Protection from Malicious Links

Malicious links are not new, but they continue to plague us. Research shows that a significant number of people will click on a link in an email, web page, or document without taking a second thought, and all too often, end up infecting their device with dangerous malware.

Stop Malicious Links

In a large-scale study by Verizon, 23 percent of recipients immediately opened phishing messages, and 11 percent of them went on to click on a link or open an attachment. And it happens fast. It takes an average of only 82 seconds from the time an attacker launches a phishing campaign until the first victim takes the bait and clicks a malicious link. This isn’t just occurring with personal accounts. It also takes place at businesses and government agencies where users should know better.

Clicking on a link is risky. It’s essentially telling your computer that you accept whatever this is, agree to go wherever the link takes you, and that you authorize any JavaScript on the page to execute on your device. Unfortunately, a simple click may lead to downloading malware that allows a hacker to take over your machine. When that happens, your computer and its contents can potentially be controlled and viewed by someone else. To make matters worse, you will rarely know that this is happening.

Although malicious links do present serious threats, there are a number of steps that users and organizations can take to effectively protect themselves from this type of cyberattack.

How End Users Can Protect Themselves from Malicious Links

To guard against malicious links in emails, websites, or documents, end users can definitely fight back and, in most cases, prevent an attack before it begins. Although it takes a bit of education and discipline, damage from malicious links can generally be avoided by adhering to a few guidelines.

Think Before You Click

Perhaps the best way to avoid clicking on a dangerous link is to browse intelligently.  Always carefully check the URL before clicking on it, especially when connecting to your bank, social networking site, email account, or when making an online transaction. Most browsers, including Firefox, Chrome, and Microsoft Edge, include a color-change on the left side of the location bar to indicate that the site has been verified as legitimate. If you don’t see a green “https”, abort, or at least proceed with caution.

If something seems a bit off, don’t click on the link.

Learn How to Spot a Malicious Link

Many malicious links are easy to spot or avoid if you know what to look for. Here are a few telltale signs:

The Link Came in an Unsolicited Email – If you received an unsolicited email allegedly from a trusted person or entity, beware. If, for example, a message that looks like it’s from your bank requests that you “verify your information”, it’s most likely a phishing attack. Even if the message and link look legitimate, don’t click on it. Always go to your bank’s website by entering its address yourself, or use a bookmark you created. Never trust links in e-mails, text messages, or pop-ups.

Unencrypted Site – If you don’t see a green “https” address indicating that the system is encrypting all communication, you should probably abort, especially if you plan on performing any transactions or entering data. It’s always a good idea to enter financial or transaction oriented URLs yourself. Another option is to search for the site via your preferred search engine and click on the search results, but even then, inspect the URL.

Invalid Certificate – If you double-click on the padlock icon, the browser should display the website’s security certificate. If it doesn’t, or you receive a message saying the URL address of the site does not match the certificate, it could be a malicious site.

The Message or Link Seems Out of Character – Even if the link appears to have come from a friend or someone you trust, look for signs of foul play. Anything that seems out of character could mean that an imposter sent the message. Spelling and grammar errors are a good sign that the message came from a hacker. Short messages that don’t sound like the sender are another indicator of something amiss. If anything looks strange, ignore any suggestions to click on a link. Contact the sender via your address book or by typing in their address and verify the message. Don’t just reply, or you’ll be responding to the attacker.

Spoofed Domain Name – Take a close look at the domain name in the link. Altered spelling of a domain name is an almost certain sign of a scamming attempt. For example, note the use of “0”, the number zero, instead of the letter “o” in the following domain: HTTP://WWW.N0TASAFESITE.COM.

Strange Characters in the URL – Sometimes cybercriminals will try to conceal the actual name of a website using what is known as URL encoding. For instance, the letter “A” that has been URL-encoded would translate to “%41”. Using encoding, attackers can mask addresses, commands, and other malicious data within a link. If you see a bunch of “%” symbols in the URL, beware.

A “Shortened Link” – Link-shortening services such as bitly and others are popular choices for anyone trying to fit a link into the confines of a Twitter post. Unfortunately, link shortening is also a method used by cybercriminals to conceal a link’s true destination. If the browser is displaying a shortened link, you can’t tell whether it’s bad or good just by looking at it. Don’t click on it without first using a tool that will let you see the full address.
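Several of the signs above can be checked mechanically before anyone clicks. The following Python sketch is an added example, not part of the original article; the host lists and the digit-to-letter table are constructed for illustration. It also narrows the “%” check to encoded letters and digits, which never need encoding, so ordinary encoded punctuation is not flagged.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not from the article): sites the user
# really deals with, and a few link-shortener hosts.
KNOWN_HOSTS = {"notasafesite.com", "example-bank.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Digits commonly substituted for look-alike letters, as in "N0TASAFESITE".
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def triage_link(url):
    """Return a list of warnings for one URL; an empty list means nothing was flagged."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]

    # Unencrypted site: anything other than https (urlsplit lowercases the scheme).
    if parts.scheme != "https":
        warnings.append("not-https")

    # Shortened link: the real destination is hidden until the link is expanded.
    if host in SHORTENERS:
        warnings.append("shortened-link")

    # Spoofed domain: the host is unknown, but matches a known host once
    # look-alike digits are mapped back to letters.
    restored = host.translate(LOOKALIKES)
    if host not in KNOWN_HOSTS and restored in KNOWN_HOSTS:
        warnings.append("lookalike-of:" + restored)

    # Strange characters: percent-encoding of plain ASCII letters or digits
    # serves no purpose except to obscure what the URL says.
    decoded = [chr(int(h, 16)) for h in re.findall(r"%([0-9A-Fa-f]{2})", url)]
    hidden = [c for c in decoded if c.isascii() and c.isalnum()]
    if hidden:
        warnings.append("encoded-plain-chars:" + "".join(hidden))
    return warnings
```

An empty result only means none of these particular heuristics fired; it does not show that the link is safe.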

Evaluating a Link Before Clicking on It

If a link looks suspicious but you can’t tell for certain if it’s legitimate, the best thing to do is verify the validity of the link by contacting the individual who supposedly sent it. Do that by sending a separate message; don’t just hit reply. If you can’t contact the sender to validate the link, there are a number of additional steps you can take to test a link without clicking on it.

Hover Over the Link – Sometimes a link masks the website to which it links. If viewing the link with a browser, you can hover over it and the browser will display the URL, typically in a lower corner of the window. For example, a link labeled “click here” will take you to Lastline’s home page, but you wouldn’t know that unless you hover over it.

Expand Shortened Links – You can use a service like CheckShortURL to expand a short link. Some link expanding sites will even check to see if the link is to a site known to be malicious.

Use a Link Scanner – There are a host of tools available to check the safety of a link before actually clicking on it. URLVoid and VirusTotal are examples.

Safely Copying a Link – Services like URLVoid and VirusTotal require you to type in or paste a suspicious link. You can safely copy the link to your clipboard by right-clicking on it. That won’t execute or take you to the destination site, but it will bring up a context menu that will allow you to copy the link to your clipboard. From there you can safely paste the link to VirusTotal or another scanning service.

Enable “Real-Time Scanning”

Take advantage of link scanning features offered by your browser or antimalware software. Doing so may use more system resources, but it’s far better to identify malicious links before you click on them.

Stay Up to Date

If you do happen to click on a malicious link, it’s likely that malware will immediately scan your device for vulnerable applications. If you regularly update your operating system and other applications, it’s much less likely that the malware will be able to do any damage. Keeping your antivirus software updated is also a good idea. It may not detect the latest forms of malware, but it just might prevent a known attack from succeeding.

Augmenting Endpoint Protection

Educated and diligent end users, along with updated security tools residing on their devices, can go a long way towards preventing or at least minimizing damages due to malicious links. But as mentioned earlier, despite training and good intentions, a large percentage of users will still click on malicious links. As a result, organizations need to augment their endpoint antimalware and link analysis systems with advanced network level protection.

While secure web and email gateways, next-generation firewalls, and intrusion detection systems are fairly effective at detecting known threats, including known malicious links, they are not effective when it comes to preventing modern, advanced attacks. That requires an additional level of protection.

Organizations can augment their conventional security systems by integrating them with an advanced breach detection system like Lastline.  Firewalls, intrusion detection systems, web and email gateways, and other systems can submit files, objects, links, or JavaScript for advanced analysis.  It will identify malicious links and entities, enabling organizations to block them before they inflict serious damage.


Cybercriminals use malicious links because they work. They are an effective way for attackers to run their code on our phones, laptops, and desktops. Fortunately, with a little education and discipline, diligent end users will be able to spot and avoid most malicious links. And when a bad link is clicked or allowed into the network, advanced breach detection systems can readily detect and thwart it.

Detecting malicious links and preventing them from damaging our systems will be an ongoing battle. But one that we can win if we work at it.

Brian Laing

For more than 20 years, Brian Laing has shared his strategic business vision and technical leadership with a range of start-ups and established companies in various executive level roles. The author of “APT for Dummies,” he was previously vice president of AhnLab, where he directed the US operations of the internationally known security and software leader. Brian previously founded Hive Media where he served as CEO. He co-founded RedSeal Systems, where he conceived the overall design and features of the product and was granted two patents related to network security. He was also founder and CEO of self-funded Blade Software, which released the industry’s first commercial IPS/FW testing tool.