LINK INSPECTOR

Inspect a link before you click

A bad link is the single most common way a scam reaches you. Paste a web address here and the inspector reads it apart in your browser, naming each tell and pointing you at the phishing guide. It checks the link itself — it does not open it.

HOW TO READ A LINK BY HAND

The inspector needs JavaScript. Without it, here is the same checklist you can run on any link in your head.

1. Find the real domain. Read the host from the right: the last two parts (like example.com) are the true owner. Everything to the left is a label they chose.
2. Watch for a brand bolted onto another domain, like paypal.com.secure-login.ru — the real site is secure-login.ru.
3. Be wary of an @ in the address. Anything before it is ignored by the browser; the real host is what follows the @.
4. Distrust raw numbers for a host (like 192.168.0.1) and links that start with http instead of https.
5. Look hard at lookalikes: a digit standing in for a letter (paypa1), or a foreign letter that mimics a Latin one (Cyrillic а for a).
6. When anything looks off, do not click. Type the address you know yourself, or open the app you already trust.

HOW TO USE IT

1. Copy the link without opening it. On a phone, press and hold; on a computer, right-click and copy the link address.
2. Paste it into the box and press INSPECT. The inspector reads the address, not the page behind it.
3. Read the tells. Each one explains what it found and why it matters. When in doubt, type the real address yourself instead of clicking.

WHAT HAPPENS TO THE LINK

Nothing is sent anywhere. The inspector runs entirely in your browser — the link you paste is never uploaded, stored, or logged, and the page behind it is never opened. This is a heuristic read of the address, not a verdict on the site.

A WORKED EXAMPLE

Here is a single address that looks almost right, and exactly where it goes wrong. Read it left to right.

WHAT THE INSPECTOR FINDS


        http://paypal.com.secure-login.ru/account/verify

The real domain is secure-login.ru, not paypal.com. Everything before the last two parts is just a label the scammer chose — paypal.com is a sub-domain prefix here, not the destination.
It starts with http, not https, so the connection is not even encrypted. A real bank login is always https.
A trusted brand name is bolted onto an unrelated domain to win a glance of trust. Read a host from the right: the last two parts are who you are really talking to.

> Inspect a link before you click