Drew Lokken

Dangers of Short Links

Short links, while convenient for sharing long URLs, can pose significant security risks. By obscuring the final destination, these links can easily be misused for malicious purposes, such as phishing attacks or leading users to harmful websites. Users may unwittingly click on a short link that appears to be legitimate but redirects them to pages designed to steal personal information or install malware on their devices.

In our previous blog post, we explored the concerning issue of smishing—an insidious form of phishing that uses fraudulent text messages to deceive recipients into providing sensitive information or downloading harmful content. A noteworthy characteristic of smishing campaigns is the use of shortened URLs, often created through services like Bitly. These shortened links can obscure the true web address, making it difficult for users to determine their final destination before clicking. Frequently, such deceptive links redirect users to malicious websites designed to install harmful software, initiate unauthorized actions, elevate user permissions without consent, or expose individuals to a range of cybersecurity threats, including identity theft and financial fraud.

Understanding Bitly and Its Functionality

Bitly is a widely utilized URL shortening service on the internet, simplifying the process of transforming long and unwieldy web addresses into shortened links that are more readable, shareable, and memorable. A typical Bitly link appears as "bit.ly" followed by a unique alphanumeric string, such as "bit.ly/2KEOXNx." Creating these shortened URLs is a straightforward process; users simply input a lengthy URL into the Bitly platform, which then generates a concise link that maintains the original web address's functionality while presenting a more user-friendly format. This functionality is especially beneficial for sharing links on social media platforms, where character constraints can pose challenges.

Identifying and Interpreting Shortened URLs

While it’s essential to understand that shortened URLs—like those produced by Bitly—are not inherently dangerous, they do warrant caution. These links play a crucial role in making lengthy URLs more manageable and shareable, which can be particularly useful in contexts with space limitations, such as Twitter or SMS. However, users should remain vigilant when encountering Bitly links from unfamiliar or unreliable sources. The very nature of a shortened URL denies users visibility into its ultimate destination, presenting an opportunity for malicious actors to conceal harmful sites behind seemingly harmless links.

Consequently, clicking on these shortened URLs can unintentionally redirect users to perilous online environments aimed at exploiting personal data, infecting devices with malware, or engaging in other malicious activities. To mitigate these threats, it is advisable to adopt a cautious approach toward Bitly links and similar shortened URLs, especially when they originate from questionable or unknown senders. Verifying the source before clicking can serve as an effective safeguard against potential cybersecurity risks.

Mitigation

For Individuals:

Hovering over a link before clicking it is a crucial practice when dealing with shortened URLs. On a desktop browser, hover your mouse cursor over the link and check the address the browser displays, usually in the status bar; it may differ from the text of the link itself. Keep in mind that this reveals the address the link points to, not the page a shortener will redirect you to, and that the method is rarely available or reliable on mobile devices.

Another effective strategy is to use URL expansion tools. Several online tools and browser extensions can expand shortened URLs to reveal their true destinations. Before clicking on a shortened link, you can copy it and paste it into a URL expansion tool. For example, Bitly offers a "Bitly Link Checker" specifically for this purpose.
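As an added example, not code from the original post or from Bitly, the following Python script does what a URL expansion tool does, one hop at a time: it sends a single HEAD request, reads the `Location` header without letting the HTTP library follow it, and reports the whole redirect chain together with things a reviewer should notice (shortener-to-shortener hops, redirect loops, chains that never end). The `fetch` parameter is injectable so the chain logic runs offline; the shortener host list and the `demo_fetch` table are constructed for illustration and are not authoritative.

```python
"""Expand a shortened URL by walking its redirect chain one hop at a time.

Added example (not from the original post). Nothing here follows a redirect
automatically or fetches a page body: each hop is one HEAD request, so the
final destination can be inspected before anything is actually opened.
"""
import http.client
from urllib.parse import urljoin, urlsplit

# Hosts used by public URL-shortening services (assumption: a small
# illustrative list, not an exhaustive or authoritative one).
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "goo.gl",
                   "ow.ly", "is.gd", "buff.ly"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def head_request(url, timeout=5.0):
    """Issue one HEAD request and return (status, Location header or None).

    http.client never follows redirects on its own, which is exactly what we
    want: every hop is observed and reported before the next one is taken.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.netloc, timeout=timeout)
    elif parts.scheme == "http":
        conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    else:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "link-inspector/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand_short_link(url, fetch=head_request, max_hops=10):
    """Follow Location headers hop by hop and describe the chain.

    Returns {"hops": [...], "final": url, "findings": [...]}. Findings cover
    shortener-to-shortener hops (a common way to hide a destination),
    redirect loops, and chains longer than max_hops.
    """
    hops = [url]
    findings = []
    seen = {url}
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_STATUSES or not location:
            break                      # a real page, or an error: stop here
        nxt = urljoin(current, location)  # Location may be a relative path
        if urlsplit(nxt).hostname in SHORTENER_HOSTS:
            findings.append(f"chained shortener: {nxt}")
        if nxt in seen:
            findings.append(f"redirect loop at {nxt}")
            hops.append(nxt)
            break
        seen.add(nxt)
        hops.append(nxt)
        current = nxt
    else:
        findings.append(f"gave up after {max_hops} hops")
    return {"hops": hops, "final": hops[-1], "findings": findings}


# Constructed offline stand-in for head_request: a short link that bounces
# through a second shortener (with a relative Location) before landing.
_DEMO_CHAIN = {
    "https://bit.ly/3xAmPle": (301, "https://tinyurl.com/y2hop"),
    "https://tinyurl.com/y2hop": (302, "/landing"),
    "https://tinyurl.com/landing": (302, "https://example.org/final?x=1"),
    "https://example.org/final?x=1": (200, None),
}


def demo_fetch(url):
    """Look the URL up in the constructed table instead of touching the network."""
    return _DEMO_CHAIN[url]


if __name__ == "__main__":
    report = expand_short_link("https://bit.ly/3xAmPle", fetch=demo_fetch)
    for i, hop in enumerate(report["hops"]):
        print(f"{i}: {hop}")
    for finding in report["findings"]:
        print("!", finding)
    print("final destination:", report["final"])
```

To inspect a real link, call `expand_short_link("https://bit.ly/...")` without the `fetch` argument; the default issues live HEAD requests. Some services answer HEAD with a 200 or an interstitial page rather than a redirect, so an unexpected early stop is itself worth noting rather than a sign the link is safe.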

Be cautious of suspicious sources. Exercise care when clicking on shortened links from unknown or untrusted sources, such as unsolicited emails or social media messages. It’s also essential to keep your software updated; ensure that your operating system, browser, and antivirus software are current to protect against known vulnerabilities. Additionally, installing reputable antivirus and anti-malware software can help scan websites for malicious content.

When using mobile devices, consider extra precautions. Long-pressing a link usually shows the address it actually points to, but it requires attention, as it is easier to overlook details on a small screen than on a desktop.

For Organizations:

Organizations should implement URL filtering solutions to block access to known malicious websites and suspicious shortened URLs. This provides an additional layer of protection for users and helps mitigate potential threats.

Email security is also crucial. Utilizing email security gateways to scan incoming emails for malicious links and attachments can significantly reduce the risk of phishing attacks. Furthermore, integrating security awareness training into the organizational culture is vital. Educating employees about the risks associated with shortened URLs and phishing scams empowers them to identify and avoid suspicious links.

Establishing link management policies within the organization is important. Consider using internal URL shortening services that offer greater control and security. Lastly, ensure that all company devices have strong endpoint protection, including anti-phishing capabilities, to effectively guard against potential attacks.

To check the destination of a shortened link, you can use the Bitly Link Checker (https://bitly.com/a/links/inspector).

Tyler Lokken

Beware of Smishing Attempts on Your Cellphones

A Growing Threat in the Digital Age 

Dear Cyber-Naughts, 

In the ever-evolving landscape of digital communication, the convenience of cellphones has revolutionized our lives. Unfortunately, this convenience also comes with significant challenges, particularly in the realm of cybersecurity. One such threat on the rise is smishing—an insidious form of phishing that targets individuals through SMS (Short Message Service) or text messages. 

What is Smishing? 

Smishing, a combination of "SMS" and "phishing," involves cybercriminals sending fraudulent text messages to trick recipients into divulging personal information, such as passwords, credit card numbers, or other sensitive data. These messages often seem to come from legitimate sources, such as banks, government agencies, or well-known companies, making them particularly deceptive and dangerous. 

Common Tactics Used in Smishing 

Cybercriminals employ a variety of tactics to lure their victims. Some of the most common methods include: 

  • Urgent Messages: Smishing attempts often create a sense of urgency, claiming that immediate action is required to avoid negative consequences. This could include messages about suspicious account activity, unpaid bills, or urgent security updates. 

  • Enticing Offers: Fraudulent messages may promise attractive offers, such as winning a prize, receiving a gift card, or participating in a survey for a reward. These offers are designed to entice the recipient to click on a malicious link or provide personal information. 

  • Impersonation: Cybercriminals frequently impersonate trusted entities, including financial institutions, delivery services, or government bodies. They may ask recipients to verify their identity, update account information, or complete a transaction. 

Recognizing the Red Flags 

Recognizing the signs of a smishing attempt is crucial for protecting yourself from falling victim to this scam. Here are some red flags to watch out for: 

  • Unknown Senders: Be cautious of text messages from unknown or suspicious numbers. Legitimate organizations typically use recognizable numbers or email addresses. 

  • Grammatical Errors: Many smishing messages contain spelling and grammatical errors, which can be a telltale sign of a scam. Smishing attempts often exhibit broken English due to translation issues. 

  • Unsolicited Links: Avoid clicking on links in unsolicited text messages. These links may lead to malicious websites designed to steal your information. Always examine the URL to ensure it resembles a legitimate website and keeps the correct structure of the supposed source. Look out for look-alike URLs that replace letters with numbers, as these can appear legitimate in certain fonts but direct you to malicious sites. Can you spot the difference between the links below?

  • Requests for Personal Information: Reputable organizations will never ask for sensitive information, such as passwords or Social Security numbers, via text message.
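The URL-filtering layer recommended for organizations in the short-links post above, and the look-alike URLs this list warns about, can both be approximated with a small lexical check over message text. The following Python scanner is an added example, not code from either post: it extracts links from an SMS or e-mail body, flags known public shorteners, and flags domains that imitate a trusted brand either by digit-for-letter substitution ("paypa1") or by burying the brand name inside an unrelated registrable domain. The shortener list, the trusted-brand list, the substitution map, the two-label approximation of a registrable domain (a real deployment would use the public suffix list) and the sample message are all assumptions constructed for illustration.

```python
"""Flag links in a message that deserve a second look before anyone clicks.

Added example (not from the original posts). Purely lexical: no network
access, so it is safe to run over quarantined messages.
"""
import re
from urllib.parse import urlsplit

# Assumption: illustrative list of public URL-shortener hosts.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "goo.gl",
                   "ow.ly", "is.gd", "buff.ly"}

# Assumption: brands whose domains this organization legitimately uses.
TRUSTED_DOMAINS = {"paypal.com", "amazon.com", "usps.com", "chase.com"}

# Digits and symbols commonly swapped in for letters that they resemble.
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "8": "b", "|": "l", "$": "s"})

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of the host (assumption: a crude stand-in for the
    public suffix list, so 'example.co.uk' would be mishandled)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return the reasons this URL is suspicious; an empty list means none found."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url          # lets urlsplit parse bare 'www.' links
    host = (urlsplit(url).hostname or "").lower()
    reasons = []

    if host in SHORTENER_HOSTS:
        reasons.append("shortened link hides its destination")
        return reasons

    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return reasons                 # genuinely one of our trusted domains

    # Case 1: the whole registrable domain imitates a brand via substitutions.
    normalized = reg.translate(LOOKALIKE_MAP)
    if normalized in TRUSTED_DOMAINS and normalized != reg:
        reasons.append(f"look-alike of {normalized}: {reg}")
        return reasons

    # Case 2: the brand name appears as a subdomain or hyphenated part of an
    # unrelated domain, e.g. amazon.com.verify-account.net or usps-delivery.co.
    brand_labels = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    parts = [p for label in host.split(".") for p in label.split("-")]
    for part in parts:
        if part.translate(LOOKALIKE_MAP) in brand_labels:
            reasons.append(f"brand name '{part}' in unrelated domain {reg}")
            break
    return reasons


def scan_message(text):
    """Map every URL found in the message to its list of reasons."""
    results = {}
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,)")   # drop trailing sentence punctuation
        results[url] = classify_url(url)
    return results


# Constructed sample smishing text: one shortener, one brand-in-hostname
# domain, and one genuine link for contrast.
SAMPLE_MESSAGE = ("USPS: your package is held. Confirm at "
                  "https://usps-delivery.co/track or http://bit.ly/3abcDE . "
                  "Help: https://www.usps.com/help")

if __name__ == "__main__":
    for url, reasons in scan_message(SAMPLE_MESSAGE).items():
        print(url, "->", reasons or "no findings")
```

In a mail or SMS gateway this would sit beside, not instead of, a reputation feed: the lexical check catches the imitation patterns in the list above, while an unknown-but-plain domain like the "usps-delivery.co" sample still needs policy (block, rewrite, or warn) decided by the organization.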

Steps to Protect Yourself 

Protecting yourself from smishing attempts requires a combination of awareness and proactive measures. These steps are quick but can greatly enhance your security: 

  • Verify the Source: If you receive a suspicious message, verify its legitimacy by contacting the organization directly using a trusted phone number or website. NEVER click on links or call back the number from the message; instead, use a search engine to find the official contact information. 

  • Enable Security Features: Utilize security features on your cellphone, such as two-factor authentication and spam filters, to add an extra layer of protection. While this won't prevent all attacks, it can help fend off many low-level threats. 

  • Report Smishing Attempts: Report smishing attempts to your mobile carrier and relevant authorities. This helps raise awareness and prevents others from being targeted. 

  • Educate Yourself: Stay informed about the latest smishing tactics and best practices for cybersecurity. Knowledge is your best defense against these scams. 

Conclusion 

In conclusion, smishing is a growing threat in our digitally connected world. By staying vigilant, recognizing the red flags, and taking proactive steps to protect yourself, you can minimize the risk of falling victim to these scams. Remember, the convenience of modern technology should never come at the expense of your security. 

Stay safe, informed, and always be cautious when handling unsolicited text messages. 

A case study is available under our Premium Cyber Blog at the link below regarding a recent Smishing attack!
