Summary
URL shorteners, like bit.ly and goo.gl, are frequently used to make it easier to display and enter a web address. However, these services make it difficult to determine what the actual address of the site is and where your browser will take you before you click on a shortened link. Bad actors persistently use these services to disguise malicious URLs, often for phishing or to initiate a download link for malware or ransomware.
Body
Introduction
If you have any suspicion that a shortened URL may not be trustworthy, you can reveal the full address in one of the following ways.
- Preview the shortened URL by typing it in the address bar of your web browser and adding the characters described below to see a preview of the full URL:
  - tinyurl.com: Between the "http://" and the "tinyurl", type “preview”
    - Example: http://preview.tinyurl.com/zn7xnzu
  - bit.ly: At the end of the URL, type a “+” symbol
    - Example: http://bit.ly/2DuNkeV+
- Use a shortened URL expander.
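What a URL expander does can be reproduced locally. The Python sketch below is an added example, not part of the original article: it walks the redirect chain with HEAD requests (no page body or download is fetched) and lists every hop. The names `expand`, `head_once` and `NoFollow`, and the hostnames in the sample table, are assumptions constructed for this example.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

class NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx surfaces as HTTPError below

def head_once(url, timeout=5):
    """Send a single HEAD request and return (status, Location or None)."""
    opener = urllib.request.build_opener(NoFollow)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def expand(url, fetch=head_once, max_hops=10):
    """Return every URL in the redirect chain, short link first."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break  # non-redirect response: this is the final destination
        nxt = urljoin(chain[-1], location)  # Location may be relative
        looped = nxt in chain
        chain.append(nxt)
        if looped or urlsplit(nxt).scheme not in ("http", "https"):
            break  # redirect loop, or a scheme we will not request
    return chain

# Constructed redirect table so the demo runs offline (not real services).
SAMPLE_HOPS = {
    "http://short.example/abc": (301, "https://tracker.example/r?id=1"),
    "https://tracker.example/r?id=1": (302, "/landing"),
    "https://tracker.example/landing": (200, None),
}

if __name__ == "__main__":
    for hop in expand("http://short.example/abc", fetch=SAMPLE_HOPS.__getitem__):
        print(hop)
```

To resolve a real link, call `expand(url)` without the `fetch` argument; a shortener that rejects HEAD requests will show up as a one-entry chain.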
Considerations in using URL Shortening
- In emails and links on web pages, use descriptive link text that indicates the full URL. For example, you can use this link to learn more about inserting links into text. This will let people know where they will be directed if they hover their mouse cursor over the link to see the full URL. This is the best practice for accessibility, as it provides complete information to people who use screen readers.
- Do not use a shortened URL to send others to login pages. This will lead to distrust of legitimate login pages, as it may not seem like an expected web address.
- Provide a clear description of the linked domain when providing short URLs in email or in a link on a web page. Even if you are trying to meet a character limit (like on Twitter), it is helpful to let people know where the short URL will take them.
Conclusion
Before clicking on shortened URL links, use the information above to verify the full address to avoid malware and/or phishing attempts.