Advisory on Risks of Shortened URLs

Published on 10 Jan 2020

Updated on 10 Jan 2020

Joint Advisory by Cyber Security Agency of Singapore and Government Technology Agency

 

Overview

Uniform Resource Locator (URL) shortening is a technique used to generate a shorter, more user-friendly hyperlink that still directs users to the required webpage. Scammers can use URL shortening to mask phishing or malware-infected websites. It is therefore often difficult to ascertain the legitimacy of a shortened link, and unsuspecting users could easily be tricked into clicking on one.

 

How do users know if a government web link is legitimate?  

The Government Technology Agency (GovTech) has launched an official URL shortening service – https://go.gov.sg – that indicates the “go.gov.sg” domain in shortened URLs, such as https://go.gov.sg/singpass-guides. This would help users recognise shortened yet legitimate web links that are generated by government agencies.

 

What happens if users click on a dubious URL?

Clicking on dubious shortened links that redirect users to illegitimate websites may allow attackers to carry out malicious acts, such as installing malware, disrupting your device’s operation and gathering your personal information.

 

What should users do to protect themselves online?

Users are advised to:

  • Exercise caution towards shortened URLs, such as those involving bit.ly and tinyurl. We strongly recommend that users hover their cursors over shortened URLs (if possible) to see the full website domain they would be visiting

  • For legitimate government websites, users should look out for the “gov.sg” domain in the URL, such as https://tech.gov.sg/media/events, and “go.gov.sg” domain in the shortened URLs, such as https://go.gov.sg/singpass-guides

  • Only click on URLs that clearly indicate the website domain. When in doubt, users can search for the organisation’s website directly using search engines to ensure that the websites they visit are legitimate

  • Pay particular attention to any misspelling and/or substitution of letters in the URLs of the websites they are browsing

  • Look out for valid encryption certificates by checking for the green lock in the browser’s address bar, before providing any sensitive information such as personal particulars or account login details
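The “gov.sg” and “go.gov.sg” domain check from the list above can be automated, for example in a mail or chat filter. The following is an added example, not part of the advisory: the function name, the sample links and the decision to accept only https links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL_SUFFIX = "gov.sg"        # government domain named in the advisory
OFFICIAL_SHORTENER = "go.gov.sg"  # GovTech shortener named in the advisory


def classify_url(url):
    """Return 'gov-shortener', 'gov-site' or 'not-gov' for a link."""
    # Browsers read "\" as "/" and drop some whitespace, urlsplit does not;
    # refuse such links rather than risk parsing a different host.
    if "\\" in url or any(c.isspace() or ord(c) < 0x20 for c in url):
        return "not-gov"
    try:
        parts = urlsplit(url)
        host = parts.hostname  # excludes any "user@" prefix and the port
    except ValueError:
        return "not-gov"
    if parts.scheme != "https" or not host:  # https-only is an assumption
        return "not-gov"
    try:
        # Convert to the ASCII form so look-alike letters do not compare equal.
        host = host.rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError:
        return "not-gov"
    if host == OFFICIAL_SHORTENER:
        return "gov-shortener"
    # Match whole labels only: "notgov.sg" and "gov.sg.example.com" must fail.
    if host == OFFICIAL_SUFFIX or host.endswith("." + OFFICIAL_SUFFIX):
        return "gov-site"
    return "not-gov"


if __name__ == "__main__":
    # Constructed sample links; the first two are the advisory's own examples.
    for link in (
        "https://go.gov.sg/singpass-guides",
        "https://tech.gov.sg/media/events",
        "https://go.gov.sg.example.com/singpass-guides",
        "https://go.gov.sg@example.com/singpass-guides",
        "https://example.com/go.gov.sg",
        "https://notgov.sg/",
    ):
        print(f"{classify_url(link):14} {link}")
```

The check looks only at the link as written. It does not follow redirects, so it says nothing about where a third-party shortened link eventually leads.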