Shortened URL Security
Shortened URLs are widely used to make long web links more manageable and shareable. However, they can also pose security risks, as users cannot see the full destination before clicking. Cybercriminals exploit this by hiding malicious websites, phishing pages, or malware behind shortened links. Understanding the risks and best practices—such as verifying sources, using URL expanders, and enabling security features—can help protect users from potential threats.
There are a number of ways you can reveal the full URL behind a shortened URL:
- Use the shortening service preview feature. Type the shortened URL in the address bar of your web browser and add the characters described below to see a preview of the full URL:
  - tinyurl.com. Between the "http://" and the "tinyurl," type preview.
    - Example: http://preview.tinyurl.com/4uhd5ct8
  - bit.ly. At the end of the URL, type a +.
    - Example: https://bit.ly/3DvZvug+
- Use a URL checker. These are just a few of the sites that let you enter a short URL and then see the full URL:
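The two preview rules for tinyurl.com and bit.ly described above, written as a small Python helper. This is an added example, not code from the original page. The function name `preview_url`, the https default for links typed without a scheme, and the dropping of any query string are assumptions, and the rejected sample hosts are constructed.

```python
from urllib.parse import urlsplit, urlunsplit


def preview_url(short_url):
    """Return the preview form of a tinyurl.com or bit.ly link.

    Returns None for any other host, so a lookalike domain is never
    rewritten into something that resembles a trusted preview page.
    """
    short_url = short_url.strip()
    if "://" not in short_url:
        short_url = "https://" + short_url  # assumption: bare links default to https
    try:
        parts = urlsplit(short_url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None

    # Compare the parsed hostname exactly. A substring test would accept
    # "tinyurl.com.example.net" or "bit.ly@example.net".
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    path = parts.path
    if not path.strip("/+"):
        return None  # no short code after the host

    if host in ("tinyurl.com", "preview.tinyurl.com"):
        host = "preview.tinyurl.com"  # rule from the page: insert "preview."
    elif host == "bit.ly":
        if not path.endswith("+"):
            path += "+"  # rule from the page: append "+"
    else:
        return None
    # Assumption: the short code lives in the path, so query and fragment are dropped.
    return urlunsplit((parts.scheme, host, path, "", ""))


if __name__ == "__main__":
    samples = [  # the first two are the page's examples, the rest are constructed
        "http://tinyurl.com/4uhd5ct8",
        "https://bit.ly/3DvZvug",
        "https://tinyurl.com.example.net/abc",
        "https://bit.ly@example.net/abc",
    ]
    for link in samples:
        print(link, "->", preview_url(link))
```

Open the returned preview address in the browser instead of the short link; a result of `None` means the link does not belong to either service and the preview rules do not apply.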
Some people will be suspicious—and rightly so—if you use shortened URLs in email or in your online or print materials. In general, do what you can to make it clear to people where they will go if they click or type the URL you provide.
- Use descriptive link text with the full URL. In emails and on web pages, it is best to use descriptive link text with the full URL behind it. That lets people know where they will go if they click; they can hover over the link with their mouse to see the full URL. It is also a recommended best practice for accessibility, because it provides people who use screen readers with clear, complete information.
- Don't use a shortened URL if people must log in. If you are directing people to a page that requires login, let them see the full URL and tell them login will be required.
- Be clear about the destination when you must use short URLs. On social media platforms, such as Twitter, you may need to use a shortened URL to stay within a character limit. It is helpful to let people know where the short URL will take them.
Criminals use shortened URLs to:
- Direct people to phishing websites—sites that ask you to log in or fill in a form and then steal your password and/or personal information.
- Initiate the download of malicious software, such as ransomware, to your device.
If you are suspicious of a shortened URL, don't click it.