safer than clicking.
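
The reading rule from Step 1 and the look-alike check from Step 2, as an added Python example (not part of the original article): it extracts the domain a link really points to and flags labels that mix alphabets. The function names, the short suffix list and the sample URLs are assumptions constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: a short hand-picked list; production code should use the full
# Public Suffix List to handle suffixes such as co.uk.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}

def real_domain(url):
    """Return the registrable domain a link points to (Step 1)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host.isascii() and "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")  # punycode -> real letters
        except UnicodeError:
            pass  # malformed punycode: keep the raw form
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def scripts_in(label):
    """Unicode scripts of the letters in one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def check_link(url, expected_domain):
    """Compare a link with the domain the sender should be using (Step 2)."""
    domain = real_domain(url)
    findings = []
    if domain != expected_domain.lower():
        findings.append("domain-mismatch")
    for label in domain.split("."):
        if not label.isascii():
            findings.append("non-ascii-label")
        if len(scripts_in(label)) > 1:
            findings.append("mixed-script-label")
    return domain, findings

# Constructed samples based on the examples in the article.
SAMPLES = [
    ("https://login.microsoft.com.account-verify.ru/secure", "microsoft.com"),
    ("https://rabob\u0430nk.nl/inloggen", "rabobank.nl"),  # \u0430 = Cyrillic a
    ("https://ing.nl.veilig-login.app/", "ing.nl"),
    ("https://www.kvk.nl/", "kvk.nl"),
]

if __name__ == "__main__":
    for url, expected in SAMPLES:
        print(check_link(url, expected))
```

The punycode branch matters because many mail clients show a look-alike domain in its `xn--` form in the hover tooltip; decoding it first lets the same mixed-alphabet check apply.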

Step 3: look up who owns the domain

A trustworthy company typically has a domain that has existed for years. A phishing domain is often just days or weeks old. You can look this up yourself using what's called a WHOIS lookup. It doesn't have to be technical — there are free tools where you enter a domain and see the registration date.

Our IP lookup tool shows you at a glance the IP address, the hosting country, and the provider behind a domain. A Dutch webshop suddenly running from a server in an unexpected country? That isn't necessarily a problem, but combined with a high-pressure email it's a red flag.

Step 4: open suspicious links in a safe environment

If you really need to know what's behind a link — for example because a colleague asks whether an email is legitimate — don't just open it on your work laptop. Two options that are easier than they sound:

  • Incognito window on a personal device: not ideal, but better than your regular work session where you're logged in everywhere.
  • Online URL scanner: there are free services where you paste a URL and they open it for you in a sandbox. You get a screenshot back and a verdict on whether it's malicious.

Never do this with links that contain a unique personal token (such as a password-reset link or an invoice link with a token). These often only work once, and you'll be exposing yourself to the attacker.

Step 5: trust the padlock, but not the padlock alone

The padlock icon in the address bar only means that the connection is encrypted. Phishing sites now routinely have a padlock too. It says nothing about the trustworthiness of the owner. Use it as a basic check, not as proof.

A quick checklist for your team

  1. Hover over the link and read the domain before the first single /.
  2. Does the domain match the real organisation, letter for letter?
  3. Did the email come out of nowhere and is there a sense of urgency? Be extra suspicious.
  4. When in doubt: type the official address yourself, or call the sender on a number you already had.
  5. Never log in via a link from an email you weren't expecting.

If it helps, print these five rules and put them at reception or in the break room. It doesn't need to be complicated — it just needs to be done.

What if something already went wrong?

Has someone clicked a suspicious link and possibly entered their login credentials? Time is of the essence. Immediately change the password for the account in question, sign out all active sessions, and check whether two-factor authentication is enabled. If you haven't set that up everywhere yet, now is a good time to do so — a single stolen password will no longer be enough to get in.

Want to know where a domain is hosted before you click? Our IP lookup is free, requires no registration, and gives you a first impression in seconds.

Topics

#SMB #security #phishing #Practical #Tools Explainer

Full guide: Security for SMBs without an IT department: what do you do this quarter?

This article is part of our comprehensive Security without an IT department guide. Read the pillar for the full picture.