21+ Promotional gaming credit is not cash. Terms, eligibility and local laws apply.

Play within limits ↗
Player guide / Natalie Yap

How to Check a Free Credit Link and Offer
before you tap anything.

A shared link, a shiny landing page and a big number aren't proof of anything. This guide walks through the checks we run on every destination before it earns a place on this site, so you can run the same checks yourself in a few minutes.

Before you register anywhere, check where the link actually sends you, not just where it claims to send you.

Where Does That Link Actually Send You?

A link posted on social media, in a group chat, or on a "free credit" page rarely shows you the real destination up front. Shortened links (the bit.ly or TinyURL style) hide the true web address until you click, and even a normal-looking link can quietly redirect two or three times before it lands. Checking the final domain in your browser's address bar, after the page has fully loaded, is the single most useful five-second habit in this whole guide.

Why Shortened Links Hide the Real Destination

A shortener swaps a long web address for a short one. That's handy for sharing, but it also means you can't see the destination until you've already clicked. Anyone can create a shortened link pointing anywhere: a genuine promotions page, a copycat page, or something worse. In our own link checks, we've seen the same shortened link redirect to a different destination on different days, which is exactly why a one-time check isn't enough.

How to Check a Redirect Before You Click

You don't need special tools for most of this. On a desktop browser, hover over a link (without clicking) and the real destination often shows in the bottom corner of the screen. On mobile, a long press usually previews the address. If a link has already redirected once, check the address bar again after the page loads, not just the first screen you see.

i

Expert tip

Bookmark the destination once you've confirmed it's the one you intend to use. Typing a saved bookmark is safer than re-clicking a shared link every time, since a shared link can be edited to point somewhere new after you've already trusted it once.

Our verified links page lists destinations we've checked and dated, along with the date of the last check. Treat any link outside that list, or older than the listed check date, as unverified rather than assumed safe.

Who's Really Running the Site You Landed On?

A page that looks polished doesn't tell you who owns it. Checking for an About page, a registered company name, and a real contact method, before you register, is a basic step most people skip. Malaysia's national communications regulator publishes general online-safety guidance for consumers along these lines.

What an About or Company Page Should Tell You

Look for a company or brand name, not just a logo. A genuine operator will usually name the business behind the site somewhere, often in the footer or an About/Company section. If that information is missing entirely, or it's just a generic paragraph with no names, treat that as a gap in the record rather than filling it in with assumptions.

Red Flags in Contact Information

  • Only a webform with no email address or phone number anywhere on the site.
  • A support chat that never connects to a real person, only automated replies.
  • Contact details that don't match the domain name at all.
  • No physical address, licence number, or company registration reference of any kind.

We've noticed that pages built purely to chase search traffic tend to copy the same generic "About Us" paragraph across several unrelated domains. If a paragraph reads like it could belong to any business anywhere, it probably wasn't written for the one you're looking at.

Is That Licence Claim Actually Real?

A licence claim on its own proves nothing until you can check it against a named regulator. Any operator can print a licence number or a badge image on a page; the number only means something if you can look it up independently and it matches the operating entity.

What a Licence Claim Should Let You Do

A genuine licence claim should point to a specific regulator by name, give a licence or registration number, and name the exact legal entity holding that licence. That combination is what lets you check the claim yourself, rather than just trusting the badge image on the page.

Treat Unverifiable Claims as Unverified

If a site names a regulator but gives no licence number, or gives a number you can't match to the entity operating that specific site, don't assume the claim is true. Mark it as unverified and factor that gap into your decision. A missing or unmatched licence detail is information in itself.

i

Expert tip

Search the regulator's name plus "check licence" or "verify licence" rather than clicking a badge image on the operator's page. Badge images can be copied onto any site; they don't verify anything by themselves.

What Should You Read Before You Register?

Reading the offer terms before you sign up, not after, is how you find out what a "free credit" promotion actually requires. Deposit conditions, wagering rules, expiry windows and excluded games are usually written down somewhere, even when they're not mentioned in the headline offer.

