You received a link via text, email, or scanned a QR Code in a public place — and you're not sure: "is this link safe?" That hesitation is healthy. Scams using shortened links and QR Codes (known as quishing) are on the rise, and the real destination stays hidden until you click.
This guide shows you how to verify any link in seconds using Code2Scan's URL checker — no app install needed.
Why check a link before clicking?
Shortened URLs (like bit.ly/xYz9) and QR Codes are convenient, but they completely hide the destination. A scammer can register secure-bank.com (a fake domain mimicking a real bank), create a QR Code on a fake flyer, and send victims to a page that steals passwords and banking details.
Quishing (phishing via QR Code) has grown precisely for this reason: whoever scans the code has no idea where they're going. Checking the link before opening it is the only way to stay safe.
What Code2Scan's URL checker analyzes
The URL checker performs four checks in seconds:
| Check | What it reveals |
|---|---|
| Real destination | The final URL after all redirects from short links |
| HTTPS | Whether the site uses an encrypted connection |
| Redirect chain | How many hops the link makes before reaching the destination |
| Reputation (Google Safe Browsing) | Whether the domain is listed as phishing, malware, or deceptive |
Even if you receive an innocent-looking link like cutt.ly/abc123, the tool follows every redirect and shows you the final address — whether it's a legitimate site or a trap.
Step by step: how to check a link
- Copy the suspicious link (don't click it).
- Go to Code2Scan's URL checker.
- Paste the link in the field and click Check.
- Read the report:
- Final destination: confirm the domain is what you expect (e.g.,
paypal.com, notpaypa1.com). - HTTPS: if the destination doesn't use HTTPS, never enter personal data.
- Redirects: many hops (3+) are a red flag.
- Reputation status: "Safe", "Suspicious", or "Dangerous".
- Final destination: confirm the domain is what you expect (e.g.,
- If everything looks clean, you can click with more confidence.
For links that arrive via QR Code, copy the URL from your QR reader and paste it directly here. See also how to read a QR Code on your phone safely.
Warning signs in a link
Even without tools, some signs demand immediate attention:
| Warning sign | What it means | What to do |
|---|---|---|
| Typosquatted domain | paypa1.com, g00gle.com |
Don't click; report as phishing |
| Shortened link from unknown sender | bit.ly, tinyurl from suspicious source |
Run through url-checker first |
| Asks for password or banking details | Login page outside the official site | Close immediately |
| Urgency or threats ("your account will be blocked") | Classic social engineering | Visit the site directly in your browser |
| QR Code sticker over another QR | Possible scammer replacement | Inspect the physical QR before scanning |
| HTTP without "s" at the destination | No encryption | Never enter personal data |
Links from link shorteners used in legitimate campaigns usually have a branded domain (e.g., brand.ly). If the shortener is generic and the sender unknown, be suspicious.
QR Codes in public places: extra caution
QR Codes in restaurants, transit stations, parking lots, and ATMs are prime targets for scammers. All it takes is sticking a fake QR sticker over the original. Before paying or entering data:
- Check whether the QR is physically attached to the support (not just a piece of paper stuck on top).
- Copy the URL from your QR reader and run it through the checker before confirming any payment.
- Read more about common QR Code mistakes that expose users to scams.
Common mistakes
❌ Clicking to "see if it's safe"
Clicking the link to check the destination is exactly what the scammer wants. Use the URL checker — you analyze without exposing your device.
❌ Trusting HTTPS as an absolute guarantee
HTTPS means the connection is encrypted, not that the site is legitimate. Scammers also use HTTPS. The padlock doesn't replace a reputation check.
❌ Ignoring the destination domain
After checking, many people just look at the "Safe/Dangerous" status and ignore the actual domain. Read the full final address — one wrong character can signal fraud.
❌ Not checking links from QR Codes sent by friends
Friends and colleagues can be hacked. A link from someone you trust can still be dangerous if their account is compromised.
❌ Relying solely on your phone's antivirus
Local antivirus tools don't analyze redirects in real time. The URL checker complements your existing protection.
Summary
- Never click a suspicious link to "see what it is" — use the URL checker first.
- Paste the link into Code2Scan's checker and read the final destination, HTTPS status, and reputation.
- Wrong domain, HTTP only, many redirects, or "Dangerous" status → don't visit.
- For QR Codes in public places, always verify the link before paying or entering data.
- HTTPS alone doesn't guarantee safety — check the domain and reputation too.
Stay safe before you click: use Code2Scan's URL checker and discover the real destination of any link or QR Code in seconds.
