You’ve heard it a bazillion times: “Don’t click links in email!” That’s usually for a very good reason. This is by far one of the biggest ways I see clients get bitten. But what makes email links bad? What’s the worst that could happen if I do click one? This topic is cloudy for most people, so let’s break it down once and for all.
How Email Links Work
Emails are typically formatted in a language known as HTML. It’s the same language that websites are made with. Emails are basically little web pages sent to your inbox. It’s possible to send plain text emails (without HTML), but that’s rarely done these days.
Practically anything you can do with a web page, you can do with an email. This includes linking. Hyperlinks (“links”) are possible because of the HTML working in the background. So what exactly is possible with hyperlinks?
Nothing new, right? So where is this link going to take you? It can be hard to tell. This particular link will take you to Google. But what about this next one?
This link takes you to Google as well. Why? Because the HTML code I made in the background told it to. You can never tell where a link will take you based on what it says. That goes for pictures and buttons, too.
This is an official PayPal button I got from a site somewhere. But it’s only an image (a “picture”). I can make it link anywhere I want. If you click this button, it actually goes to a special page I created.
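To make the point above concrete, here is an added example (not part of the original article) that reads the HTML behind an email and reports, for every link, what it displays versus the host it really points to. It flags links whose visible text looks like one web address while the underlying `href` goes somewhere else. The sample email body, the `.example`/`.test` hostnames and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that itself looks like a web address, e.g. "www.bank.example/login"
URLISH = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#]|$)", re.I)

def same_site(shown, actual):
    """True if the real host is the shown host or a subdomain of it (ignoring www.)."""
    shown, actual = (re.sub(r"^www\.", "", h.lower()) for h in (shown, actual))
    return actual == shown or actual.endswith("." + shown)

class LinkAuditor(HTMLParser):
    """Record what each <a> displays versus the host its href really points to."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._label = [], None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and "href" in attrs:
            self._href, self._label = attrs["href"] or "", []
        elif tag == "img" and self._href is not None:
            self._label.append(attrs.get("alt") or "[image]")  # picture/button links

    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            label = " ".join("".join(self._label).split())
            host = urlsplit(self._href).hostname or ""
            shown = URLISH.match(label)
            self.links.append({"label": label, "host": host, "mismatch":
                               bool(shown) and not same_site(shown.group(1), host)})
            self._href = None

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    return parser.links

# Constructed sample email body (reserved .example/.test names, not real sites)
SAMPLE = """<p><a href="https://www.google.com/">Click me</a></p>
<p><a href="http://login.bank.example.attacker.test/signin">www.bank.example</a></p>
<a href="https://pay.attacker.test/"><img src="btn.png" alt="PayPal button"></a>"""

if __name__ == "__main__":
    for link in audit(SAMPLE):
        print(link)
```

Only the second link is flagged as a mismatch, because its text claims to be an address. The "Click me" text and the button image make no claim at all, so the reported host is the only thing that tells you where they go.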
What Are The Dangers of Email Links?
Phishing is the term for sending emails (considered the bait) with a link to a fake website. Once on the site, the user is tricked into giving sensitive information. For example, the link takes you to a fake site that looks like your bank, and you try to log in with your username and password. The bad guy has now captured your login info. And if he’s clever, the fake site will then redirect you to the real site afterward. You’d probably be none the wiser.
For an ongoing list of phishing alerts, check out FraudWatch International’s page.
Malware or “virus” downloads
The link may take you to a website that infects your computer with malware like ransomware or a keylogger (a “virus” that captures everything you type into your computer like passwords and credit card numbers). Or it might even download the virus directly without going to a web page. Malicious web pages are the most common way that I see computers get infected in my day job.
Why It’s Hard To Tell the Real from the Fake
Most of the emails you get will be fine. The trouble is, do you know which is which? Some bogus emails are obviously fake to most people, full of misspellings and shady suggestions. But some of them look very professional. Take these for instance. They’re both fake. Would you be able to tell the difference?
Phishing Example 1
Phishing Example 2
These would fool most people. But besides looking legitimate, there are other ways to fool us.
Hacked email account
If a spammer hacks an email account, he can send out an email blast to all the contacts stored in the account. This is dangerous because you may get a phishing email that’s actually sent from the real account of someone you know. Unless the email seems out of the ordinary, you’ll have no way of knowing.
Email address spoofing
Spoofing is essentially “faking”. It’s possible to spoof the sender’s address so it looks like it’s coming from someone you know, when in reality it’s coming from the bad guy’s email account. It can be very hard or impossible to tell if an email address is spoofed. It requires digging through the email header which is, itself, prone to tampering. But if that interests you then check out this guide for basic instructions.
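As an added example (not from the original article or the guide it mentions), this is roughly what "digging through the email header" looks like when done with a script: compare the domain in From with Reply-To and Return-Path, and read the SPF, DKIM and DMARC verdicts from the Authentication-Results header. The raw message, its hostnames and the function names are constructed; the verdicts are only meaningful when that header was added by your own mail provider, since anything earlier in the header can be forged.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain(header_value):
    """Lowercased domain of the address in a header value ('' if there is none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def header_red_flags(raw):
    """Return a list of reasons to distrust the sender shown in From."""
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    flags = []
    # Replies or bounces going to a different domain than the visible sender
    for name in ("Reply-To", "Return-Path"):
        other = domain(msg[name])
        if other and other != from_dom:
            flags.append(f"{name} domain {other} differs from From domain {from_dom}")
    # Verdicts recorded by the receiving mail server
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    for check in ("spf", "dkim", "dmarc"):
        verdict = re.search(rf"\b{check}=(\w+)", auth)
        if verdict is None:
            flags.append(f"no {check} result recorded")
        elif verdict.group(1) != "pass":
            flags.append(f"{check}={verdict.group(1)}")
    return flags

# Constructed raw message (reserved .example/.test names, not real senders)
RAW = """\
Return-Path: <bounce@mailer.attacker.test>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mailer.attacker.test;
 dkim=none; dmarc=fail header.from=bank.example
From: "Your Bank" <alerts@bank.example>
Reply-To: support@bank-help.attacker.test
Subject: Action required

Please log in.
"""

if __name__ == "__main__":
    for flag in header_red_flags(RAW):
        print(flag)
```

A differing Return-Path on its own is common with legitimate bulk mail services, so treat these flags as reasons to look closer rather than proof of spoofing.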
Forwarding a phishing email
Sometimes people are just naive and forward an email to you that has a malicious link in it. They might not realize it’s there, and have possibly become a victim themselves. I see it happen.
Which Email Links Can I Click?
Well, if you don’t click any of them you won’t have a problem. But that’s not realistic. Very few people will ever take that advice. The good news is you don’t have to. I suggest treating links like attachments. Only click a link if you’re expecting it.
Examples of when to click
You just ordered something from Amazon. Feel free to click the shipment tracking link in the email they send you. Just make sure it’s exactly what you’re expecting. If you get a tracking link that you weren’t expecting, or for a product you don’t recognize, delete the email right away.
You just signed up for an account on a website. If they send you a link to confirm your email address, it’s okay to click it. But again, make sure it’s exactly what you’re expecting and you specifically remember requesting it.
Examples of when NOT to click
You get an unexpected email from your bank. Maybe it says that you need to log in and take care of something important. Don’t click the link they give you. If you didn’t know it was coming, there’s no guarantee it’s a legitimate email.
Your friend sends you a link that you weren’t expecting. Don’t click it. Remember, the sender’s address can be spoofed or their account hacked. Yeah, I know, this is all awfully annoying, so is there anything else we can do?
What To Do Instead of Clicking Links
In the case of your bank or other institution, just go to the website yourself and log in. Type in the address manually in the browser or click your bookmark. That way you can see if there’s something that needs to be taken care of without the risk of ending up on a phishing site.
In the case of your friend’s email, chances are that they copied/pasted the link into the message. That means you can see the full address. You can just copy/paste the address into the browser yourself without clicking anything. Of course, before doing that make sure you recognize the website and that it’s not misspelled. Make sure it looks like this:
and not like this:
Other Things To Consider
It’s up to you how far you want to take this. For instance, I’ve made a rule never to click links in emails notifying me that my paycheck has been deposited. Yes that really happens, and I get one every week, but automated recurring emails can be dangerous. They’re commonly faked because the bad guys know we’re expecting them.
The bottom line is that unless you explicitly know and trust it, avoid it. That’s all there is to it. Make this a habit and you can avoid one of the biggest mistakes in internet safety.