Shortened URLs and QR Codes
Shortened URLs and Quick Response Codes (QR codes) make web addresses easier to access or type, but can disguise where the link truly goes, creating opportunities for bad actors.
Why Be Cautious of Shortened URLs and QR Codes?
Bad actors may use shortened URLs or QR Codes to:
- Convince you to click on phishing websites, or to spoof legitimate websites. For example, a bad actor may send a link designed to appear like a Microsoft login page, tricking you into signing in and sending your credentials to them.
- Convince you to download an executable file, such as malware or ransomware, onto your device.
If you are suspicious of a shortened URL, don't click it. Remember you can always send suspicious emails to the Security office.
Shortened URL Security and QR Codes Best Practices
- Only click shortened URLs and scan QR codes from trusted locations and sources.
- Check for the full URL and ensure the full URL matches the content expected. Most URL shorteners include a preview.
- If your browser or OS does not offer a preview feature, you can check the URL by modifying it before you open it. To do this, type the shortened URL in the address bar of your web browser and make the change described below for that service to see a preview of the full URL:
  - tinyurl.com: Insert preview between "http://" and "tinyurl".
  - bit.ly and goo.gl: At the end of the URL, type a +.
- There are several sites on which you can enter a shortened URL and see the full URL destination including:
- Disable any setting on your device that opens a QR code automatically. It is best to configure your device so that when a QR code is scanned, your scanner will display the link and wait for some action before opening that link.
- Some mobile payment services, such as Venmo, generate QR codes for use with their services. If you are using these QR codes for mobile payments, be sure to carefully check the details on the application and your bank transactions to identify any discrepancies between the two.
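The preview rules listed above can also be applied automatically, for example when triaging links in a reported message. The following Python is an added example, not code from this page; the function names and the sample message are constructed for illustration, and it assumes the TinyURL preview host is written "preview.tinyurl.com" (with a dot) so that it forms a valid host name.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Preview rules as listed on this page.
PREFIX_HOSTS = {"tinyurl.com"}       # put "preview." in front of the host
PLUS_HOSTS = {"bit.ly", "goo.gl"}    # type "+" at the end of the URL

def preview_url(short_url):
    """Return the preview form of a shortened URL, or None if no rule applies."""
    raw = short_url.strip()
    if "://" not in raw:
        raw = "http://" + raw            # assumption: http when no scheme is given
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https"):
        return None
    # Match on the parsed host name, never on a substring, so that
    # "bit.ly@other.example" or "tinyurl.com.other.example" is not
    # mistaken for the real shortener.
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    path = parts.path.rstrip("/")
    if not path:
        return None                      # bare domain, nothing to preview
    if host in PREFIX_HOSTS:
        return urlunsplit((parts.scheme, "preview." + host, path, "", ""))
    if host in PLUS_HOSTS:
        return urlunsplit((parts.scheme, host, path.rstrip("+") + "+", "", ""))
    return None

URL_RE = re.compile(r"(?:https?://)?[\w.@-]+\.[a-z]{2,}/[\w+/-]+", re.I)

def previews_in(text):
    """Map every shortened link found in a message to its preview URL."""
    found = {}
    for match in URL_RE.findall(text):
        preview = preview_url(match)
        if preview:
            found[match] = preview
    return found

# Constructed sample message (not from the page).
SAMPLE = """Reset your password: https://bit.ly/3xAmPle
Survey: tinyurl.com/campus-survey
Also see http://bit.ly@login.example/3xAmPle and https://www.example.edu/help"""

if __name__ == "__main__":
    for short, preview in previews_in(SAMPLE).items():
        print(short, "->", preview)
```

Links whose host is not one of the listed shorteners return None, so a lookalike host is never rewritten into a preview link for the real service.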
Guidance On Implementing Shortened URLs and QR Codes
Best practice is to make sure those who are using the shortened URL know where it is going.
- Test the URL or QR Code before giving it to others to use.
When you use a shortened URL, it is best to accompany it with a descriptive link that includes the full URL, so that individuals using the link can see where it goes, and anyone using a screen reader has that information as well.
Providing context for the link when possible is best.
Avoid using shortened URLs if you are directing to a site where someone must log in.