Shortened URL Security Tips

Shortened URLs, such as those from bit.ly and goo.gl, make it easy to type in a web address quickly but hard to tell where your web browser will actually take you.

  • Before clicking a shortened URL, check for the full URL. Most URL shorteners—including those used at U-M—include a preview feature. If you aren't sure it is safe, don't click!
  • Before creating or sharing a shortened URL, consider alternatives. If you must use one, make clear where it goes.
  • Be aware that criminals use shortened URLs to direct people to phishing sites and initiate malware downloads.

Before You Click, Reveal Full URLs

There are a number of ways you can reveal the full URL behind a shortened URL:

  • Use the shortening service preview feature. Type the shortened URL in the address bar of your web browser and add the characters described below to see a preview of the full URL:
    • tinyurl.com. Type preview. between the "http://" and the "tinyurl."
      Example: http://preview.tinyurl.com/zn7xnzu
    • bit.ly. Type a + at the end of the URL.
      Example: http://bit.ly/2lgPesi+
    • goo.gl. Type a + at the end of the URL.
      Example: https://goo.gl/vLfoaW+
  • Use a URL checker. These are just a few of the sites that let you enter a short URL and then see the full URL:

Shortened URLs at U-M

A number of university units use URL shorteners for official university use. You can trust these.

Before You Shorten a URL, Consider Alternatives

Some people will be suspicious—and rightly so—if you use shortened URLs in email or in your online or print materials. In general, do what you can to make it clear to people where they will go if they click or type the URL you provide.

  • Use descriptive link text with the full URL. In emails and on web pages, it is best to use descriptive link text with the full URL behind it.That lets people know where they will go if they click; they can hover over the link with their mouse to see the full URL. It is also a recommended best practice for accessibility, because it provides people who use screen readers with clear, complete information.
    Example: Visit Safe Computing for information about IT security and privacy at U-M.
  • Don't use a shortened URL if people must log in. If you are directing people to a page that requires login, let them see the full URL and tell them login will be required.
    Example: Access your AFS home directory at mfile.umich.edu (U-M login required).
  • Be clear about the destination when you must use short URLs. On social media platforms, such as Twitter, you may need to use a shortened URL to stay within a character limit. It is helpful to let people know where the short URL will take them.
    Example: Learn how to protect yourself from tax fraud at U-M Safe Computing. myumi.ch/Jdn1x

How Criminals Use Shortened URLs

Criminals use shortened URLs to:

  • Direct people to phishing websites—sites that ask you to log in or fill in a form and then steal your password and/or personal information. Always Look Before You Log In.
  • Initiate download of malicious software, such as ransomware, to your device.

If you are suspicious of a shortened URL, don't click it.