CHECKLINK AI
Back to Learn
Trust Signals

URL Risk Signals: What CheckLink Looks For

A practical explanation of HTTPS, redirects, final domain mismatch, punycode, IP hosts, deep subdomains, and lookalike patterns.

Updated 2026-07-06 - 8 min - People who want to understand CheckLink verdicts

Signals are clues, not proof

A URL signal is a clue that helps estimate risk. One signal rarely proves that a link is safe or unsafe, but several signals together can guide a better decision.

Transport and destination

HTTPS is useful because it protects the connection, but it does not prove legitimacy. The final domain matters because redirects can send a user somewhere different from the visible link.

Structure and encoding

Raw IP hosts, punycode, unusual encoding, very deep subdomains, and strange URL structure can all deserve caution when the context is sensitive.

Lookalike patterns

Misspelled brands, number substitutions, and support or billing words attached to a brand can indicate possible impersonation. Similarity is a signal that needs context.

How CheckLink helps

CheckLink shows signals and reasons so users can decide whether to proceed, verify elsewhere, report the link, or request manual review.

Checklist

HTTPS
Redirect chain
Final domain
Punycode
Raw IP host
Lookalike pattern
Deep subdomains

FAQ

Does one bad signal mean phishing?

Not always. It means the link deserves closer review.

Why show reasons?

Reasons help people understand the verdict and take safer next steps.

Related guides

Related glossary terms

Use CheckLink before the next click

CheckLink provides risk signals and review paths. It does not guarantee that a website is risk-free.