The Core Terms Worth Checking

TermWhy it matters
Deposit ruleWhether the promotion needs a deposit first, or is offered without one, changes what you're agreeing to.
Wagering requirementHow many times the credit (and any winnings from it) must be played through before withdrawal is possible.
Expiry windowHow long you have to use the credit and meet any wagering conditions before it's removed.
Excluded gamesSome game types may not count toward wagering, or may be excluded from the promotion entirely.

Excluded Games and Expiry Windows

These two details get skipped over the most, and they're often where a promotion turns out to be less useful than the headline suggested. If a term isn't listed on the promotion page, check the operator's general terms and conditions page before you register, not after.

EXAMPLEPromotion page says "free credit," full terms page (linked in small text at the bottom) lists a deposit requirement, a wagering multiplier, a 7-day expiry, and a list of excluded game types. Reading only the promotion page would have missed all four conditions.

Does the Site Have Real Privacy and Support Info?

A working privacy policy and a support contact you can actually reach are basic signs that a site takes its obligations seriously. Their absence, or a policy that's clearly copied from somewhere else, tells you something worth noting before you hand over any personal details.

What a Genuine Privacy Policy Covers

A real privacy policy should explain what data is collected, why it's collected, and who it might be shared with. It should be specific to the site you're on, not a generic template with placeholder text or a company name that doesn't match the domain.

Testing the Support Contact Before You Need It

Send a short, simple question through the listed support channel before you register, not after something's gone wrong. A reply that comes from a real person, references your actual question, and arrives within a reasonable time is a better signal than any badge on the homepage.

i

Expert tip

Test support with a low-stakes question first, something like asking which currencies the site accepts. It's a low-pressure way to see how (and whether) they respond before you've committed anything.

How Do You Spot a Phishing or Impersonation Attempt?

Phishing pages copy a real brand's look while sending you to a different destination or collecting your details directly. Lookalike domains, urgency pressure and fake "verification" pop-ups are the three patterns that show up again and again in reports to Malaysian consumer and cybersecurity bodies.

Lookalike Domains and Spoofed Branding

A lookalike domain swaps a letter, adds a hyphen, or uses a different ending (like .net instead of .com) to look almost identical to a genuine brand at a glance. Spoofed branding copies logos and colour schemes exactly, so the visual look of a page tells you very little on its own.

Pressure Tactics and Fake Verification Pop-Ups

Watch for these common warning signs before you enter any personal or payment details:

  • Countdown timers claiming an offer expires in minutes.
  • Pop-ups asking you to "verify your account" by entering a password or OTP.
  • Messages pushing you to act "now" or "urgently" with no clear reason why.
  • A domain that's almost, but not quite, the one you expected.
  • Requests to install an app or extension before you can "claim" anything.
  • Spelling or grammar that shifts noticeably between pages on the same site.

When we've traced reported lookalike domains, the giveaway was almost always the same: a genuine-looking front page paired with a checkout or "verification" step that asked for far more information than the front page ever mentioned.

Why Should You Never Share a Password, PIN or OTP?

No legitimate operator, bank or payment provider needs your password, PIN or one-time passcode (OTP) to "verify," "unlock," or "process" anything. Anyone who asks for one of these, in chat, by phone or in a pop-up, is asking for the one thing that lets them take over your account directly.

What a Legitimate Site Will Never Ask For

A genuine platform verifies you through its own login process, not through a support agent asking you to read out a code. If a message asks you to share an OTP "to confirm your bonus" or "to release your withdrawal," that's the request itself, not the site, that's the problem.

A Typical OTP Scam Script, Word for Word

Scam scripts tend to follow a familiar shape. Recognising the pattern is often enough to stop it working on you.

EXAMPLE"Congratulations, your free credit bonus is ready! To release it, reply with the 6-digit code just sent to your phone." The code is a login or payment OTP. Sharing it hands over account access, not a bonus.
!

Warning

Never share a password, PIN or OTP with anyone, including someone claiming to be support staff. A real support agent can help you without ever needing that code read out loud or typed into a chat window.

