One of the things I always caution my customers about is clicking links in email messages. Just because a link says it’s going to http://www.foxnews.com, doesn’t really mean that it is. (Yes, it’s safe to click on the link – would I send you somewhere bad?)

One of the easy ways to check where a link is actually going, is usually in your browser or mailer window. If you read your email in a browser window, there’s usually a link identifier somewhere in the window (in IE and Firefox, it’s down at the bottom-left of your browser window) which will tell you where the link is actually going. In your mailer, there’s usually a similar function. In Outlook, for example, you need to hover over the link for a second or so, and the actual link address will pop up over it. If it isn’t a site that looks right, you probably don’t want to click on it.

Why does it matter?

Why? Because the link could redirect you wherever they want to. It could be a malware site (see this link for a demonstration of how that might work), that actually does something to your computer, like install a trojan. Or it could be a phishing site, trying to fool you into revealing something about yourself, or your web accounts. These are typically sites that look like the real site, and convince you to enter your username and password, which they can then use to access your accounts later.

How can you tell?

How do you tell if a site looks right? Well, that can actually be tough, because the bad guys… well, they don’t want you to know. So it might look something like this: , which just looks like it has so much random junk in it, that you may not be able to tell where it’s from. Or it might say something like , or , all of which could look very serious when looked at casually.

But a closer look reveals an important clue, if you know what you’re looking for: The most important parts of the website address, most of the time, are the last two dotted sections. Let’s look at the URLs. The ends of the dotted sections are:

• sezkmvob.cn
• ur.pl
• prevention.br

Now I don’t know what the first one is purporting to be (I pulled it off a spam message I got, and modified it so it doesn’t really go anywhere I know of), but I do know that the server location is CN – China. The other two are intentionally fraudulent. They’re using the name of a bank somewhere in their URL, in order to make you believe that they’re from that bank. But looking at the domains from which they actually come, show us that one is from a domain in PL – Poland, and the other is from a domain in BR – Brazil. It’s pretty unlikely that either of these are from the banks!

So a little bit of care in watching what you click, before you click on it, can save you from a world of hurt.

That said, there is an additional wrinkle involved, which I’ll save for another post. In the meantime, be safe!