Tech Tip: Checking Questionable Links Without Clicking Them

There’s nothing that can set off a feeling of unease in a person more than wondering whether the link you just clicked on a website or in an email is going to load malware onto your Mac or direct you to a malicious page. In today’s tech tip, we’ll show you some ways to check those links that are making you feel queasy without clicking on them.

Why Can’t I Just Click On Every Link I See On Websites or in Emails?
You can, but you’re taking a risk doing so. First, let’s say you get an email that appears to be from your bank, asking you to log in and verify some account information. Don’t do it!

This is most likely a phishing attack, where a malicious party is attempting to direct you to a website that very often looks nearly identical to the one you wanted to visit. You log in…and that party now has your user ID and password, and in many cases can just log in and clear out your accounts. In other cases, you may be directed to a site where malware will be installed surreptitiously on your Mac without you knowing.

Think before you click, unless you’re absolutely sure that you’re on a safe site. What are some warning signs of malware or phishing links that you should look for?

Watch Out For Shortened Links
If you’ve been around the Internet for any length of time, you’re familiar with link shortening services like Bitly and TinyURL. They take a long web address like “https://eshop.macsales.com/blog/42686-a-complete-guide-to-universal-clipboard-in-macos-high-sierra” and shorten it to something like “http://bit.ly/2zTnIoT”. This used to be quite handy in the days when every character in a web address counted against the 140-character limit on Twitter. Now it’s a favorite of hackers, since that “bit.ly” domain name can mask a malicious URL that’s masquerading as the site of a financial institution.

How can you tell where a shortened link is trying to point you? There are two handy ways: First, use a link expansion service like CheckShortURL.com. Paste in the short URL and it will display a page of information about the destination (see screenshot below). There is even a set of links that will further check if your link is safe.
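What an expansion service does behind the scenes, as an added example that is not part of the original article: it asks the shortener where the link redirects and reads the answer without loading the destination. The function names are hypothetical, and the code assumes the shortener answers a HEAD request with a redirect.

```python
import http.client
from urllib.parse import urljoin, urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com"}  # the two services the article names

def next_hop(url, timeout=5):
    """Ask the server where `url` redirects to, without following the redirect.

    Returns the redirect target, or None if the server does not redirect.
    """
    parts = urlsplit(url)
    secure = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)          # headers only, no page body
        resp = conn.getresponse()
        location = resp.getheader("Location")
        if resp.status in (301, 302, 303, 307, 308) and location:
            return urljoin(url, location)   # resolve relative redirects
        return None
    finally:
        conn.close()

def expand(url, shorteners=SHORTENERS, max_hops=5):
    """Follow redirects only while the current host is a known shortener.

    The chain ends at the first address that is not a shortener, and that
    final address is never contacted.
    """
    chain = [url]
    while len(chain) <= max_hops and urlsplit(chain[-1]).hostname in shorteners:
        target = next_hop(chain[-1])
        if target is None:
            break
        chain.append(target)
    return chain

if __name__ == "__main__":
    # Short link quoted in the article; running this contacts bit.ly only.
    print(" -> ".join(expand("http://bit.ly/2zTnIoT")))
```

The last entry in the chain is the address to paste into a link scanner.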

Beware of Phishing Emails
Getting an unsolicited email from your bank or another financial institution that’s asking you to verify information should set off warning bells in your head, as it’s probably a phishing attack. Oddly enough, I received a phishing email yesterday (see screenshot below) that’s perfect for demonstrating the elements of a phishing attack:

(The phishing email that arrived yesterday…)

The emails will usually warn you of dire consequences if you do not respond to the email by logging into the service. In this case, it’s Stripe, which I use to receive payments for my business, and they’re trying to get my attention by telling me that I’m about to get a payment of $4600 and should check it out.

This is actually a pretty well-done phishing attack since a) I do have a Stripe account, b) it’s not full of the grammatical and spelling errors usually found in phishing emails, and c) it was a nicely done HTML email with a border, the Stripe logo, and even the correct address for Stripe. It set off the alarms in my brain because I never get payments that large through Stripe.

Fortunately there are a few ways to check out phishing emails without clicking any of the links contained in them. It’s possible to check the source of the email in macOS by hovering your cursor over the From address, then clicking the disclosure triangle ( ˇ ) that appears next to it. The screenshot below shows that the email address this was sent from was “strp33@sealcoatingandmore.com”, not an address at stripe.com.

(This is NOT from Stripe.)

That same disclosure triangle appears in other places when the cursor is placed above a link. For example, I hovered my cursor above the payment amount — which is a link — and clicked the disclosure triangle to show a preview of the web page (see screenshot below). Sure enough, it looks just like the Stripe login page, but it shows a “hippls.com” domain name at the top (outlined in red). That’s my second indication that this isn’t a valid email.

(The destination URL in this preview is NOT Stripe, although the page looks like the Stripe login page.)

The disclosure triangle in macOS works well on the “View in Stripe Dashboard” link, too. Just hovering over the address shows a link to a “1stripe.com” domain, which is close, but still bogus… (see screenshot below)

(1Stripe.com is NOT Stripe.com.)

Many browsers including Safari also display a warning if a site is dangerous. For example, a click on the “support website” link displays a bright red web page in Safari with the following message (see screenshot below):

(Warning! Warning!)

All of these methods are for macOS, but what about iOS? Fortunately, you can do similar things to check out a potential phishing email on your iPhone or iPad.

For example, tapping on the From address (“Stripe Support”) in the phishing email used as an example here brings up a Contact sheet, which promptly shows the fake email address (see screenshot below):

(Stripe doesn’t use a “sealcoatingandmore.com” email domain…)

Tapping and holding on any of the links in the email displays a menu of possible ways to process the link (see screenshot below), but the most important thing to note is the link address shown at the top of the menu (outlined in red). Once again, this is the faux “1stripe.com” website, not the real Stripe website.

(Two things wrong here: No https prefix and the wrong URL.)
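The same checks done by hand above (real sender address, real link destination, https or not) can be run over the saved message text without rendering it or loading anything it references. This is an added example, not part of the original article; the sample message is constructed from the domains the article reports, its URL paths are made up, and the function names are hypothetical.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message modelled on the article's phish; the URL paths are made up.
SAMPLE = """\
From: Stripe Support <strp33@sealcoatingandmore.com>
Content-Type: text/html; charset="utf-8"

<p>You received <a href="https://hippls.com/login">$4600</a>.</p>
<p><a href="http://1stripe.com/dashboard">View in Stripe Dashboard</a></p>
"""

class LinkCollector(HTMLParser):  # gathers (visible text, href) pairs; fetches nothing
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def belongs_to(host, domain):
    """True for the domain or its subdomains only, so '1stripe.com' is not 'stripe.com'."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw_email, expected_domain):
    """List what does not match the organisation the message claims to come from."""
    msg = message_from_string(raw_email, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    sender_ok = belongs_to(addr.rpartition("@")[2], expected_domain)
    findings = [] if sender_ok else [f"sender '{display}' is really {addr}"]
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html", "plain")).get_content())
    for text, href in collector.links:
        url = urlsplit(href)
        if not belongs_to(url.hostname, expected_domain):
            findings.append(f"link '{text}' goes to {url.hostname}")
        if url.scheme != "https":
            findings.append(f"link '{text}' is not https")
    return findings
```

Calling `triage(SAMPLE, "stripe.com")` returns four findings: the sender address, both link destinations, and the missing https on the second link.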

Set Up Two-Factor Authentication
Even if you fall prey to a phishing attack like this one, there’s a way to ensure that the bad guys aren’t going to get into your account: set up two-factor authentication at your financial institutions. This usually works by sending an authentication code to something only you have — an email address or an iPhone — that you then enter into a field on the website for verification.

If the hackers don’t have your iPhone or Mac at hand, there’s no way they’re going to be able to receive that code and enter it into the website. This is the beauty of two-factor authentication – even if they have been successful in getting your user name and password, there’s no way they can log into the site.

Watch For Strange Characters in Links
Hackers and malware distributors often try to conceal the destination of their malicious websites by using URL encoding. In URL encoding, the letters and symbols that make up the website name are encoded as a percent sign ( % ) followed by a two-digit hexadecimal number. For example, MacSales.com might be encoded as %6D%61%63%73%61%6C%65%73%2E%63%6F%6D (an encoding table can be found here).

Long story short? Watch out for long URLs full of “%” symbols and avoid them at all cost.
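To read what an encoded link actually says, decode it rather than open it. The sketch below is an added example, not from the original article; it goes a little beyond the text by also unwrapping nested encoding and by counting escapes that hide ordinary letters, digits and dots, which never need encoding. The function names and the second and third sample links are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Characters that never need escaping in a URL (RFC 3986 "unreserved").
UNRESERVED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~")
ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")

def fully_decode(text, max_rounds=5):
    """Undo percent-encoding, including nested layers (%256D -> %6D -> m).

    Returns (decoded text, layers removed, escapes that hid an unreserved character).
    """
    layers = needless = 0
    while layers < max_rounds and unquote(text) != text:
        needless += sum(chr(int(h, 16)) in UNRESERVED for h in ESCAPE.findall(text))
        text = unquote(text)
        layers += 1
    return text, layers, needless

def inspect_link(link):
    """Describe a link from its text alone; nothing is fetched."""
    # Prefixing "//" lets urlsplit() find the host in a bare "host/path" link.
    url = link if "://" in link else "//" + link
    host, host_layers, _ = fully_decode(urlsplit(url).hostname or "")
    readable, layers, needless = fully_decode(link)
    return {
        "host": host,                      # the site the link really names
        "readable": readable,              # the whole link, decoded
        "host_was_encoded": host_layers > 0,
        "needless_escapes": needless,
        "layers": layers,
        # An ordinary escape such as %20 in a search query is not flagged.
        "suspicious": host_layers > 0 or needless > 0 or layers > 1,
    }

if __name__ == "__main__":
    samples = [
        "%6D%61%63%73%61%6C%65%73%2E%63%6F%6D",        # the article's example
        "https://www.example.com/search?q=usb%20hub",  # constructed: ordinary escape
        "http://%256D%2561c.example/",                 # constructed: nested encoding
    ]
    for s in samples:
        print(inspect_link(s))
```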

Check a Suspicious URL with a Link Scanner
Finally, there are ways to test those web addresses that may look “OK”, but are still making you feel uneasy. Enter the web address into a known link scanner and see if it’s a valid address. Three sites that work well are Norton SafeWeb, URLVoid, and ScanURL. Enter an address into one of these sites, and they will provide a rating or response.

If the site shows up as “unknown”, with a “red” rating, or with a response of “URL is not valid”, you know you’ve got a live one.

Use Antimalware Software That Has Real-Time or Active Scanning Available
Let’s say you accidentally click a link that sends you to a site that’s set up to unload some malware onto your Mac. If you’re running antimalware and/or antivirus software on your Mac, make sure that it has a “real-time” or “active” scanning option and that it’s turned on. This will protect you from malware that may try to load itself onto your Mac if you hit one of these bad sites. Of course, you should make sure that your antimalware/antivirus software is updated frequently with virus definitions and engine updates.


Stay safe out there, please! Be sure not to click on any links in emails or on websites unless you’re absolutely certain they’re from a reliable source. Watch for misspellings and bad grammar on linked web pages and in emails, and set up two-factor authentication when you want an extra level of safety.

Steve Sande
Contributing Author
Steve has been writing about Apple products since 1986, starting on a bulletin board system, creating the first of his many Apple-related websites in 1994, joining the staff of The Unofficial Apple Weblog in 2008, and founding Apple World Today in 2015. He’s semi-retired, loves to camp and take photos, and is an FAA-licensed drone pilot.
16 Comments

  • You lost me when you said to “hover” the mouse at one point. Not relevant to iPhone touchscreen. I used to be able to click and hold my finger to see info about the link without going to it but in the last year or so that activity is not safe since it acts like I clicked the link and takes me there. Is there some setting that takes me back to that original functionality?

  • I’m not sure if it’s a good idea to use the Safari link preview function in some spam emails because it might cause a web-tracking “bug” to load content, which is then tied to your email address and lets the sender know that it is a live email address.

  • But a malware program can not be installed on a Mac without the user account password!

  • I think there is a typo here: “The screenshot below shows that the email address this was sent to was ”

    I believe you meant “…..the email address this was sent FROM..”

  • I use virustotal.com. It has an option to check a url or upload a file to check. I use it before installing any apps from outside the App Store. It farms out the check to several dozen sites to check.

  • Another trap I’ve encountered is this:
    You get a warning that someone in a foreign country has attempted access to your iCloud a/c. Some days later you get what APPEARS TO BE a legitimate message from iCloud stating that you need to update your details, including Credit Card information. I was sucked in and sure enough funds soon got withdrawn from the credit card a/c. Luckily my bank was sufficiently watchful to halt the transaction and recover the funds.
    Lesson learned!

  • I understand and use most of these precautions. However, there seems to be a new breed of spammer who can monitor and gather data from transactions I do on-line with different businesses. Example: I recently flew to another city in Canada. The day before the flight, I get a spam email offering a link to download my ticket. It was not the correct flight, but it was the right airline, the starting airport listed was my destination. Along the same lines, I have bought from an Italian eyeglasses frames and sunglasses vendor in Italy and a clothing company in the UK in the last year. Two months ago, I started getting spam emails pitching Ray Ban sunglasses and Michael Kors clothing at claimed discounts of 80%.
    What is going on? I use tracking blockers, a cookie destroyer and an ad blocker. I am running Sierra with Outlook 365 for email and I use an independent ISP over a DSL.

  • Maybe I am being simplistic, but in the example given (ostensibly from “Stripe”), the e-mail was apparently to one person about a specific sum of money – but! – it was addressed to “undisclosed-recipients”! Right there is my first signal that this is a crock of….

    Interesting world we live in!!

  • What’s this “disclosure triangle?” Is it a feature of mac “Mail” ? It’s not an OSX thing since it does not appear in Thunderbird.

    Looks like you are somehow viewing the contents of the email outside of an email app ???::

    The destination URL in this preview

  • Even simpler: NEVER follow a link in an even faintly suspicious email. Go to the site from the link stored in your browser and investigate. This is SOP here.