Why you should be skeptical of Bitly links in SMS

You get a message from someone, maybe a company you know, and it comes with a link that features bit.ly in the beginning. Is it real?

Scammers are looking for ways to con you out of your money, your password, your ID, and your life. You and people like you are worth real dollars to them, so much that it’s expected Australians will see scam losses of over half a billion dollars by the end of this year.

That’s crazy, and it’s money that is seriously going to waste, ending up in the pockets of criminals.

One of the scam types making a dent at the moment is the SMS scam, thanks to the neat tricks being used in it.

Scammers have already worked out how to make their messages fall under the same company send name as legit ones, using the same name and letting smartphones join the dots. That leads to questions over whether JB HiFi, Qantas, Australia Post, and Telstra are actually sending you scam messages, or whether it’s someone else.

But these aren’t the only tricks scammers are employing.

Recently, we’ve seen a move to use a different link, and it’s one that grabs attention.

The use of Bitly links in SMS

Typically, scammers will use two types of links in their SMS scams, choosing either

  • Links with names that are similar to the real thing, or
  • Links with names that are completely different to the real thing

With outlandish and different names, scammers are hoping you won’t check the link, and will just assume it’s legit. If you go to a website and it looks the same, maybe you’ll be convinced.

If you’re the sort of person that does check the web address, links with names that are similar to a real company or service may be enough to fool you: australiapost.direct is close enough to australiapost.com.au, and likewise jbstore.net.au might be close enough to jbhifi.com.au if you’re not paying close attention, and so you might be convinced enough to click.

But this isn’t the only tactic being used.

Lately, we’re seeing a push by scammers to use the URL shortening tool Bitly, which makes dodgy scam-filled links look more like not-so-dodgy real links.

Short links like Bitly aren’t necessary on SMS

Aside from all the neat tracking technology that Bitly offers in its short links, one of the main reasons you use its service is because it will shrink a link.

It means it can go from being a long page name to something much, much smaller.

On social media services that count the number of characters you have, shrinking a link is a useful idea, because it can drop the number of letters you have for a link down to its bare minimum. Companies can even replace the “bitly” name with their own. For instance, here at Pickr, we use pickr.xyz.

That means a shortened link still has relevancy on an SMS because of the 160 character limitation, but not as much. Most scams we’re seeing aren’t using anywhere near the 160 character limit of an SMS, and you can always push beyond 160 on an SMS if you pay for a second message. The character limit on social is different that way, even if short links were invented at a time when Twitter had a similarly small amount of characters (Twitter previously had a 140 character limitation, and now offers up to 280).

These days, shortening a web link isn’t necessarily as much of a requirement on social. On SMS, even less so.

However there’s a better reason why scammers are doing it: shortened Bitly links are more convincing.

Think about it this way: you’re probably used to seeing Bitly links regularly over social, so if a scammer uses one, the whole thing seems legit.

Bitly links are freely available to everyone, and anyone can start a Bitly account to start hiding and shortening their links. They can even use it to track how many clicks they get.

Sadly, scammers have picked up on this, and are doing it as well.

Question Bitly links sent to your SMS

[Image: A scam link sent under the name of Qantas]

When you get an SMS with a Bitly link in it, don’t assume everything is fine. Don’t make the assumption that the link doesn’t look dodgy, and that if you click, it will be legit.

Instead, question it and do a little bit of research. By “a little bit”, we mean write the link down and add a plus sign to the end of it. The plus sign will have Bitly tell you all about the link, such as where it goes to and how many people have clicked.

One example came from a scam link provided this week on Twitter, with http://bit.ly/31G6YOQ going to a Qantas scam, something detailed by http://bit.ly/31G6YOQ+.

This link goes to a rather dodgy scam site that has nothing to do with Qantas, something even pointed out by a disclaimer at the bottom stating the “website is not affiliated with or endorsed by Qantas”.

Frustratingly, over 2000 people had clicked on the link by the time this story went online, most of them from Australia.

[Image: Bitly clicks on a scam]

The lesson: should you automatically trust links in an SMS?

You’re probably learning quickly that information that comes from companies might not be easy to trust, not so much because the company is doing anything particularly nefarious, but rather because the companies can be imitated.

It’s a growing concern, and one companies should be aware of. It is all too easy for a scammer to send their SMS under the same recognisable company name, and not remarkably easy for a person to tell the difference or even for the company to do anything about it.

But people can be on guard against the links in these messages, watching and paying attention to what’s in them to make sure they’re not scammed by them.

If you see a Bitly link in an SMS from Qantas or any other major company and think it might be real, type it in and add a plus sign to the address.

Don’t go to the link itself, as that will just send you straight to the site it points to. Make sure the plus sign is there, and you’ll see Bitly’s stats. You might be surprised and see a real link, but more likely, you might see something that is clearly a scam, and you’ll have saved yourself the trouble.
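
As an added example (not part of the original article), the Python below applies the two checks described above to the text of an SMS: it turns any bit.ly link into its plus-sign preview address without visiting it, and it compares any other link against the domains the named sender actually uses. The allowlist, the function names and the sample messages are constructed for illustration, and qantas.com as Qantas’s domain is an assumption not stated in the article.

```python
import re
from urllib.parse import urlsplit

# Bitly's default short domain; branded short domains (the article's own
# pickr.xyz, for instance) cannot be recognised by hostname alone.
SHORTENERS = {"bit.ly"}

# Constructed allowlist: sender name -> domains that sender really uses.
# The first two domains are the ones the article names; qantas.com is assumed.
OFFICIAL = {
    "Australia Post": {"australiapost.com.au"},
    "JB HiFi": {"jbhifi.com.au"},
    "Qantas": {"qantas.com"},
}

URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def is_official(sender, host):
    """True if host is one of the sender's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d)
               for d in OFFICIAL.get(sender, ()))


def triage(sender, text):
    """Return (link, verdict, bitly_preview_or_None) for each link in an SMS."""
    findings = []
    for raw in URL_RE.findall(text):
        link = raw.rstrip(".,;:!?)")
        parts = urlsplit(link if "://" in link else "http://" + link)
        host = (parts.hostname or "").lower()
        if host in SHORTENERS:
            # A trailing "+" asks Bitly for its info page instead of redirecting.
            preview = f"https://{host}{parts.path.rstrip('+')}+"
            findings.append((link, "shortened", preview))
        elif is_official(sender, host):
            findings.append((link, "official-domain", None))
        else:
            findings.append((link, "unrecognised-domain", None))
    return findings


# Constructed sample messages; the Bitly link is the one quoted in the article.
SAMPLES = [
    ("Qantas", "Your flight credit is waiting: http://bit.ly/31G6YOQ"),
    ("Australia Post", "Your parcel is held. Pay the fee at australiapost.direct/track."),
    ("JB HiFi", "Track your order at https://www.jbhifi.com.au/orders"),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(sender, triage(sender, text))
```

Because the sender name on an SMS can be imitated, an “official-domain” verdict describes the link only, not who sent the message.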