Picture this: You get a text from your bank saying you have an outstanding balance and must pay it immediately. You notice a few things in the message that suggest it might be a scam, but you’re not totally sure.
How do you verify before clicking the link and risking your identity and finances?
Maintain a verification mindset
Your instinct for catching red flags is a good foundation. Always make checking and double-checking your first response, and trust your gut. If something feels wrong, it probably is. Remember that if you are interacting with a legitimate company, you’ll never get penalized for being cautious.
Even if a message passes your initial gut check, use these tips to safely inspect links before taking action.
Inspecting links: How to check before you click
You’ll need to view the full link to verify its legitimacy. Once you have the full URL, check carefully for these red flags:
Misspellings (all-y.com vs ally.com)
Extra characters (allybank-secure.com)
Suspicious country codes (.ru, .tk)
URL shorteners hiding malicious destinations (bit.ly, tinyurl.com)
Legitimate services being used for malicious activities (ex. Electronic document signing platforms used to deliver malware)
Remember that legitimate URLs from companies will match their official domain exactly. For example, Ally uses ally.com, not allybanksecure.com or secure-ally-login.com.
Read more: How Ally Bank keeps your money safe
To view a link on desktop
To view a suspicious link on a desktop, use the hover technique and be careful not to click. Place your cursor above the link without clicking. A URL preview will appear as a pop-up or in the bottom-left corner of your browser window.
To view a link on mobile
Ultimately, the safest way to verify a link is to instead log in directly to your account or access the official website instead of clicking the link in the text message, especially if the communication was unexpected or from an unknown sender. Additionally, there are a few ways you can read a URL on our mobile device:
Use built-in previews: Many messaging apps show link previews where you can check the domain that is displayed
Take a screenshot: If the text is too small or you can’t inspect the link clearly, take a screenshot of the message and zoom in to read the domain carefully.
Staying one step ahead: Verification tools and techniques
Along with inspecting the domain yourself, you can use these techniques to determine if a link is safe.
Search the scam
If you believe the text is a scam, search the scam in your browser. For example, search “Jury duty text message scam” and you’ll be able to see if others are receiving similar messages.
Verify with the company
If the message is coming from a company you have an account with, you can go directly to the company website to verify. Open a new browser tab and type in the company’s official URL manually, then log in and check your account for the alleged issue mentioned in the message. Or, you can always call the company’s customer service phone number on their website directly.
Remember that a legitimate organization will never fault you for needing additional verification.
Verify sender identity
The sender of the message can help you identify whether a link is safe. If the link is in an email, check the email sender domain — whatever comes after the @ symbol should exactly match the company domain. If it’s a text, search the number online to see if it’s associated with scams. Be aware that even caller IDs can be faked to appear legitimate.
How to report a scam link
If you’ve received a message with a scam link, reporting it will help protect others and enable companies to shut down scam operations. If the message is spoofing your bank or another institution, contact its official fraud department. You can also file a report with the FTC using reportfraud.ftc.gov for consumer protection reporting.
For a text scam, text “SPAM” to 7726 to report the text to your mobile carrier. If you received the message on a work device, share it with your IT department to alert your company’s security team.
Your “click-or-skip" checklist
Before clicking on any link, ask yourself:
Did I expect this message?
Have I verified the sender independently?
Have I inspected the link/URL?
Does the domain match the official company website?
Have I checked the link with a URL scanner?
If you can't answer yes to all five questions, don’t click. Instead, go through official company channels to verify your account status directly.
More skills for your security toolkit
Following these verification steps only takes a few minutes, but can prevent major problems. Remember, a legitimate organization will never fault you for needing additional verification. Keep these skills in your security toolkit to stay one step ahead of scammers.