Why Do Affiliate Disclosures Matter?

An affiliate disclosure tells you when a site earns money from the links it publishes. That doesn't make a listing untrustworthy by itself, but it's information you deserve to have before you decide how much weight to give any single recommendation.

What This Site Discloses About Its Own Links

Some links on this site may be affiliate links, and a listing here is not an endorsement. We've laid out exactly what that means, and what it doesn't change about our review process, on our affiliate disclosure page.

How to Read Any Site's Disclosure Statement

Look for a disclosure that's specific: does it say which links are affiliate links, and does it explain whether that relationship affects rankings or ratings? A vague one-line disclosure buried in a footer tells you less than a clear statement placed where you'll actually see it.

i

Expert tip

A site that discloses its affiliate relationships clearly and separately from its review content is generally easier to trust than one that mentions it only once, in tiny text, at the very bottom of the page.

How and Where Do You Report a Suspicious Link?

Reporting a suspicious link helps other players avoid it, and it gives platforms and regulators a record to act on. Collecting a few basic details before you report makes the process faster and more useful for whoever reviews it.

What to Collect Before You Report

Take a screenshot of the page, note the exact web address from your address bar, and record roughly when you saw it. If you were asked for a password, PIN or OTP at any point, note that too, since it's a strong indicator of a phishing attempt rather than a genuine offer.

Who to Contact, on This Site and Beyond

You can report a suspicious link or listing to us directly through our contact page, and we'll review it against the same checks in this guide. For scams involving payment or personal data, your bank's fraud line and Malaysia's national cybersecurity reporting channels are the right next step.

The 60-Second Safety Check

  1. Check the full web address in your browser bar, after any redirect has finished.
  2. Look for a company name, About page or contact details that match the domain.
  3. Scroll to the terms and confirm deposit, wagering, expiry and excluded-game rules exist.
  4. Search the named regulator's site to confirm any licence claim independently.
  5. Confirm there's a real privacy policy and a support contact you can test.
  6. Note whether the page is pressuring you with countdowns, pop-ups or urgent language.

Clicking Straight Through vs Checking First

Clicking straight through

Faster to get started. But you're trusting the destination, the identity, the terms and the licence claim all at once, with no record if something turns out wrong.

Checking first

Takes a few extra minutes using the steps above. You end up with a dated record of what you checked, and you're far less likely to hand over an OTP to a lookalike page.

Frequently asked questions

How do I check where a shortened link actually goes?

Hover over the link on desktop, or long-press it on mobile, to preview the destination before clicking. After it loads, check the full address bar again, since some links redirect more than once before landing.

Is a padlock icon or HTTPS enough to prove a site is safe?

No. HTTPS only means the connection is encrypted, not that the operator, terms or licence claim are genuine. Treat it as one small technical signal, never as proof of trustworthiness on its own.

What should I do if a licence number doesn't match the operator name?

Treat the licence claim as unverified rather than assuming it's a typo. Search the regulator's own site for the licence number and compare the listed entity name against the site you're checking.

Can I trust a site just because it has good-looking reviews?

Reviews alone don't confirm identity, licensing or terms. Use them alongside the other checks in this guide, not instead of them, since reviews can be written, copied or paid for.

What's the biggest red flag in a phishing attempt?

A request for your password, PIN or OTP is the clearest warning sign. No genuine verification step needs that information, so any message asking for it should be treated as a scam attempt.

Does this site verify every offer it lists?

We run the checks described in this guide on destinations we list and record the date of the last check. Unverified or older checks are labelled as such rather than presented as current. See our verification methodology for details.

Where do affiliate links fit into this site's recommendations?

Some links on this site may be affiliate links, and a listing is not an endorsement. Full details are on our affiliate disclosure page, which we keep separate from our review content.

Who do I contact if I think a link is a scam?

Report it through our contact page with a screenshot, the exact web address, and roughly when you saw it. For payment or data loss, also contact your bank and Malaysia's cybersecurity reporting channels.