Checking a domain: reputation (VirusTotal) and ownership (WHOIS)

Once you've found the domain in a sender address or link (see Reading domains and URLs), you can look it up before trusting it. Two free tools do almost everything a beginner needs: VirusTotal (is this domain known to be bad, and how old is it?) and WHOIS (who actually owns it?). You don't install anything — both are websites.

A note on the brackets you'll see on the cards: we write dangerous-looking links defanged, like paypa1[.]com or hxxps://. That's a safety convention so nothing is clickable. Don't count on a lookup tool understanding the brackets: put the value back together before you paste it (paypa1[.]com becomes paypa1.com, hxxps becomes https). Typing a domain into the VirusTotal or WHOIS search box looks it up; it does not open the site in your browser, so this is safe.

VirusTotal — reputation and age

VirusTotal checks a domain (or link, or file) against ~70 security vendors at once and shows you what they think.

How to use it for a suspicious email:

  1. Go to virustotal.com. Use the Search tab for a bare domain and the URL tab for a full link.
  2. Paste the sender's domain (the part after the @) or the link's domain, then press enter.
  3. Read two things:
    • Detections — how many vendors flag it as malicious or suspicious. Even a few detections on a domain you were about to "log in" to is a hard stop.
    • The "Details" tab → Creation Date: how old the domain is. VirusTotal copies this from the WHOIS record, so for some domains it is blank; if so, look the domain up in WHOIS (below).

Why age matters so much. Real companies have owned their domains for years or decades (paypal.com since the 1990s). Phishing domains are usually registered days or hours before the attack, then burned. So a domain that is brand new and is pressuring you to log in, pay, or hurry is a giant red flag — even if no vendor has flagged it yet (it's often too new for the feeds to catch up). New by itself proves nothing; new plus urgency plus a request for credentials or money is reason enough to stop.

Do this for both the sender domain and the link domain. Phishers often use one domain to send and a different one for the link — checking both catches more.

WHOIS — who owns the domain?

Every domain has a registration record. WHOIS is how you look it up — go to whois.com/whois/ (or who.is) and type the domain. It shows when the domain was registered, by which registrar, and often the organization or country.

The PayPal example. Say you get an email from service@paypa1-billing[.]com claiming to be PayPal (note the digit 1 where the l should be). Run that domain, brackets removed, through WHOIS:

  • If it were really PayPal, the record would tie back to PayPal/its brand-protection registrar, with a registration date going back many years.
  • Instead you'll typically see a domain registered last week, through a cheap registrar, with the owner hidden behind a privacy service (the registrant fields read "REDACTED FOR PRIVACY" or name a proxy company), often in an unrelated country. Privacy services are common on legitimate domains too, so the hidden owner matters only in combination with the age and the pressure in the message.

That mismatch answers the only question that matters: is the sender even associated with PayPal? No. PayPal does not send mail from a domain someone registered last Tuesday. The display name said "PayPal"; the ownership record says otherwise — and ownership wins.

A simple routine

For any message you're unsure about:

  1. Pull the sender domain and the link domain (right-to-left rule).
  2. VirusTotal each one → detections + creation date.
  3. If still unsure, WHOIS the domain → registration age + owner.
  4. Old, clean, and owned by the real company → probably fine. Flagged, brand new, or owned by someone other than the company it claims to be → treat as malicious and go to the company directly instead. A privacy-hidden owner on its own is not a verdict; it counts against the domain when the domain is also new or the message is also pushing you to act.

This takes about thirty seconds once you've done it a few times, and it's the same routine professional analysts run.
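The routine above written out as code, as an added example (not part of the original page, and not VirusTotal's or any WHOIS service's own code). It runs offline: the email, the VirusTotal-shaped JSON, the WHOIS text, the registrar name and the fixed clock are all constructed for the example, and the 30-day and one-year age thresholds are assumptions chosen for illustration. The JSON shape and the Creation Date / Registrant Organization field names are the ones VirusTotal's v3 domain object and registry WHOIS records actually use; the Public Suffix List is replaced by a short hard-coded set.

```python
"""The VirusTotal + WHOIS routine as code, run offline on constructed data (added example)."""
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a real tool consults the full Public Suffix List; this set covers the sample.
_TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}
_PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "whoisguard", "withheld")

def refang(text: str) -> str:
    """Undo the card convention so a tool can read it: paypa1[.]com -> paypa1.com, hxxps -> https."""
    return re.sub(r"\bhxxp(s?)://", r"http\1://", text.replace("[.]", "."), flags=re.IGNORECASE)

def registrable_domain(host: str) -> str:
    """Right-to-left rule: public suffix plus one label. login.paypal.com -> paypal.com;
    paypal.com.account-check.co.uk -> account-check.co.uk (the leading 'paypal.com' is a decoy)."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def extract_domains(raw_email: str) -> dict:
    """Step 1: the sender domain (after the @) and each distinct link domain in the body."""
    msg = message_from_string(refang(raw_email))
    sender = parseaddr(msg.get("From", ""))[1]
    body = "".join(str(p.get_payload(decode=True) or b"", "utf-8", "replace")
                   for p in msg.walk() if not p.is_multipart())
    hosts = [urlparse(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", body)]
    links = list(dict.fromkeys(registrable_domain(h) for h in hosts if h))
    return {"sender": registrable_domain(sender.split("@")[-1]) if "@" in sender else None, "links": links}

def vt_summary(report: dict, now: datetime) -> dict:
    """Step 2: the two numbers to read from a VirusTotal v3 domain object (GET /api/v3/domains/{d}).
    creation_date is a Unix timestamp copied from WHOIS and is missing for some TLDs (age None)."""
    attrs = report["data"]["attributes"]
    stats, created = attrs.get("last_analysis_stats", {}), attrs.get("creation_date")
    age = (now - datetime.fromtimestamp(created, tz=timezone.utc)).days if created else None
    return {"detections": stats.get("malicious", 0) + stats.get("suspicious", 0), "age_days": age}

def whois_summary(record: str, now: datetime) -> dict:
    """Step 3: registrar, age and owner-hidden flag from the 'Key: Value' text whois.com shows."""
    fields = {}
    for line in record.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), value.strip())
    created = (fields.get("creation date") or fields.get("created", "")).rstrip("Z")[:19]
    age = None
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d"):  # both shapes occur in real records
        try:
            age = (now - datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)).days
            break
        except ValueError:
            continue
    org = fields.get("registrant organization", "")
    return {"registrar": fields.get("registrar"), "age_days": age,
            "registrant_hidden": not org or any(m in org.lower() for m in _PRIVACY_MARKERS)}

def verdict(vt: dict, whois=None, asks_for_credentials_or_money: bool = True) -> str:
    """Step 4. Age comes from VirusTotal when it has it, else from WHOIS. Thresholds (30 days =
    brand new, a year = old) are assumptions. A hidden registrant alone is not a verdict."""
    age = vt["age_days"] if vt["age_days"] is not None else (whois or {}).get("age_days")
    if vt["detections"] > 0:
        return "malicious: flagged by security vendors"
    if age is not None and age < 30:
        if asks_for_credentials_or_money or (whois and whois["registrant_hidden"]):
            return "malicious: brand-new domain asking for credentials/money or hiding its owner"
        return "suspicious: registered within the last 30 days"
    if age is not None and age >= 365:
        return "probably fine: old and clean"
    return "unclear: no reliable age; go to the company directly rather than trust the message"

def run_routine(raw_email: str, vt_reports: dict, whois_records: dict, now: datetime) -> dict:
    """Steps 1-4 for one message. Lookups arrive as dicts keyed by domain; in real use they
    come from pasting each domain into the two sites (or from the VirusTotal API)."""
    found, results = extract_domains(raw_email), {}
    for dom in dict.fromkeys(([found["sender"]] if found["sender"] else []) + found["links"]):
        vt = vt_summary(vt_reports[dom], now)
        who = whois_summary(whois_records[dom], now) if dom in whois_records else None
        results[dom] = {"vt": vt, "whois": who, "verdict": verdict(vt, who)}
    return results

# Constructed sample data: the email, VirusTotal numbers, registrar name and clock are invented.
NOW = datetime(2024, 5, 16, tzinfo=timezone.utc)
SAMPLE_EMAIL = """\
From: "PayPal" <service@paypa1-billing[.]com>
Subject: Your account is limited - verify within 24 hours

<p>Please <a href="hxxps://secure-login.paypa1-billing[.]com/verify?id=123">confirm now</a>.</p>
<p>Help: hxxps://paypal.com.account-check[.]co[.]uk/help</p>
"""
SAMPLE_VT = {  # the phish is too new for any vendor to flag; the second domain is already flagged
    "paypa1-billing.com": {"data": {"attributes": {
        "creation_date": int(datetime(2024, 5, 9, 14, 2, 11, tzinfo=timezone.utc).timestamp()),
        "last_analysis_stats": {"malicious": 0, "suspicious": 0, "harmless": 64, "undetected": 28}}}},
    "account-check.co.uk": {"data": {"attributes": {  # no creation_date: VirusTotal lacks it for some TLDs
        "last_analysis_stats": {"malicious": 2, "suspicious": 1, "harmless": 61, "undetected": 28}}}}}
SAMPLE_WHOIS = {"paypa1-billing.com": """\
   Domain Name: PAYPA1-BILLING.COM
   Registrar: Example Budget Registrar LLC
   Creation Date: 2024-05-09T14:02:11Z
   Registrant Organization: REDACTED FOR PRIVACY
"""}
```

Calling run_routine(SAMPLE_EMAIL, SAMPLE_VT, SAMPLE_WHOIS, NOW) gives the sender domain a "malicious" verdict even though zero vendors flag it, because it is six days old, hides its owner and the message asks you to act; the link domain is flagged outright. The decoy "paypal.com." prefix on the second link never reaches the verdict, which is the whole point of the right-to-left rule.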