Security May 29, 2026 5 min read

Unmasking Shortened Links: See the Real URL Before You Click

Learn practical ways to reveal the real destination behind link shorteners like bit.ly, t.co, and tinyurl before clicking — protect against phishing and malware.

Short links are convenient — they fit in tweets, look clean in emails, and track clicks. They're also a favourite tool of phishers, malware distributors, and affiliate spammers, because the destination is completely hidden behind a domain like bit.ly, t.co, tinyurl.com, or buff.ly. Clicking blind is a bad habit. Here's how to reliably uncover where a shortened URL actually leads before you load it in a browser.

Why You Can't Trust a Short Link at Face Value

A link shortener is just a redirect service. When you visit bit.ly/3xYz123, the bit.ly server responds with an HTTP 301 or 302 status and a Location header pointing somewhere else. That "somewhere else" could be:

  • A legitimate site (most cases)
  • An affiliate link with tracking parameters you didn't expect
  • A second shortener, which redirects again — creating a redirect chain
  • A phishing page that mimics a login screen
  • A drive-by download or exploit kit landing page

Attackers often chain multiple shorteners together specifically to defeat manual inspection and bypass security filters that only check the first hop.

Built-In Preview Features (Use These First)

Several major shorteners offer a native preview mode. It's not always advertised, but it works:

Bitly

Append a + sign to any bit.ly link. For example: https://bit.ly/3xYz123+ takes you to Bitly's info page showing the destination, click count, and creation date — without redirecting.

TinyURL

Insert preview. before tinyurl.com. So tinyurl.com/abc123 becomes preview.tinyurl.com/abc123, which shows the destination first.

Ow.ly and Buff.ly

These don't have public preview suffixes, but Hootsuite's safety net will sometimes show a warning page if the destination has been flagged.

t.co (Twitter/X)

No preview mode. You'll need to inspect the redirect manually or use a tool.

Inspect the Redirect Manually with curl

If you're comfortable on the command line, curl is the fastest way to see exactly what a shortener returns without executing JavaScript or loading the page.

curl -I -L https://bit.ly/3xYz123

The flags do two things:

  • -I requests only headers (no body)
  • -L follows redirects so you see the entire chain

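You'll get one block of response headers per hop. Look at each Location: header; that's the next URL in the chain. The last response, normally a 200 OK with no Location header, shows the true destination of the HTTP redirects. Keep in mind that -L makes curl request every hop, including the final destination server, and that curl does not follow meta-refresh or JavaScript redirects. Drop -L if you only want to see what the shortener itself returns.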

Example output

HTTP/2 301
location: https://example.com/landing?utm_source=twitter

HTTP/2 200
content-type: text/html

If you see multiple 301 or 302 hops through unfamiliar domains, treat it as suspicious. Legitimate links rarely chain through three or four redirectors.
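The header blocks that curl prints can be turned into an explicit hop list. This is an added example, not code from the original article: the function names are hypothetical and the sample output is constructed, with a relative Location value included because curl prints those unresolved.

```python
from urllib.parse import urljoin

# Constructed sample of `curl -sIL https://bit.ly/3xYz123` output (not a real capture).
SAMPLE = (
    "HTTP/2 301\r\n"
    "location: https://example.com/go\r\n"
    "\r\n"
    "HTTP/1.1 302 Found\r\n"
    "Location: /landing?utm_source=twitter\r\n"
    "\r\n"
    "HTTP/2 200\r\n"
    "content-type: text/html\r\n"
    "\r\n"
)

def parse_chain(start_url, header_dump):
    """Return one (url, status, next_url) tuple per response block, in hop order."""
    hops, current = [], start_url
    for block in header_dump.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [ln for ln in block.split("\n") if ln.strip()]
        if not lines or not lines[0].startswith("HTTP/"):
            continue  # skip anything that is not a response header block
        status = int(lines[0].split()[1])
        location = None
        for line in lines[1:]:
            name, _, value = line.partition(":")
            # Header names are case-insensitive; Location only matters on 3xx.
            if name.strip().lower() == "location" and 300 <= status < 400:
                # Relative Location values resolve against the URL just requested.
                location = urljoin(current, value.strip())
        hops.append((current, status, location))
        if location is None:
            break  # no further redirect: this is the final response
        current = location
    return hops

def final_destination(hops):
    """URL of the last response in the chain, or None for empty input."""
    return hops[-1][0] if hops else None

if __name__ == "__main__":
    for url, status, nxt in parse_chain("https://bit.ly/3xYz123", SAMPLE):
        print(status, url, "->", nxt or "(final)")
```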

Use a Redirect Chain Analyzer

Command-line tools are great, but a dedicated web tool gives you the full picture in one view — every hop, every status code, every header, and any cookies set along the way. The AXOX Hub Redirect Checker will follow a short link through every hop and display the entire chain so you can see:

  • Every intermediate URL
  • The HTTP status code at each step (301, 302, 307, etc.)
  • The final destination URL and its response headers
  • Any meta-refresh or JavaScript redirects

This is particularly useful when investigating suspicious links from emails, social media DMs, or QR codes, because you never execute the page in your own browser.

Red Flags in a Redirect Chain

Once you can see the chain, here's what should make you pause:

  1. Multiple shorteners stacked together — e.g., bit.ly → tinyurl.com → cutt.ly → final destination. This is almost always intentional obfuscation.
  2. Punycode domains — URLs containing xn-- that render as Cyrillic or Greek lookalikes (e.g., "раypal.com").
  3. Long random subdomains on free hosting like *.web.app, *.pages.dev, or *.workers.dev — legitimate, but heavily abused for phishing kits.
  4. Final URL that doesn't match the context — a "DHL tracking" link that ends at a Russian VPS, for example.
  5. IP addresses instead of domains in the final destination.
  6. Credentials in the URL like https://user:pass@somesite.com/ — an old phishing trick.
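Red flags 1, 2, 3, 5 and 6 can be checked mechanically once the chain is known; flag 4 needs a person who knows what the sender claimed. This is an added example, not code from the original article: the shortener and hosting lists are assumptions built from the domains named on this page, the function names are hypothetical, and the sample URLs are constructed. It flags any final host under the listed hosting suffixes rather than judging how random the subdomain looks.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed lists, limited to the domains this article names; extend for real use.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "buff.ly", "ow.ly", "cutt.ly"}
FREE_HOSTING = (".web.app", ".pages.dev", ".workers.dev")

# Constructed sample chain in hop order (198.51.100.7 is a documentation address).
SAMPLE_CHAIN = [
    "https://bit.ly/3xYz123",
    "https://tinyurl.com/abc123",
    "https://user:pass@198.51.100.7/login",
]

def is_ip(host):
    """True if host is an IPv4 or IPv6 literal rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def red_flags(chain):
    """chain: URLs in hop order, last item is the final destination."""
    flags = []
    parts = [urlsplit(u) for u in chain]
    hosts = [(p.hostname or "") for p in parts]  # hostname is already lower-cased
    stacked = [h for h in hosts if h in SHORTENERS]
    if len(stacked) > 1:
        flags.append("stacked shorteners: " + " -> ".join(stacked))
    for p, host in zip(parts, hosts):
        # Flag encoded (xn--) labels and raw non-ASCII hosts alike.
        if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
            flags.append("punycode or non-ASCII host: " + host)
        if p.username is not None:
            # Everything before '@' is userinfo; the real host comes after it.
            flags.append("credentials in URL, real host is " + host)
    final = hosts[-1] if hosts else ""
    if is_ip(final):
        flags.append("IP address as final destination: " + final)
    if final.endswith(FREE_HOSTING):
        flags.append("free-hosting subdomain: " + final)
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_CHAIN):
        print("-", flag)
```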

Quick-Check Workflow for Suspicious Links

When someone sends you a short link you're not sure about, run through this in under a minute:

  1. Copy the link — don't click it. Right-click and "Copy link address" in most browsers.
  2. Try the native preview suffix (+ for bit.ly, preview. for tinyurl).
  3. If no preview is available, paste it into a redirect analyzer or run curl -IL.
  4. Inspect the final destination domain. Does it match what the sender claimed?
  5. If the destination looks legitimate but unfamiliar, run it through a reputation check or visit the root domain directly in a sandboxed browser.

What About QR Codes?

QR codes are just encoded URLs, and they very often contain shortened links — which means they have all the same risks plus the added problem that you can't see the URL at all until your phone decodes it. Use a QR scanner app that shows the decoded URL before opening it (most modern phone cameras do this), then run the URL through the same redirect-check workflow above.

Browser Extensions vs. Web Tools

There are browser extensions that auto-expand short links inline (Unshorten.link, ClearURLs, and similar). They're convenient but have trade-offs:

  • Pros: Automatic, low friction, works on every page.
  • Cons: They send every URL you hover over to a third-party service. That's a meaningful privacy cost, and the extension itself becomes a supply-chain risk if its developer changes hands.

For one-off investigations of suspicious links, a server-side web tool you visit deliberately is usually a better trade-off than an always-on extension.

Check a Short Link Right Now

If you've got a suspicious bit.ly, t.co, or tinyurl link sitting in your inbox, paste it into the AXOX Hub Redirect Checker to trace the full chain and see the real destination before you click. It's free, requires no account, and never loads the page in your browser.
