Would You Click This Link?

Category: Email , Security

Your mouse hovers over a link... your trembling finger is poised to click... but you stop to think. Is there danger lurking behind that link? Do you know how to tell right away if a website (or link) is going to lead you into a world of hurt? A single click can trigger an unwanted download, a malware infection, stolen login credentials, ransomware, or identity theft. Here are some practical tips and tools you can use to click smarter...

How To Tell If a Link or Website May Be Dangerous

The quotation “Eternal vigilance is the price of liberty,” dates back to the late 1790s. And though there is some argument over who said it first, it’s a particularly relevant dictum in this Internet Age. The human race has never enjoyed more liberty of ideas, communication, and personal action than we have since the World-Wide Web emerged as The Great Enabler.

But the need for constant vigilance against danger on the Web is also at an all-time high. Every click of a link has the potential to deliver a malware or ransomware infection, silently and instantly. Every new site that we visit stands a good chance of being a trap whose jaws can close on us so subtly we don’t notice until we’re swallowed.

Even sites we have visited a thousand times and know well can be mimicked with frightening accuracy by the bad guys. (See Here's Why Phishing is Getting Worse.) Eternal vigilance is, indeed, the price we must pay for the vast liberty the Web gives us. But what must we do in actual practice to remain vigilant?

Eternal Vigilance required for safety online

We cannot rely solely on other people to keep us safe out there on the Web. Nor can software alone outwit the evil but highly intelligent and adaptable people who wish to do us harm. So-called “reputation services” such as Web of Trust are not much use, especially against brand-new rogue sites that have no reputation yet. The labels and reviews that WoT members assign to sites are often polluted by personal vendettas, branding good sites as bad; worse, the bad guys brand each other’s sites as “good.”

Chrome, Firefox, Edge, and Safari web browsers have anti-phishing and anti-malware capabilities, meant to protect users from clicking malicious links. But there's no guarantee those filters are perfect, or 100% up to date.

Even the software that’s supposed to sniff out potentially malicious websites can suffer from false positives, branding legitimate ones as harmful. This happened to me, when McAfee slapped AskBobRankin.com with “suspicious content”, “potentially unwanted programs”, and “malicious website” labels that blocked their users from visiting. It took three weeks and 14 emails with McAfee support to convince them otherwise. I had to show them evidence that 79 other link checkers, and every other major security vendor showed my site as safe and malware-free. (See I'm Positive... It's a False Positive! for that story.)

Telltale Signs A Site May Be Dangerous

Nobody looks out for you as well as you can. So here is what to look out for, when you encounter a suspicious link, an unknown website, or a familiar one that just doesn’t seem right.

Raise your shields immediately if a website asks you to do something that seems unnecessary or out of the ordinary. You shouldn’t have to install a browser plug-in in order to view a site’s content. Creation of a username and password should never require a credit card, even if the site swears the card won’t be charged. A game or survey that asks where you bank, where you live, who your family members are, your pet’s name, and other questions you would find impertinent from a stranger should set your alarms ringing. (Those are common ways for scammers to get the answers to your security questions.)

If you see a message asking you to login and verify your account credentials (login, password, account number or social security number) be extra wary. Your bank or financial institution should never ask you for that information by email.

Unexpected email from strangers should always be approached cautiously. So should email that seems to be from someone you know (or a company you do business with) if it is “out of character” in timing, topic, or tone. Creating a sense of urgency is a common technique used by scammers to trick people into taking action. If anything seems “off” about an email, put down that mouse and back away slowly. Make a phone call (using a verified number) to check it out, or search online to see if it's a well-known scam.

My wife and I operate a short-term rental, and we regularly get sketchy inquiries from people who want to scam us. But when I Google the text of their inquiry, it often turns out they've simply cut-and-pasted a well-known scam without bothering to change the words. Thank goodness for stupid criminals.

Do not click on any links in a suspicious email. Instead, hover your cursor over the link and right-click to reveal a drop-down menu. Select the option to “copy link address” without opening the Web page to which it links. Then go check out that URL (web page address).

Anti-virus software can protect you from malicious links and rogue websites, up to a point. Most popular internet security tools rely on “black lists” of known threats and viruses, and will block them from being downloaded or executed. PC Matic assumes the opposite, treating any unknown software as unsafe until proven otherwise. My article What's New in PC Matic? explains why I replaced my antivirus software with PC Matic.

