A bad link does not need to install malware to ruin your day. If it steals a password, redirects you to a fake payment page, or tricks you into handing over personal info, the scam already worked.
Browsers like Chrome warn about known dangerous sites through services like Google Safe Browsing, but plenty of scam links are brand new or rotate faster than blocklists can keep up. Knowing how to read a URL yourself is still one of the most useful things you can learn.
Classic impersonation. Extra letters, swapped characters, lookalike domains designed to pass a quick glance.
paypaI.com - capital "I" instead of lowercase "L"
microsoft-support-login.com - sounds real, completely fake
amazon-confirmation.net - wrong TLD, extra words tacked on
If the domain is not exactly the brand's real domain, treat it as suspicious. Close does not count.
Shortened links are not automatically malicious, but they strip out the most important safety signal: where the link actually goes. You have zero idea what is on the other end until you expand it.
Scam campaigns also love redirect chains, bouncing through multiple URLs before landing on the real phishing page. Each redirect makes it harder to see the true destination.
If you cannot see where a link leads, do not trust it. Expand shortened URLs before clicking.
Scam links often look like a mess on purpose. Attackers count on visual overload so you stop reading and just click:
secure.login.verify.account.example.xyz
Legitimate sites can have long URLs too. The thing to focus on is the actual domain: everything before the first slash after https://. That is the real server you are connecting to. Everything else is noise.
Scammers embed words that trigger autopilot. When you see login, verify, secure, update, or billing in a URL, your brain thinks "this is normal, I log in to things all the time."
When those keywords show up on a domain you do not recognize, that is the setup for a credential harvesting page: a fake login form that sends your password straight to the attacker.
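The checks described so far, written out as a small Python sketch. This is an added example, not ScamKit's code; the brand, shortener, and keyword lists are tiny constructed samples, and taking the last two labels as the registered domain is a simplification (a real tool would consult the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed sample lists (assumptions for illustration, not a real ruleset).
BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com", "amazon": "amazon.com"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
LURES = ("login", "verify", "secure", "update", "billing")
# Characters that pass for another at a glance: capital I and 1 for l, 0 for o.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o"})

def real_host(url):
    """Host the browser actually connects to, with any user@ prefix and :port dropped."""
    netloc = urlsplit(url).netloc          # keeps original letter case
    return netloc.rsplit("@", 1)[-1].split(":")[0]

def registrable(host):
    """Simplification: treat the last two labels as the registered domain."""
    return ".".join(host.lower().split(".")[-2:])

def findings(url):
    """Return the red flags from the article that this URL trips."""
    raw = real_host(url)
    host = raw.lower()
    domain = registrable(host)
    flags = []
    if domain in SHORTENERS:
        flags.append("shortener")          # destination hidden until expanded
    # Read the host the way a hurried eye does, then compare to the real brand domain.
    folded = raw.translate(CONFUSABLE).lower()
    for brand, official in BRANDS.items():
        if brand in folded and domain != official:
            flags.append("lookalike:" + brand)
    if host.count(".") >= 4:
        flags.append("many-subdomains")    # visual overload in front of the real domain
    if domain not in BRANDS.values() and any(w in url.lower() for w in LURES):
        flags.append("lure-keyword")       # trust words on an unrecognized domain
    return flags

if __name__ == "__main__":
    for u in ("https://paypaI.com/signin", "https://www.paypal.com/signin",
              "https://secure.login.verify.account.example.xyz/"):
        print(u, findings(u))
```

An empty list only means none of these patterns matched; it does not mean the link is safe.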
If Chrome, Firefox, or your browser shows a red warning screen, treat that as a hard stop. Google Safe Browsing is built to detect phishing, social engineering, and malware distribution pages. These warnings exist for a reason.
If you need to investigate further for research purposes, use a sandbox or a tool like ScamKit's URL analyzer. Never enter real credentials on a flagged page.
These will not catch every scam. But they catch most of the ones that land in your inbox, your texts, or your DMs. The point is not perfect detection. It is building a habit so the obvious traps stop working on you.
ScamKit's URL analyzer scores links against these exact patterns and more. Paste any suspicious URL to see a risk score and evidence breakdown.