Shortened links have become extremely popular. One reason is that they take up less screen space, which is an advantage for mobile users. Likewise, they consume fewer characters, an advantage when publishing any content on social networks that includes a call to action. Although almost all shortened links are legitimate and their creators use them for reasons of aesthetics and convenience, clicking on them is not without risks.
When you click on a shortened URL, you do not go directly to the destination website, that is, the address specified by the creator of the link. Instead, the request first passes through an intermediary, which then redirects you. Marketing specialists use link shorteners, such as bit.ly or TinyURL, whose domains are recognizable to a considerable share of Internet users. But sometimes these services do not limit themselves to providing a short link that redirects to the final website; they also tend to collect data on clicks. This is a logical, common and harmless practice that cybercriminals can nevertheless apply for fraudulent purposes.
Cybercriminals take advantage of the fact that all shortened links look alike and the user never knows for sure where they are going to be redirected. That is why they are frequently used for phishing practices in emails and instant messaging applications. This way, they are less at risk of being discovered or, if they are caught, they can rehost the fraudulent URL in a shortened link to continue the attack.
If cybercriminals have data about the users they are targeting (they may have obtained it after a leak or hack), these shortened links could even take you to a website with preloaded information about you. For example, imagine that attackers replicate your bank’s website. They could capture your online banking credentials by requesting your username or password, or, when emulating the payment gateway, your card number or even a security code from your coordinate card.
Certainly, it is impossible to check the reliability of a shortened link without first clicking on it. On the other hand, shortened links have become such a common resource that avoiding them completely is not a viable option either. That is why you should apply common sense and only access URLs provided by reliable sources.
Private messages, whether personal or work-related, are the most sensitive and vulnerable scenario, and the one attackers usually take advantage of. Luckily, there are free web tools like GetLinkInfo or UnshortenIt that can inspect a link once you simply copy and paste it into them.
It is also advisable to use a high-quality antivirus that warns you about browsing unsafe sites and blocks trackers, in order to maintain the security and privacy of your devices and data.