A URL shortener does one job: it hides a long URL behind a short one. That is a feature when the long URL is an ugly analytics link, and a gift when it is a phishing page. The shortener's domain is old, reputable and allowlisted almost everywhere — which means the link inherits a reputation the destination never earned.
Why attackers love them
- Reputation laundering. Mail filters score the visible domain. A well-known shortener sails through filters that would quarantine the raw destination.
- Rotation after delivery. Some services allow editing the destination after creation — the link is benign while the email is being scanned and swaps to the payload an hour later.
- Built-in analytics. Campaign operators get click-through stats for free, including geography and device mix, which feeds targeting for the next wave.
- Chaining. A shortener resolving into another shortener into a traffic distribution system makes the cheap scanners give up before the destination.
Unwrapping without clicking
Most major shorteners offer a preview mechanism that shows the destination without following the redirect — appending + to a bit.ly link, or a preview parameter on others. That works for a quick manual check, but it has two limits: chained links need unwrapping repeatedly, and a cloaked destination can still serve the preview crawler something different from what a victim gets.
The safer habit is to let a scanner do the clicking. Submitting a short link to Voretix detonates the full chain in an isolated browser: the report shows every hop, the final destination, its screenshot and its verdict — without the link ever touching your machine or burning your IP into the operator's analytics.
Treat a short link like an unmarked package: you do not have to refuse delivery, but you also do not have to open it in your living room.
A 20-second triage checklist
- Did the sender have a reason to shorten this link at all? Corporate email rarely does.
- Scan it — and read the redirect chain, not just the verdict.
- Check whether the final domain matches the brand the message claimed.
- If the chain contains a second shortener or a fresh domain, stop there. You already have your answer.
Frequently asked questions
How do I see where a short link goes without clicking it?
Scan it. A sandbox follows the full redirect chain in an isolated browser and shows every hop plus the final page screenshot and verdict — safer than preview tricks, which cloaked pages can fool.
Why do scammers use link shorteners?
The shortener domain is old, reputable and allowlisted almost everywhere, so the link sails through filters that would quarantine the raw destination. Click analytics and post-delivery destination swaps are bonuses.