Security · ~3 min read

Is this link a scam? A 30-second check anyone can do

By Gary Amick · That Computer Guy 26 · Seymour, Indiana

You got a text. Or an email. It says your package is held up, your bank account is locked, your USPS delivery needs a $2.95 reschedule fee. There’s a link. Should you click? Here are the five red flags — and a tool on this site that does the analysis without sending the link to anyone.

The five red flags

1. The visible text doesn’t match the actual URL

On a phone, long-press the link. On a computer, hover over it without clicking. The actual URL appears at the bottom of the screen or in a popup. If the text says chase.com but the actual URL is chasse-secure-login.com.tk, that’s the scam.

2. The hostname is weird

Random words: secure-update-portal-1843.com — legit companies don’t use IDs in subdomains.
Brand name + extras: amazon-account-security.help — the real Amazon is just amazon.com.
Country codes that don’t match: usps.delivery.tk, fedex.com.ru, anything ending in .tk / .ml / .gq / .cf is almost always a scam.
Numbers replacing letters: g00gle.com, paypa1.com.

3. There’s no HTTPS — or the certificate is brand new

If the URL starts with http:// instead of https://, walk away. Even scammers usually have HTTPS now — but if it’s missing, the site isn’t even trying.

4. The message creates artificial urgency

“Your account will be closed in 24 hours.” “Final notice.” “Action required immediately.” Real banks, USPS, and the IRS don’t communicate this way. They send paper mail. They give you weeks.

5. They’re asking for credentials, payment, or remote-access

If a link asks you to log in, pay a tiny fee, or download a remote-access tool (AnyDesk, TeamViewer), that’s the scam itself. Real institutions never need you to install remote-access software for them.

The cleanest rule. If you got the message and weren’t expecting it — even if it looks legit — close the message, open a fresh browser tab, and type the company’s URL yourself. Log in there. If the message was real, you’ll see a notification in your account. If it wasn’t, you just dodged a phishing attempt.

Use the local analyzer (privacy-respecting)

The Scam Link Analyzer on the home page does these checks automatically — in your browser. The link never gets sent to me, to a third-party API, or to anyone. It runs in your browser, applies the heuristics above, and tells you the risk level. If 3+ red flags trigger, don’t click.

What to do if you already clicked

Don’t panic. Visiting a page rarely infects you by itself.
Did you enter a password? Change it on the real site immediately. Use a password you’ve never used elsewhere.
Did you enter banking or card info? Call your bank’s fraud line on the back of your card and freeze it. The bank will replace the card.
Did you download or install anything? Disconnect the device from the internet. Run Malwarebytes free in Safe Mode. Or call.
Forward the original phishing message to reportphishing@apwg.org and (if it impersonated a US agency) phishing-report@us-cert.gov. Free, takes 30 seconds, helps shut the campaign down faster.

Need help right now?

If you clicked something and aren’t sure what happened, or the device is acting strange, call 812-414-9097. We’ll triage it — usually a remote session is enough to confirm whether anything actually happened.

See Business IT services → ☎ 812-414-9097