Hands-On: Investigate a Suspicious Link

These exercises teach you to investigate URLs and domains the way a security professional does — before clicking anything.


Exercise 1 — Scan a URL with VirusTotal

Before You Start: VirusTotal is a free service that checks URLs and files against dozens of antivirus and security engines simultaneously. It is the standard first tool when you receive a suspicious link.

  1. Open your browser and go to virustotal.com
  2. Tap the URL tab at the top
  3. In the search box, paste this test URL (it is a known phishing test domain, safe to check): http://phishing.test.eicar.org
  4. Tap the search icon and wait for results
  5. Read the results — how many security engines flagged it, and what categories do they assign to it?
  6. Now check a legitimate site: search for https://sbi.co.in
  7. Compare the results

What You’re Seeing

VirusTotal queries dozens of security engines (Kaspersky, Avast, Google Safe Browsing, ESET, and many more) and shows you their collective verdict. A phishing URL will typically be flagged by many engines. A legitimate site will show clean results across the board.

Deepa Asks

“Can I check an SMS link before clicking it?”

Yes. Copy the link text from the SMS (long-press on the link to copy it without opening it), then paste it into VirusTotal. If the link is in a message that makes it hard to copy without clicking, you can type the domain name manually into VirusTotal’s URL scanner. Never click a suspicious link to find out if it is safe.

Discussion Prompt: VirusTotal shows results from many different engines. If 60 engines say “clean” and 3 say “malicious,” what would you do? Is majority vote the right metric here?


Exercise 2 — Check a Domain’s WHOIS Record

Before You Start: Every domain on the internet is registered with a creation date, registrant information, and an expiry date. WHOIS lets you look up this information. A domain registered yesterday claiming to be a major bank is a major red flag.

  1. Open your browser and go to lookup.icann.org
  2. In the search box, type sbi.co.in and tap Lookup
  3. Note the following:
    • Creation Date — when was the domain first registered?
    • Updated Date — when was it last modified?
    • Registrar — who manages the domain registration?
    • Name Servers — which DNS servers are authoritative for this domain?
  4. Now search for a suspicious-looking domain. Try sbi-kyc-update.com or make up a domain that sounds like a phishing site. If it exists, check when it was registered
  5. Compare the creation date of the real sbi.co.in with any suspicious variations you find

What You’re Seeing

sbi.co.in was registered many years ago. A phishing domain impersonating SBI would typically be registered days or weeks before use — attackers do not need the domain for long, because it gets blacklisted quickly. A domain registered recently that claims to be a major bank is almost certainly fraudulent.

Rohan Goes Deeper

Note the Name Servers in the WHOIS record. For sbi.co.in, these are SBI’s own DNS servers. For a phishing domain, you would likely see generic name servers from a cheap hosting provider. Combined with creation date and registrant information (which is often hidden behind privacy services), this gives a profile of whether the domain is legitimate.

Discussion Prompt: WHOIS records often show “Registrant information redacted for privacy.” Why would a legitimate business hide its registrant information, and why would a fraudster hide it?
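To see how the Exercise 2 checks look when written down as rules, here is an added example (not a tool from the session, and not real registry output) that parses a WHOIS record in the “Field: value” layout lookup.icann.org prints, works out the domain’s age, and lists the red flags: a young domain, name servers that are not run by the organisation the site claims to be, and a registrant hidden behind a privacy service. The two WHOIS records, the 90-day threshold and the `example-bank.in` name-server suffix are all constructed assumptions.

```python
"""Parse a WHOIS text record and pull out the Exercise 2 signals (creation date,
registrar, name servers, registrant privacy).  Added example, not a tool from the
session; both WHOIS records below are constructed and describe no real domain."""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Sequence

# Constructed record in the "Field: value" layout that lookup.icann.org and most
# registries print.  Every value is a placeholder.
SUSPICIOUS_WHOIS = """\
Domain Name: EXAMPLE-KYC-UPDATE.COM
Registrar: Example Cheap Registrar LLC
Creation Date: 2024-03-01T10:15:00Z
Updated Date: 2024-03-01T10:15:00Z
Registry Expiry Date: 2025-03-01T10:15:00Z
Registrant Organization: REDACTED FOR PRIVACY
Name Server: NS1.CHEAP-HOST.EXAMPLE
Name Server: NS2.CHEAP-HOST.EXAMPLE
"""

# Constructed record for a long-established organisation (placeholder values).
ESTABLISHED_WHOIS = """\
Domain Name: example-bank.in
Registrar: Example National Registrar
Creation Date: 2005-02-14
Updated Date: 2023-11-02
Registrant Organization: Example Bank Limited
Name Server: ns1.example-bank.in
Name Server: ns2.example-bank.in
"""

# Date layouts commonly seen in WHOIS output.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d", "%d-%b-%Y")


def parse_whois(text: str) -> Dict[str, object]:
    """Map lower-cased field names to values; repeated fields (Name Server) become lists."""
    record: Dict[str, object] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # only the first ':' separates the field
        key, value = key.strip().lower(), value.strip()
        if not sep or not value:
            continue
        if key in record:
            existing = record[key]
            record[key] = (existing if isinstance(existing, list) else [existing]) + [value]
        else:
            record[key] = value
    return record


def parse_date(value: str) -> Optional[datetime]:
    """Accept the common WHOIS date layouts; return an aware UTC datetime or None."""
    value = value.strip().replace("Z", "+00:00")
    for fmt in DATE_FORMATS:
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)
    return None


def domain_age_days(record: Dict[str, object], now: datetime) -> Optional[int]:
    created = parse_date(str(record.get("creation date", "")))
    return None if created is None else (now - created).days


def name_servers(record: Dict[str, object]) -> List[str]:
    ns = record.get("name server", [])
    return [ns] if isinstance(ns, str) else list(ns)


def whois_red_flags(record: Dict[str, object], now: datetime,
                    brand_suffixes: Sequence[str] = ()) -> List[str]:
    """Return the red flags Exercise 2 teaches you to look for (empty list = none found)."""
    flags: List[str] = []
    age = domain_age_days(record, now)
    if age is None:
        flags.append("creation date missing or in an unrecognised format")
    elif age < 90:   # threshold is an assumption; tune it for your own triage
        flags.append(f"domain is only {age} days old")
    servers = [s.lower() for s in name_servers(record)]
    if brand_suffixes and not any(s.endswith(b) for s in servers for b in brand_suffixes):
        flags.append("name servers are not run by the organisation the site claims to be")
    org = str(record.get("registrant organization", "")).lower()
    if "redacted" in org or "privacy" in org:
        flags.append("registrant hidden by a privacy service (weak signal on its own)")
    return flags


if __name__ == "__main__":
    today = parse_date("2024-03-10T12:00:00Z")   # fixed date so the output is reproducible
    for label, text in (("suspicious", SUSPICIOUS_WHOIS), ("established", ESTABLISHED_WHOIS)):
        print(label, whois_red_flags(parse_whois(text), today, (".example-bank.in",)))
```

The privacy-redaction flag is deliberately labelled weak: as the discussion prompt notes, legitimate businesses use privacy services too, so on its own it should never decide the verdict. Age and name-server ownership carry more weight, and the three together are what give you the profile Rohan describes.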


Exercise 3 — DNS Lookup and Domain Investigation

Before You Start: The Google Admin Toolbox has a DNS lookup tool that lets you query DNS records for any domain. This is useful for understanding who controls a domain and verifying that the IP it resolves to is correct.

  1. Open your browser and go to toolbox.googleapps.com/apps/dig
  2. In the domain field, type sbi.co.in and select record type A (which gives you IPv4 addresses)
  3. Tap the Run button and note the IP address(es) returned
  4. Now go to who.is and paste that IP address — this shows you who owns the IP block
  5. Verify the organisation matches what you expect (SBI or a known Indian hosting provider)
  6. Now do the same for npci.org.in — check the IP and verify the owner

What You’re Seeing

The A record for a domain is its IPv4 address. The IP ownership (shown by the WHOIS on the IP itself, which is different from domain WHOIS) tells you which organisation owns that block of IP addresses. For sbi.co.in, you would expect to see an IP owned by SBI or a major Indian hosting/CDN provider. A phishing domain would typically resolve to an IP owned by a random hosting company, often outside India.

These Are Investigation Tools, Not Conclusive Tests

These tools are for investigation — building a picture. A site can pass all of these checks and still be malicious (sophisticated attackers do exist). And legitimate sites can fail individual checks. Use these as signals, not verdicts. The combination of multiple suspicious signals is what matters.

Discussion Prompt: You receive an email saying you have a refund from IRCTC. The link goes to irctc-refund-2024.com. Walk through what you would check using the three tools from this session before deciding whether to click.


Tying It Together

You now have a professional’s toolkit for investigating suspicious links:

  1. VirusTotal — has this URL already been flagged by security engines?
  2. ICANN WHOIS — how old is this domain? Who registered it?
  3. DNS lookup + IP WHOIS — does this domain resolve to an IP owned by the organisation it claims to be?
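The three checks above are signals to be weighed together, which is easier to see as code. The following is an added example, not a tool from the session: it takes the numbers you would read off virustotal.com, lookup.icann.org and who.is by hand (engine counts, creation date, IP block owner), adds a lookalike-domain test for names such as sbi-kyc-update.com, and turns them into one decision. It also answers the Exercise 1 discussion prompt the way a practitioner would: one credible detection counts even when most engines say clean, and zero detections on a brand-new domain means “unknown”, not “safe”. The sample inputs, the 90-day threshold, the short public-suffix table and the IP owner strings are all constructed assumptions.

```python
"""Combine the three checks from this session (VirusTotal verdicts, WHOIS age,
DNS/IP ownership) plus a lookalike-domain test into one triage decision.  Added
example, not a tool from the session; all inputs are constructed stand-ins."""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Sequence, Set
from urllib.parse import urlsplit

# Assumption: a tiny table of two-label public suffixes is enough for this
# example.  A production tool would use the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.in", "org.in", "net.in", "ac.in", "gov.in", "co.uk"}


def utc_date(text: str) -> datetime:
    """'2024-05-27' -> aware UTC datetime (keeps the examples free of clock dependence)."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def registered_domain(host: str) -> str:
    """'login.sbi-kyc-update.com' -> 'sbi-kyc-update.com'; 'www.sbi.co.in' -> 'sbi.co.in'."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def imitates_brand(domain: str, brand_domains: Set[str]) -> bool:
    """True when the domain's first label borrows a brand's name but the domain is
    not one the brand owns.  Substring matching is deliberately loose: this is a
    signal for a human to weigh, not a verdict."""
    if domain in brand_domains:
        return False
    brand_names = {d.split(".")[0] for d in brand_domains}      # e.g. 'sbi'
    return any(name in domain.split(".")[0] for name in brand_names)


def triage(url: str, *, brand_domains: Set[str], vt_malicious: int, vt_total: int,
           created: Optional[datetime], ip_owner: str,
           expected_owners: Sequence[str], now: datetime) -> Dict[str, object]:
    """Collect red flags from each tool and turn them into a decision."""
    host = urlsplit(url).hostname or ""
    domain = registered_domain(host)
    signals: List[str] = []

    # Exercise 1: a credible detection counts even when most engines say clean.
    # Majority vote is the wrong metric: most engines simply have no data yet.
    if vt_malicious > 0:
        signals.append(f"flagged by {vt_malicious} of {vt_total} engines")

    # Exercise 2: an established organisation does not run on a week-old domain.
    if created is None:
        signals.append("no creation date in WHOIS")
    elif (now - created).days < 90:            # threshold is an assumption
        signals.append(f"domain registered {(now - created).days} days ago")

    # Lookalike: uses the brand's name on a domain the brand does not own.
    if imitates_brand(domain, brand_domains):
        signals.append(f"{domain} imitates a brand but is not one of its domains")

    # Exercise 3: the IP block owner (IP WHOIS) should be the organisation itself
    # or a hosting provider it is known to use.
    if not any(owner.lower() in ip_owner.lower() for owner in expected_owners):
        signals.append(f"IP block belongs to '{ip_owner}', not an expected organisation")

    # Several independent signals together are what matter.  Zero signals is not
    # proof of safety: a brand-new URL may simply be unknown to every engine.
    if len(signals) >= 2:
        verdict = "do not click"
    elif signals:
        verdict = "suspicious: confirm through the organisation's official app or site"
    else:
        verdict = "no red flags found (not the same as proven safe)"
    return {"host": host, "domain": domain, "signals": signals, "verdict": verdict}


if __name__ == "__main__":
    # Constructed inputs for the lookalike domain from Exercise 2.
    result = triage("http://login.sbi-kyc-update.com/verify",
                    brand_domains={"sbi.co.in"}, vt_malicious=3, vt_total=63,
                    created=utc_date("2024-05-27"), ip_owner="Cheap Cloud Hosting Ltd",
                    expected_owners=("State Bank of India",), now=utc_date("2024-06-01"))
    for line in result["signals"]:
        print(" -", line)
    print("verdict:", result["verdict"])
```

Run it with `vt_malicious=0` on the same lookalike URL and the verdict is still “do not click”: the domain age, the borrowed brand name and the unexpected IP owner carry the decision without any engine having flagged it, which is exactly the IRCTC-refund scenario from the Exercise 3 discussion prompt.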

Sunita didi wishes more customers used these tools before calling. In most cases, the investigation takes 30 seconds and the answer is clear. In Session 5, we put everything together — all five sessions in one walkthrough — and look at where these skills lead professionally.