BG Beter Geregeld ICT
Security without an IT department · 5 min read · 05 July 2026

Shortened links (bit.ly and co): how do you check where they go?

Bit.ly, tinyurl, t.co: handy shortened links, but you can't see where they lead. Here's how to unwrap them in ten seconds — without clicking.

You get an email from a supplier: "Dear customer, our office has moved and we'd like to ask you to fill in a short survey." There's a link included. The sender looks legitimate. But in the address bar you spot something odd: bit.ly/xyz123, or t.co/abc, or something longer like tinyurl.com/relocation2026. A shortened link. And you have no idea where it goes.

Shortened links are convenient — that's exactly why they exist. But they're also a favourite trick in phishing, because as a recipient you can't see what you're clicking on. In this post: how to check what's hiding behind such a link in ten seconds, without clicking it.

Why shortened links are a problem

A normal link shows you where it goes. If it says invoices.yoursupplier.com, you know you'll end up at that supplier. With a shortened link (bit.ly, tinyurl, t.co, ow.ly, is.gd, buff.ly, lnkd.in), the destination is hidden behind a redirect. That can happen for three reasons:

  • Legitimate: the original link is too long for a social media post or newsletter.
  • Tracking: the sender wants to monitor who clicks.
  • Not legitimate: someone wants to hide the fact that the link leads to a phishing page, malware download, or fake login screen.

You can't tell from the link itself which of those three it is. That's why: check first, then click.

When should you be on your guard?

Not every shortened link is suspicious. But there are signals that should put you on alert:

  1. The link is in an email from an unknown sender, or from a known sender who doesn't normally use shortened links.
  2. The message puts you under time pressure ("pay within 24 hours", "your account will be deactivated").
  3. The link is in an SMS or WhatsApp message — shortened links are especially popular with scammers there because screens are small.
  4. The link promises something to download (invoice, packing slip, "important document").
  5. You're asked to log in after clicking.

In these cases: unwrap what's really behind it first.

How to unwrap a shortened link — without clicking it

Method 1: use the shortener's own preview trick

Some shorteners have a built-in preview option. Worth remembering:

  • bit.ly: add a + to the end of the link. So bit.ly/xyz123+ shows you where it goes, without actually going there.
  • tinyurl.com: change tinyurl.com/xyz to preview.tinyurl.com/xyz.
  • t.co (Twitter/X): can't be previewed this way, but method 2 works.

Works in any browser tab. Takes ten seconds.

Method 2: an online unshorten service

There are websites where you paste a shortened link and they show you the full chain of redirects. Search for "unshorten link" and use a service that clearly explains what it does. Copy the shortened link (right-click → "copy link address", don't click!) and paste it in.

Pay attention to what comes back: does the domain check out? Is it really yourbank.com or something like yourbank-login.online? Small differences tell the whole story.
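What an unshorten service does behind the scenes, as an added example (not code from this article or from any particular service): it sends a headers-only request to each hop and records the Location header instead of loading the page. The host track.example and the SAMPLE table are constructed stand-ins for the network. With the default fetcher the requests come from your own machine, so the shortener and the destination do see your IP address.

```python
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # stop on very long chains
REDIRECTS = (301, 302, 303, 307, 308)


def head_location(url):
    """Send one HEAD request; return (status, Location header or None).
    HEAD asks for headers only, so no page body is downloaded or rendered."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=10)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def trace_redirects(url, fetch=head_location):
    """Return every URL in the redirect chain, starting with `url`."""
    chain = [url]
    for _ in range(MAX_HOPS):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            return chain  # no further redirect: this is the destination
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if chain.count(nxt) > 1:
            return chain  # redirect loop, stop here
    return chain


# Constructed sample: a fake redirect table standing in for the network.
SAMPLE = {
    "https://bit.ly/xyz123": (301, "https://track.example/r?id=7"),
    "https://track.example/r?id=7": (302, "/landing"),
    "https://track.example/landing": (200, None),
}

if __name__ == "__main__":
    for hop in trace_redirects("https://bit.ly/xyz123", fetch=lambda u: SAMPLE[u]):
        print(hop)
```

Redirects performed by JavaScript or a meta refresh inside the page do not appear in HTTP headers, so the chain shown can end one hop before the real destination.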

Method 3: hover and read

On a laptop: hover your mouse over the link without clicking. At the bottom of your browser or email client you'll see the real URL. With a shortened link you'll still only see the bit.ly version, but with a "disguised" link (where the visible text says something different from the destination) you'll spot the difference immediately.

On your phone: press and hold the link (don't tap). On both iOS and Android a pop-up will appear showing the full URL.

What if the domain looks strange?

Say you've unwrapped the link and it gives you something like login.microsoft-security-check.com. Looks official, right? But the real Microsoft domain is microsoft.com, not microsoft-security-check.com. Anyone can register whatever name they like in front of the final dot-plus-extension, and everything further to the left (such as login.) is a subdomain that the owner of that name can make up freely.

Two rules of thumb:

  • Look at the part directly before the .com, .co.uk or .eu, together with that extension. That is the real domain.
  • If you're unsure about an IP address or domain, you can use our IP lookup to quickly check which country and hosting provider it belongs to. A "Dutch bank" hosted in Russia is a red flag.
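The first rule of thumb as an added example (not code from this article): pull the real, registrable domain out of an unwrapped URL and compare it with the domain you expected. The SUFFIXES set is a constructed, deliberately tiny stand-in for the Public Suffix List, and the function names are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (publicsuffix.org). A real check should load the full list.
SUFFIXES = {"com", "online", "eu", "nl", "uk", "co.uk"}


def registrable_domain(url):
    """Return the label directly before the extension, plus the extension."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit find the host in "bit.ly/xyz123"
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Try the longest candidate extension first so "co.uk" wins over "uk".
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[i - 1:])
    return host  # unknown extension or bare IP: return the host unchanged


def matches_expected(url, expected):
    """True only if the URL's registrable domain is exactly one we expect."""
    return registrable_domain(url) in {d.lower() for d in expected}


# Constructed sample URLs, built from the domains named in the article.
SAMPLES = [
    ("https://login.microsoft-security-check.com/signin", "microsoft.com"),
    ("https://www.microsoft.com/", "microsoft.com"),
    ("yourbank-login.online/secure", "yourbank.com"),
    ("https://invoices.yoursupplier.co.uk/2026", "yoursupplier.co.uk"),
    # Text before an "@" is a user name, not the host.
    ("https://microsoft.com@microsoft-security-check.com/", "microsoft.com"),
]

if __name__ == "__main__":
    for url, expected in SAMPLES:
        verdict = "ok" if matches_expected(url, [expected]) else "MISMATCH"
        print(f"{verdict:9} {registrable_domain(url):30} {url}")
```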

What do you do as a team?

The biggest gains come not from tools, but from habits. Three agreements that work in any SMB:

  1. When in doubt, don't click — navigate instead. Need to log in to your bank, accounting package, or supplier? Type the address yourself, or use your bookmark. Never via a link in an email.
  2. Report suspicious emails internally. If one colleague receives a phishing email, others probably will too. One WhatsApp message in the team group can save a lot of grief.
  3. Make sure your email security is in order. SPF, DKIM and DMARC filter out a large portion of the junk before it even reaches your colleagues.

In short

Shortened links aren't inherently bad, but they do hide the destination. For an SMB the simplest rule is: if you get one you don't trust, unwrap it before you click. Use + after a bit.ly link, an unshorten service, or simply press and hold a link on your phone. Ten seconds of effort, and you avoid a day of damage control.

Want to reduce these kinds of risks structurally? Check out our page on email security (SPF/DKIM/DMARC) — it means a large portion of these messages never reach your inbox in the first place.

Full guide: Security for SMBs without an IT department: what should you do this quarter?

This article is part of our comprehensive Security without an IT department guide. Read the pillar for the complete picture.