Australian technology news, reviews, and guides to help you

How to unmask a Bitly text message scam

It’s been some time since a scammer tried to pull one over on us with Bitly’s link shortening service, but if you get one of these scams, here’s what to do.

Scammers will try anything to relieve you of money, because that’s how they roll, leaving you to do everything you can to foil their attempts.

Preventing scams from affecting your life isn’t always easy, and while security software doesn’t always help, education certainly can, giving you the know-how to beat the bad folks.

Much of this is simply being aware and knowing what not to click on, but sometimes, the scams are convincing because of how they land in your life.

Take the Australia Post scams that have been popping up lately, as scammers turn to spoofing the “AusPost” sender ID on phones and manage to land text message scams that look convincing enough in your mobile inbox. They’re happening somewhat regularly, and are getting more and more convincing, though there are some obvious giveaways, especially if they have a “bitly” link inside.

What do Bitly text scams look like?

You’ve probably heard of Bit.ly before, also known as “Bitly”, as it’s one of the web’s main shortening services. Essentially, Bitly shortens website links so they’re smaller, making them easier to send in messages and on social platforms.

Aside from the legitimate uses for Bitly, scammers like to rely on the service because:

  1. It’s free, and
  2. It makes their dodgy links look more convincing in texts.

Typically, we’d tell you that the obvious way to spot a scam in text messages is by looking at the website link. If a scammer is trying to convince you they’re the real Australia Post, they’ll usually do it with a web address that resembles the name they’re imitating, such as a redeliverysite.com, or something convincing enough to trick you at a moment’s glance.

But when a link is masked by the link shortening service Bitly, our expectation is the link is legitimate because we can recognise Bitly from other uses online.

It looks more real, even if it isn’t. In fact, here’s what one looked like this week:

A fake AusPost message that's actually a scam.

A package has apparently been put on hold, but the language is still sketchy. Australia Post wouldn’t write “please re-delivery”, as that’s not English.

The link, however, is convincing because it’s a Bitly link. So how do you know what Bitly is hiding?

Bitly does offer a way for anyone to see what’s behind one of its shortened links, and it comes simply by adding a plus sign to the end.

Simply put, if you want to see what a Bitly link is hiding, type in the Bitly web address, and before you hit enter, add a plus (+). When you do, Bitly will show you where it’s supposed to take you, which in the case of this scam, revealed this location. In this example, it would mean looking up https://bitly.com/3PnGH1m+, which reveals the real website behind it.

Where the Bitly link actually directs to: a scam that isn't Australia Post.

The destination, supportauspost-com-au.top, is not even a secure website (not that it would matter), and it is not one of Australia Post’s real websites, which are auspost.com.au and, for package tracking, mypo.st.

In fact, if you do a WHOIS on the actual web address, you won’t find Australia Post behind it, but rather someone trying to be very private.
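
The two checks described above, building the plus-sign preview address and comparing the revealed destination against Australia Post’s real domains, can be scripted. This is an added example, not code from the original article; the function names and the sample URLs (other than the article’s own link and domains) are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domains taken from the article; everything else here is illustrative.
OFFICIAL_DOMAINS = ("auspost.com.au", "mypo.st")
BITLY_HOSTS = ("bit.ly", "bitly.com")


def _split(url):
    """Parse a URL, assuming https:// when the scheme is missing (as in an SMS)."""
    return urlsplit(url if "://" in url else "https://" + url)


def bitly_preview_url(link):
    """Return the Bitly preview address: the same short link with '+' appended."""
    parts = _split(link.strip())
    host = (parts.hostname or "").lower()
    code = parts.path.strip("/").rstrip("+")
    if host not in BITLY_HOSTS or not code or "/" in code:
        raise ValueError(f"not a Bitly short link: {link!r}")
    return f"https://{host}/{code}+"


def is_official_host(url, official=OFFICIAL_DOMAINS):
    """True only when the hostname IS an official domain or a subdomain of one.

    A plain substring test would pass look-alikes, so the match is anchored
    on a label boundary ('.' + domain) at the end of the hostname.
    """
    host = (_split(url.strip()).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in official)


if __name__ == "__main__":
    print(bitly_preview_url("bitly.com/3PnGH1m"))
    # Destinations to classify; paths are constructed sample values.
    samples = [
        "https://auspost.com.au/mypost/track",       # real domain
        "https://mypo.st/abc123",                    # real tracking domain
        "http://supportauspost-com-au.top/",         # destination from the article
        "https://auspost.com.au.parcel.example/",    # real name used as a prefix
        "https://auspost.com.au@parcel.example/",    # real name in the userinfo part
    ]
    for url in samples:
        print("official " if is_official_host(url) else "NOT official", url)
```

The last two samples show why the comparison is made on the parsed hostname rather than on the text of the link: the real domain appears in both, but neither hostname belongs to Australia Post.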

What happens if you do click on this Australia Post scam?

If you were to click on this Bitly-protected Australia Post scam, you’d be taken to what is clearly a phishing attempt: a thin, mobile-oriented website set up with a suggested parcel tracking code waiting for you. When you click through to the next step, it asks you for credit card details.

This is pretty much the regular approach for post delivery scammers, with the suggestion that retrying a delivery will cost you money. That’s not actually what happens, but scammers keep trying it, with this so-called $1.99 cost not only nonsense, but primarily a way for them to snag your debit or credit card details.

If you put in a fake set of details, there’s no credit card check — because it’s fake — and it asks you for your address.

Don’t let yourself get to that point, though. If you end up accidentally clicking on an Australia Post scam, look at the web address up top and see if it matches an actual Australia Post website.

And if that still doesn’t make sense, the moment a website asks for your card details to retry a delivery, close the window ASAP, because you’ve very likely landed yourself in a scam.
