They train customers to click links that don’t match the company’s main domain name.
Brands love branded URL shorteners. When sharing shortlinks, why use a default bitly link when you can include your brand in the domain?
Many companies use short country code domains as part of their shortlinks. Favorites include .to and .ly.
But there’s a problem with so many companies using these links: they train customers that they can safely click links to go to websites on domains that don’t match the company’s main domain name. This desensitizes people to potential phishing campaigns and other scams.
Consider the text message I received last night (pictured). The link is for chase(.)lc.
Several things jumped out to tell me this was a scam: it’s from a random phone number, I didn’t just place an order, and a merchant wouldn’t ask me to confirm something with Chase.
But the domain name was low on the list of warning signs. If I received a real message from Chase, I might expect the company to use something other than Chase.com as the URL shortener.
Financial companies need to train their customers to go to one domain, not many. The widespread use of branded shorteners throws a wrench into this.
(Chase(.)lc was registered yesterday at EPAG, and as of today, the links don’t work. The country code for Saint Lucia is .lc.)
I recently saw something similar, albeit with the free URL shortening service “gg.gg”, for a Brazilian bank (which does make use of branded URL shortening in SMS it sends to customers). The link has been banned after being reported, but I can certainly imagine customers of Itau bank clicking through because of the similarity of the shortening they are very accustomed to seeing in SMS.
This would be one of the stronger cases as to why companies should consider applying for and operating their own .BRAND TLD (under a closed system).
Yes, it would take time and a huge financial investment to make the transition, but the payoff for a company like Chase to be able to say “Ignore any digital communication from a non .chase TLD” would be incredibly valuable in the long term from a security and risk mitigation perspective.
But they could just say ‘ignore communication from everything but chase.com’. It still won’t work, at least in the medium term, as long as people are conditioned by other companies to think it’s OK to go to sites ending in multiple TLDs.
Fair point. And I definitely agree with your fundamental argument that training users to expect comms from multiple extensions can be an issue (especially for financial companies). But I’d still make the case that, whereas .com is a generic extension that can be used for any purpose by anyone (i.e. a major bank or a spammer), the branded extension is completely locked in terms of who can use it, which adds a layer of security you can’t replicate on .com. Likewise, you can’t spoof a branded extension in the same way you can with a .com (chasebank.com, chaase.com, chased.com, ohase.com, etc. etc.)
It is just another round of confusion.
People don’t know what .chase is so telling them “Ignore any digital communication from a non .chase TLD” doesn’t mean a thing.
That’s why the custom URLs are super important. They let the users know where the link is redirecting. Most of the services have custom URLs exhausted. So nowadays I use https://alias.com.
Oops, wrote the wrong address. The address is https://alias.live.
My bad