Carnegie Mellon University

Shortened URL Security Tips

Shortened URLs, such as those from bit.ly and goo.gl, make it easy to type in a web address quickly, but difficult to determine where the web browser will actually take you. Criminals use shortened URLs to direct victims to phishing sites or to initiate a download of malicious software onto your device.

If you are suspicious of a shortened URL, don't click it. Use the tips on this page to help you determine the true path of a shortened URL.

Before You Click, Reveal Full URLs

There are a number of ways you can reveal the full URL behind a shortened URL:

  • Use the shortening service preview feature. Type the shortened URL in the address bar of your web browser and add the characters described below to see a preview of the full URL:
    • tinyurl.com: Between the "http://" and the "tinyurl", type preview
      • Example: http://preview.tinyurl.com/zn7xnzu
    • bit.ly: At the end of the URL, type a +
      • Example: http://bit.ly/2DuNkeV+
  • Use a URL checker. These are a few of the sites that allow you to enter a short URL and view the full URL:
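
The tinyurl.com and bit.ly preview rules listed above can also be applied automatically to links found in a message. The following Python sketch is an added example, not part of the original page: the function names and the sample message are assumptions, and the two short links are constructed from the page's own preview examples. It makes no network requests and matches the exact host name, so lookalike hosts are left alone.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Finds http(s) links in free text; trailing punctuation is trimmed afterwards.
URL_RE = re.compile(r"https?://[^\s<>'\"]+", re.IGNORECASE)

def preview_url(url):
    """Return the preview form of a tinyurl.com or bit.ly link, or None
    when the host is not exactly one of those two services."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname ignores any user@ prefix
    if host.startswith("www."):
        host = host[4:]
    if not parts.path.strip("/"):
        return None  # service home page, nothing to preview
    if host == "preview.tinyurl.com" or (host == "bit.ly" and parts.path.endswith("+")):
        return url  # already a preview link
    if host == "tinyurl.com":
        # Rule from the page: "preview" goes between the scheme and "tinyurl".
        return urlunsplit((parts.scheme, "preview.tinyurl.com", parts.path, parts.query, ""))
    if host == "bit.ly":
        # Rule from the page: "+" goes at the end; query and fragment are dropped.
        return urlunsplit((parts.scheme, "bit.ly", parts.path + "+", "", ""))
    return None

def preview_links(text):
    """Map every tinyurl.com / bit.ly link found in text to its preview form."""
    found = {}
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")
        preview = preview_url(url)
        if preview:
            found[url] = preview
    return found

# Constructed sample message; the last link is a lookalike host, not bit.ly.
SAMPLE = (
    "Your mailbox is full, see http://tinyurl.com/zn7xnzu today. "
    "Invoice: http://bit.ly/2DuNkeV. "
    "Lookalike host: http://bit.ly.example.net/2DuNkeV"
)

if __name__ == "__main__":
    for short, preview in preview_links(SAMPLE).items():
        print(short, "->", preview)
```

Open the resulting preview link rather than the short link, and treat any link the function skips as one that still needs checking by another method.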

Before You Shorten a URL, Consider Alternatives

  • Use descriptive link text with the full URL. In emails and on web pages, it is best to use descriptive link text with the full URL behind it. This lets people know where they will be directed once they click. They are able to hover their mouse cursor to see the full URL. It is also a recommended best practice for accessibility, because it provides people who use screen readers with clear, complete information.
  • Don't use a shortened URL if people must log in. If you are directing people to a page that requires login, let them see the full URL and tell them login will be required.
  • Be clear about the destination when you must use short URLs. On social media platforms, such as Twitter, you may need to use a shortened URL to stay within a character limit. It is helpful to let people know where the short URL will take them.