Look Before You Leap Think Before You Click

The Google Transparency Report is a great place to start, because it reports on websites, and not just individual pages. The Zulu URL Risk Analyzer is a good tool to examine a specific web site. Just paste the suspect URL into the Analyzer’s input box and it will scan the target site for malicious content.

Virus Total scans a site (or a download) using multiple antivirus engines. If the site or file has been scanned before and deemed malicious, Virus Total will warn you. Remember above when I said that I was able to provide 79 reasons why McAfee should unblock my site? VirusTotal checks dozens of sources to see if any have reported unsafe content. You can check a website, or upload a file of your own to be scanned.

If a URL has been shortened, it must be fully expanded before it can be scanned by Virus Total or another URL-checker. You don’t want to expand a shortened URL by actually fetching its target Web address; that could infect you with malware. Instead, copy the shortened URL to your clipboard and paste it into the form at Unshorten.it. The expanded URL will appear below the shortened one, and you can copy the latter to any place you wish.

Note: When using a smartphone, you can't place the mouse cursor over a link as you can on a desktop. Instead, press and hold the link, and you'll get a popup which allows you to view, copy, or share the link address without opening it.

A “secure connection” is vital when exchanging sensitive information, such a credit card details, with any site. Look at your browser’s address bar for the “https://” protocol symbol. The “s” in it means the current connection is secured with encryption so only you and the server to which you are connected can read the information exchanged. Your browser should warn you if a web server does not have a valid “digital certificate” to make secured connections. The certificate may - or may not - also authenticate the identity of the server and/or its owners.

Digital certificates are sold by “certificate authorities,” such as Verisign or Comodo. To create differentiated products and make more profit, certificate authorities sell different levels of certificates. A basic certificate secures an https connection, but provides no assurances about the server or the people who own it. A more expensive one may indicate that the certificate authority has verified the legitimacy of the server. The most expensive “extended validation certificates” deliver the authority’s assurance that it has thoroughly verified the business or people who own the server, too; that is the most trustworthy certificate. See Comodo’s explanation of the different types of digital certificates. When you understand them, you will be able to tell what level of trustworthiness a certificate offers.

What has been your experience with suspicious websites, sketchy emails, etc. How do you protect yourself? Your thoughts on this topic are welcome. Post your comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 4 Apr 2023

For Fun: Buy Bob a Snickers.

Prev Article:
REVEALED: How Creepy Marketers Get Your Email Address

The Top Twenty
Next Article:
LifeLock: Will it Save Your Digital Bacon?

Most recent comments on "Would You Click This Link?"

Posted by:

Kenneth Thrasher
04 Apr 2023

This a great reminder for me. I am aware of and use a number of these tips but got some new ones as well. Thank you!

Posted by:

04 Apr 2023

Interestingly, today Mom received an email from Amazon about just this issue, and the advice is good, so I hope it is okay to add to my post:

"Our customers helped us take the fight to scammers last year by reporting suspicious emails, texts, and phone calls. Each report matters.

Protect yourself from scammers
Be careful installing apps or software
Be careful installing apps or software
Amazon will not ask you to install an app or download software in order to receive a refund or to get help from customer service.
Never pay over the phone
Amazon will not ask you to provide payment information, including gift cards (or “verification cards," as some scammers call them), for products or services over the phone.

Always verify orders directly with Amazon
Amazon will not include purchased product information in order confirmation and shipping confirmation emails we send to customers. For any questions related to an order, always check Your Orders on Amazon.com or via the “Amazon Shopping” app.

Be wary of false urgency
Amazon will not pressure you to act now. Scammers may try to create a sense of urgency to persuade you to do what they're asking.

If you receive communication — a call, text, or email — that you think may not be from Amazon, please report it to us at amazon com/reportascam Visit the Message Center on our website to review emails from Amazon"

Posted by:

David Serfass
04 Apr 2023

My browser (Firefox) has a setting so it will only go to sites with HTTPS. When I try to, it gives me a message warning me.

Posted by:

04 Apr 2023

Lately, I've received a request from a company I take surveys from once in a while: asking me if they could share my views on the surveys with others. And I refused...

