When I first began writing on security issues, experts told me repeatedly that the best way to avoid viruses and falling for phishing scams was to hold my cursor over the link in the e-mail message. If the preview of the URL doesn't match the URL link in the message, you can be fairly sure it is a scam. It's a habit I've picked up for every single Web link I get in e-mail and in social media sites.
Except that users on Twitter (and other sites) automatically shorten URLs so they fit into the 140-character limit. The cursor trick doesn't work with shortened URLs, so you really have no idea where the link is taking you until you are there, and by then it might be too late.
"Phishers are exploiting URL-shortening utilities to conceal the identity of links to malware sites. The shortened URL adds a level of indirection and also hides the actual location of the URL. Shorter URLs make the phishing and URLs less suspicious than using the exact URL, which could be unrelated to the site the spam message appears to come from. The same is true with Trojans that use the same approach to send shortened URLs in instant messages to buddy lists."
Companies have a dual problem: They want to make sure customers know their shortened URL links are safe, and they also want to make sure employees aren't clicking on dangerous links.
When I spoke with Gartner analyst Avivah Litan, she told me the best way for enterprises to build trust with consumers is to authenticate themselves to users with shared secrets (e.g., icons, questions/answers) if it's a site the user regularly does business with. The advanced browser features or toolbars that warn users about phishing and other illegitimate sites are still a decent choice for end users, although they certainly are far from perfect, she added.
Another option is to use a shortened-URL checker, such as Tiny URL Checker from PCIS or LinkScanner from AVG, to find potentially malicious hidden links.
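As an added illustration of the two checks discussed above (the cursor trick and what a shortened-URL checker does), here is a small Python script that is not part of the original post or of either product: it compares the host shown in a link's text with the host in its href, and expands a short URL hop by hop with HEAD requests, never following redirects automatically or downloading a page. The `.example` hostnames and the `SAMPLE_HOPS` redirect table are constructed so the chain can be exercised offline.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

def _host(url):
    """Lower-cased hostname; link text like 'www.bank.example/x' gets a scheme first."""
    if "//" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def hover_mismatch(displayed, href):
    """The cursor check: True when the visible link text names one host
    but the real href points at another (a shortener host always differs)."""
    return _host(displayed) != _host(href)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at the first redirect so every hop stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_location(url, timeout=5):
    """One live hop: HEAD the URL and return its Location header, or None.
    The response body is never fetched."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as e:   # an unfollowed 3xx surfaces here
        return e.headers.get("Location")

def expand(url, lookup=http_location, max_hops=5):
    """Return the redirect chain [url, hop1, ..., final]. lookup(url) gives the
    next hop or None; it is injectable so the logic can be checked offline."""
    chain = [url]
    for _ in range(max_hops):
        nxt = lookup(chain[-1])
        if not nxt:
            break
        nxt = urljoin(chain[-1], nxt)      # Location may be relative
        if nxt in chain:                   # redirect loop: stop here
            break
        chain.append(nxt)
    return chain

# Constructed redirect table standing in for live shortener responses.
SAMPLE_HOPS = {
    "http://short.example/abc": "http://redirect.example/go?x=1",
    "http://redirect.example/go?x=1": "/verify",
    "http://redirect.example/verify": "https://login-bank.example/",
}
```

Pass `SAMPLE_HOPS.get` as `lookup` to walk the constructed chain, or omit it to resolve a real short link over the network; the final entry of the returned list is the host the user would actually land on.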