Should organizations block URL shorteners?

The Case for Blocking URL Shorteners

URL shorteners present a genuine security challenge that has led many organizations to consider blocking them entirely. The argument for blocking is straightforward and compelling: URL shorteners obscure the true destination, making them ideal for phishing attacks, malware distribution, and other malicious activities. By blocking access to shortening services, organizations eliminate this risk entirely.

Organizations that take this hardline approach argue that the security benefits outweigh any inconvenience. In a security-first environment, the thinking goes, it's better to prevent all access to a high-risk service than to rely on employees to recognize which shortened URLs are safe and which are malicious.

However, the question of whether organizations should block URL shorteners isn't as straightforward as it might appear. The answer depends on factors including your security posture, user base, organizational culture, and available alternatives. A blanket blocking policy, while simple to implement, might not be the optimal approach for many organizations.

The Case Against Blocking

Completely blocking URL shorteners creates several practical problems:

Disruption to legitimate work: URL shorteners are used extensively for legitimate purposes. Marketing teams track campaign links, developers share documentation, and users share information on social media. Blocking shorteners entirely can impede normal business operations.

Broken communications: Employees collaborating with external partners or participating in industry communities often encounter shortened URLs. Complete blocking can make these collaborations difficult or impossible.

User frustration: Overly restrictive security policies can lead to workarounds. If employees can't use shorteners for legitimate purposes, they might use VPNs, public networks, or other circumvention methods that create security risks.

False sense of security: A policy of blocking all shorteners creates a false sense of security. Attackers don't rely solely on URL shorteners—they can and do use other techniques to distribute malicious links, such as redirects on legitimate sites or custom-built infrastructure.

The Real Cost-Benefit Analysis

The decision to block shorteners should be based on actual risk assessment rather than blanket assumptions. Consider:

Who are your users? Technical users in IT and security are more likely to recognize suspicious shortened URLs and use expansion tools. Less technical users in marketing or operations are more vulnerable to phishing via shortened URLs. Organizations with primarily technical staff might be able to trust employee judgment more than those with diverse user bases.

What are your current attack vectors? If your organization is frequently targeted by phishing attacks, blocking shorteners makes more sense. If you're not seeing attacks through shortened URLs, the security benefit is minimal.

What's your employee security awareness level? Organizations with strong security awareness training and high phishing reporting rates have demonstrated user sophistication that might make a complete block unnecessary.

What's your email security infrastructure? If your email gateway can expand and analyze shortened URLs before they reach users, you get much of the protection of blocking without the disruption.

What's the business impact? For organizations where employees frequently need to share links across multiple channels, blocking shorteners might have significant business impact.

Alternative Approaches to Blocking

Rather than a binary decision to block or allow, consider more sophisticated policies:

Expand and Analyze: Implement email gateway technology that automatically expands shortened URLs and analyzes the destination before emails reach users. This provides protection while not blocking legitimate uses outside of email.

Restrictions by context: Allow shortened URLs in certain contexts (internal messaging, for example) but not in others (where external users might send them). An email from an external sender with a shortened URL is more suspicious than one from an internal colleague.

User restrictions: Allow trusted users with demonstrated security awareness to use shorteners while restricting less technical users. This requires discipline in implementation but can balance security and usability.

Approved services only: Rather than blocking all shorteners, approve a whitelist of specific services that are well-established and trustworthy (bit.ly, tinyurl, etc.). This reduces risk while allowing common legitimate uses.

Monitoring and logging: Instead of blocking, implement monitoring that logs all shortened URL access and alerts security teams to suspicious patterns. This provides visibility into risks without blocking functionality.

User education with warnings: Instead of blocking, configure systems to warn users when they click shortened URLs. A prominent warning—"This is a shortened URL. Verify the destination before proceeding"—can be surprisingly effective.

Implementing a Nuanced Policy

For organizations considering more nuanced approaches, here's a practical framework:

1. Assess your threat model: Work with your security team to understand which attack vectors pose the greatest risk to your organization. If phishing via shorteners isn't a primary threat vector, blocking might not be justified.

2. Implement gateway analysis: Deploy email gateway technology that expands and analyzes shortened URLs. This catches many threats without blocking functionality.

3. Segment policies by user role: Consider different policies for different departments. Creative teams might need more flexibility; security-critical teams might have stricter controls.

4. Establish clear guidelines: Rather than a block, provide clear security guidance: "Verify shortened URLs before clicking. Use the company's URL expansion tool to preview the destination."

5. Monitor and measure: Implement logging to understand how your users interact with shortened URLs. Use this data to refine your policy over time.

6. Educate and train: Security awareness training should include information about shortened URL risks and how to safely verify the destination of suspicious links.

7. Create incident response procedures: Ensure your security team knows how to respond if shortened URLs are used in attacks against your organization.

Special Considerations for Different Organizations

Healthcare organizations: Regulatory requirements and high-stakes phishing targets might justify more restrictive policies. The cost of a successful attack is very high.

Financial services: Similar to healthcare, the regulated nature and attacker interest might justify blocking or very restrictive monitoring.

Technology companies: Employees typically have higher security sophistication and might not need as restrictive policies.

Retail and hospitality: These organizations often have less technical workforces and might benefit from stricter policies.

Government agencies: Regulatory requirements and strict security requirements might mandate blocking.

The Evolution of URL Shortener Security

It's worth noting that URL shortening services themselves are improving their security practices. Many legitimate services now:

• Implement abuse detection and automatic blocking of malicious URLs
• Require authentication for certain operations
• Provide security ratings and warnings about suspicious URLs
• Allow security researchers to report abuse
• Cooperate with law enforcement on malicious campaigns

As these services improve, the security risk profile of legitimate shortening might change over time.

Blocklist Maintenance Challenges

One practical challenge with blocking: shortening services are numerous and new ones emerge regularly. Maintaining comprehensive blocklists requires ongoing effort. This is one reason some organizations prefer allow-listing (approving specific services) rather than block-listing (blocking all except a few).

Indicators That a Block Is Appropriate

Consider implementing a blocking policy if:

1. Your organization has been targeted by phishing via shortened URLs: This demonstrates actual risk
2. Your users have very low security awareness: If you're experiencing high phishing click-through rates
3. Your industry has strict regulatory requirements: If compliance frameworks mandate such controls
4. You have highly sensitive information: If the cost of a successful attack is extremely high
5. You have available resources to maintain the policy: Blocking requires ongoing management

Indicators That a Block Might Be Overkill

Consider a less restrictive policy if:

1. You have sophisticated email gateway analysis: The technical safeguards already exist
2. Your user base is security-aware: Demonstrated by high phishing reporting rates
3. Your business requires sharing links: Marketing, sales, and other departments need this functionality
4. You collaborate with external partners: Who might legitimately use shortened URLs
5. Your threat model doesn't include shortener-based attacks: You're not actually seeing this risk

Conclusion

The question of whether organizations should block URL shorteners doesn't have a universal answer. While shorteners do present legitimate security risks—particularly for less sophisticated users vulnerable to phishing—a blanket block might be overly restrictive for many organizations. The optimal approach depends on your organization's specific risk profile, user base, and business requirements. For most organizations, a combination of email gateway analysis, user education, and monitoring will provide effective protection while maintaining the legitimate business functionality that URL shorteners enable. Those in high-risk industries with sophisticated threat models might justify stricter controls, but even then, understanding the specific threats and implementing proportionate defenses is preferable to broad-based blocking policies.