Posted by:

04 Apr 2023

The key line was "you stop to think." When I get in trouble is when I DON'T stop to think. When you slow down, you're more likely to see one of those danger signals. My last "gotcha" was an IM message supposedly from a friend with a subject line that made sense to be coming from her. Had the subject been "How are you?" I would never have taken the bait, but the subject sounded right. Fortunately, it wasn't a serious breach, but I felt like a dummy. That'll protect me next time and for a while, but reminders like yours are needed constantly.

Posted by:

04 Apr 2023

"Thank goodness for stupid criminals." Incorrect!! They are smart criminals; they are looking for stupid victims!

Why try to to scam the smart people, when there are so many more stupid (or more properly, "naive" or uninformed) people.

Important: if you are scammed, don't think you're stupid, you just didn't know. Read Dr. Bob Rankin and know better!

Posted by:

05 Apr 2023

To answer the question (How do you protect yourself?) from the closing paragraph (above), I have worked very hard over the years to learn the habit of checking EVERY link before I click it.

Before I retired, I had a side business building, troubleshooting, and repairing computers for a handful of customers. One of them called me back in the early 2000s asking if I can help her. Her computer suddenly became very unresponsive earlier that day. I directed her to shut down, then I went to her home. She had contracted malware (we called it a virus back then). I ended up restoring her computer from the previous day's backup, and all was well (see how important backing up your system can be?). After I got everything set right, I showed her how to check the URL for any link she was tempted to click (both in email and on web pages). Her experience taught us both a very valuable lesson (look before you leap!) which can best be describes as "CHECK BEFORE YOU CLICK!". I then worked to develop that habit, even up to the point of putting a paper sticky note on the side of my desktop PC monitor (at home) with the brief admonition "CHECK BEFORE YOU CLICK!" handwritten with as large sized text as would fit using a felt-tipped pen to make the text as bold (attention-getting) as possible. After a month or so, I no longer needed the sticky note. Today, checking the URL a link will take me to is as habitually natural for me as anything else I do on my computer (and, yes, I still check). If I forget to check a link, before I click it, alarm bells go off in my mind, so I stop and try to figure out what's wrong before I click, then, when I realize I haven't checked the link yet, I do so.

For me, link checking is a part of what I call "Cognitive Security" which, in addition to the above, involves remaining very skeptical about EVERYTHING that comes from the Internet. Fundamentally, it is based on the concept of "check before you trust". This applies to anything you see, hear or read on the Internet (especially if it reinforces or enhances your current beliefs because you can never know the true intent of the original author(s)). The concept of social engineering involves much more than tricking you into clicking some link. Politicians and many other groups employ it to promote their agenda(s). If you don't want to be manipulated, check before you trust or believe.



Posted by:

05 Apr 2023

I still use an ancient email client (Eudora). Maybe other clients do this, but Eudora allows me display the target URL by hover my cursor over a link, at which point I can see the target URL at the bottom of the screen without Eudora opening the URL. In nearly all instances, I can tell whether the URL points to a legitimate source. Quick and simple.

Posted by:

Hugh Gautier
05 Apr 2023

Possibly that is the reason I open unknown URL links in the Incognito mode, as I did tothe question that you initially asked. It is similar to a VPN but isn't that either. It doesn't allow tracking nor will cookies be able to get through.

EDITOR'S NOTE: Incognito Mode won't stop a virus, phishing attack, or ransomware.

Posted by:

Doc Elliott
05 Apr 2023

I've been using MailWasher for many years to vet my emails. For example, Outlook only shows this email is from "Bob Rankin". MailWasher, which sits between the email server and Outlook and shows the whole email sender as "Bob Rankin (bob@rankin.org)"
This has allowed me to bounce and delete suspicious emails where the sender's name doesn't match the email address.

Posted by:

07 Apr 2023

Firefox does warn if a site doesn't use HTTPS. Trouble is, they are often wrong. I often click on a message from Threads magazine to which I've had a subscription forever (one guess about what it covers). Firefox tells me it doesn't use HTTPS but it does and I know that. So maybe they're wrong about other sites too.

Posted by:

DBA Steve
12 Apr 2023

Would you click this link? Click here to read.

The irony is amazing.

And thanks for the ongoing information!

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- Would You Click This Link? (Posted: 4 Apr 2023)
Source: https://askbobrankin.com/would_you_click_this_link.html
Copyright © 2005 - Bob Rankin - All Rights Reserved