Hyperlink security

A quick piece of security advice to any readers… You should usually not just click on any links presented to you in emails, on blogs, etc. This is because you don’t know whether the actual link takes you where you expect to go or to a phishing site. You could get sent to a site impersonating your bank in order to steal your login details, or you could be sent to a site to ‘update to the latest version of Flash’ which instead downloads a virus or malware.

For example, this link actually goes to Bing: www.google.com

I know if you hover over it you can see the Bing address in your browser’s status bar. But there are more advanced techniques which can be used to make it virtually impossible to check where it is taking you before you click.
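The simple mismatch shown above can be checked mechanically before anything is clicked. The following is an added example, not part of the original post: it scans an HTML fragment for links whose visible text looks like a web address but whose real target is a different host. The sample HTML is constructed and the names `host_of`, `LinkAuditor` and `find_mismatched_links` are assumptions; it covers only this text-versus-target case, not the harder-to-spot techniques mentioned above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a web address ("www.google.com", "https://x.org/a").
HOSTLIKE = re.compile(r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:[:/?#]\S*)?$", re.I)

def host_of(value):
    """Lower-cased host of a URL or bare host name, ignoring a leading 'www.'."""
    if "://" not in value:
        value = "http://" + value
    try:
        host = (urlsplit(value).hostname or "").lower()
    except ValueError:  # malformed address: treat as having no host
        return ""
    return host[4:] if host.startswith("www.") else host

class LinkAuditor(HTMLParser):
    """Records (visible_text, href) for each <a> whose text names a different host."""
    def __init__(self):
        super().__init__()
        self._href, self._text, self.mismatches = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        text, href = "".join(self._text).strip(), self._href.strip()
        self._href = None
        # Compare only when the text claims an address and the target is a web link.
        if HOSTLIKE.match(text) and href.lower().startswith(("http://", "https://")):
            if host_of(text) != host_of(href):
                self.mismatches.append((text, href))

def find_mismatched_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.mismatches

# Constructed sample: one misleading link, one honest URL link, one plain-text link.
SAMPLE = (
    '<p>This link goes to Bing: <a href="https://www.bing.com/">www.google.com</a></p>'
    '<p><a href="https://krebsonsecurity.com/">https://krebsonsecurity.com/</a></p>'
    '<p><a href="https://www.grc.com/sn/sn-507.txt">episode transcript</a></p>'
)
```

Links with ordinary wording such as "episode transcript" are not flagged, because their text makes no claim about the destination; those still need the hover or copy-and-paste check.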

Okay, so that’s not too worrying if you are just going to an innocuous site hosting info. But if it is a site for shopping, banking or downloading programs then you should NEVER just click on it.

The correct behaviour is to manually type the site location in your browser. Obviously that will be annoying most of the time so you just have to balance for yourself the added inconvenience factor vs the security factor. Personally my own rules are:

  • Happy to click on a link in an email if I am expecting it. I won’t click on a link in an unsolicited email.
    e.g. an email shows up from my bank one day saying I have a message on my account, log in at THIS LINK and check it.
    – I won’t click that link; it could be to an impersonating website. I’ll go to the bank website manually myself and log in.
    e.g. I have registered on a website and receive an email with a link asking me to confirm registration.
    – Probably safe, so I’ll happily click it.
  • If it is just a ‘for info’ site then I’ll click, e.g. for Wikipedia listings.
  • I will never click on a link presented to me in a website which tells me I need to update something (e.g. Flash) in order to see the site. ALWAYS go to the manufacturer’s website yourself and download it – don’t click the link!

As Brian Krebs (https://krebsonsecurity.com/) says, “Don’t download something you didn’t go looking for.” Also check out Brian’s basics of online safety… http://krebsonsecurity.com/2011/05/krebss-3-basic-rules-for-online-safety/

This is why in this blog I always try to include the URL for my links instead of just embedding the hyperlink. That way you’ll hopefully be able to see where you’re being directed to, and if you want to you can copy and paste or re-type it into the address bar.

I was reminded to pop this up here by Steve Gibson on the Security Now podcast. The latest episode has a good summary and background… http://twit.tv/show/security-now/507 You can have a look at the episode transcript here… https://www.grc.com/sn/sn-507.txt
