Go to top of page

To click or not to click? Why link safety matters

19 April 2017

We often recommend that people “think before they click” on links; or “click with care” – why is that?

One of the main pieces of advice we give people for being safe online is to be wary of hyperlinks – don’t click on links in unexpected emails or messages from people or organisations you don’t know.

This is because emails with malicious links are still one of the most effective delivery methods* for many types of online scams and threats, like malware and ransomware.

Often, it is possible to hover over a link (in an email or on social media, instant messages, other webpages, or other means) to see the actual web address it will take you to (usually shown at the bottom of the browser window).

Then, if you do not recognise or trust the address, you can try searching for key terms or the destination website. This way you can find the article, video, or webpage without directly clicking on the suspicious link.

But what happens when the URL has been shortened?

Expand shortened links

Link shortening is often used by social media services which limit the number of words or characters you can use per post. Some URLs can be 100 characters long – so URL shortening is a very attractive service.

The trouble is that link shortening is also attractive to scammers because it can be difficult to know where short links will take you.

Just like email and SMS, social message-based phishing messages attempt to fool you into taking action. If compromised, not only will criminals have access to your private messages and information, your social media account can also be used to further spam messages to your contacts, circumventing many of the platform’s own protection mechanisms.

Your account can then be used to spread malware and other nasties online.

An expand link facility allows you to enter a shortened URL to see where it leads. It shows you the original, expanded URL that has been shortened.

Some of the services to unshorten URLs also check if the original link is available through search engines and other sites, which may indicate if the hidden link is safe or not.

Use a link expand service that is endorsed by your social media platform, security software vendor, or reputable computer review magazines or websites.

Staying safe

In the case of shortened URLs, understand that the destination link may not be what you expected.


  • Be careful clicking shortened links, particularly those that use shortening services outside of the platform’s own built-in service (for example, Twitter’s t.co service, Google’s goo.gl service, and Yahoo’s y.ahoo.it service.)
  • Evaluate the message, its context and its sender as part of your decision to click. If a message is ‘out of character’ for a sender, you should treat it with suspicion.
  • There are plug-ins available for most internet browsers that can display the original URL before you click. Look in your browser’s security settings or the vendor’s official help and support site.
  • Be cautious about messages from anyone you do not know or trust.
  • Never give out your account username or password. Reputable organisations including Twitter, will not request your personal information via a Tweet.
  • If you click a link, always check the website you are on before you interact with it, provide any information or download software.

Find more information about safely socialising online  and protecting your email.

* The Australian Competition and Consumer Commission Scamwatch website collects some excellent statistics on scams reported in Australia.