Everyone knows of the common cybersecurity tips to be careful when you open links in an email. But every day we look for something on the Internet, clicking links which the search engine shows us, and we do not have the same fear. Why are the links in email considered more dangerous than links from web search results?

Maybe it is related to the fact that links in an email may contain a more personal attack malicious to you or your company?

Adam Shakhabov
The results of a search engine are based on previously collected data, i.e. the engine does not start scanning the whole internet when doing a search but looks through an index of seen and stored sites. The results are also ordered, i.e. the sites which fit the query best and which also have the highest reputation for good answers in general are at the top. Thus, as long as fairly common search terms are used, the top hits come from sites with a high reputation.

There are attempts to pollute search engines by returning different results to the search engine's web bot than to the normal user. This is not new, so search engines partially try to detect such pollution by simulating normal users. They also include historic reputation information, i.e. sites which behaved shady in the past are considered shady for some time in the future too. New sites also have less reputation than established sites etc.

Together, this makes search engine results fairly well (but not perfectly) curated data. Links in mails are the opposite of this: no up-front checks and curation are done on these links, and it is entirely up to the end user (or some security software in the path) to decide if the link is safe or not. That's why these links are far more dangerous.

Steffen Ullrich
Let me use an analogy:

It's for the same reason we tell our children not to take sweets from strangers, but at the same time we allow them to buy some in the supermarket with their pocket money.

Or more technically: The difference is that in the first case you receive something you did (likely) not ask for, in the second case you yourself look out for something you need.

Or, in the form of advice: Never accept something given to you without having asked for it.

One reason might be that links in emails can be "personalized", links in web searches can not. A common tactic that spammers use is to send out links containing some token representing your email address. This can be as simple as:


but can also be hidden in various ways (by assigning some pseudo-random identifier to each email, and including a hex/base64/... string or even a series of words representing it).

The idea is that the spammer is able to learn who clicks the links in their emails, meaning that

  • this address actually exists and is accessed by a human* and
  • the person is more likely susceptible to spam, because they actually clicked the link

This is of course more an annoyance than a direct threat: You will simply get more spam mail. Although theoretically they might also be able to learn about things like the browser and OS used (from your browser's User-Agent) and use that to send more specific phishing mails in the future.

Also, this personalization might make the link itself more "dangerous". Imagine you open a link, forget about it, and later return to the tab. That tab now shows a Google login page. You might be less suspicious if this login page already shows your correct email address entered. This doesn't just apply to the email address itself: Maybe the spammer (automatically) guessed your name or your company from the email, or found further information about you in a data leak, or maybe they sent mails linking to a fake corporate login page only to people from your company in the first place. The more information about you someone has, the more likely it is that he can make you enter a password or download some malware.

*By the way, this can also occur when the mail client is configured to automatically download and show images embedded in the email: This can immediately tell a spammer that the email was opened, even before any link is clicked.
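As an added example (not code from the answer above), a small check that a mail gateway or a curious user could run on a message body to spot links embedding the recipient's own address, in the plain, hex and base64 forms the answer describes; the hashed forms and the sample mail body are assumptions constructed for the example.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit, unquote

# Constructed sample (not from the original post): four links, three of which
# embed the recipient address in a different encoding, one is a normal link.
RECIPIENT = "adamshakhabov5@example.com"
SAMPLE_BODY = """\
Your invoice is ready: http://tracker.example.net/open?u=adamshakhabov5@example.com
Details: https://news.example.org/article/42
Track: https://tracker.example.net/t/6164616d7368616b6861626f7635406578616d706c652e636f6d
Unsubscribe: https://tracker.example.net/YWRhbXNoYWtoYWJvdjVAZXhhbXBsZS5jb20/x
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def token_forms(address: str) -> dict:
    """Encodings a tracker might use for the recipient address.

    Plain text, hex and base64 are the forms named in the answer; the md5/sha1
    digests are an assumed extra, since hashed identifiers are also common.
    """
    raw = address.lower().encode()
    return {
        "plain": address.lower(),
        "hex": raw.hex(),
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "base64url": base64.urlsafe_b64encode(raw).decode().rstrip("="),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
    }


def find_tracking_links(body: str, recipient: str) -> list:
    """Return (url, encoding) for each link whose path or query embeds the recipient."""
    forms = token_forms(recipient)
    hits = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        haystack = unquote(parts.path + "?" + parts.query)  # decode %40 etc.
        for name, token in forms.items():
            # base64 is case-sensitive; the other forms are compared case-insensitively
            found = token in haystack if name.startswith("base64") else token in haystack.lower()
            if found:
                hits.append((url, name))
                break  # one label per link is enough
    return hits


if __name__ == "__main__":
    for url, enc in find_tracking_links(SAMPLE_BODY, RECIPIENT):
        print(f"{enc:9} {url}")
```

A link that is flagged tells the reader that merely clicking it confirms the address to the sender, exactly the effect the answer describes.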

You asked:

Why is a link in an email more dangerous than a link from a web search?

Respectfully, I think you asked the wrong question. I think a better question would be

Why does cyber security training focus on email links rather than for example links from a web search?

Because, according to Verizon, who does extensive analysis of breach incidents in their annual 2020 Data Breach Investigations Report:

90% of malware comes from emails (Verizon).

(citing a different page since the Verizon report is paywalled)

There certainly are attacks that start by clicking links in search engines. I helped clean up one incident where someone googled for the customer support number for their laptop manufacturer; the top sponsored link (ad) was actually a malware company that guided her to download and run their malware as part of the "tech support call".

I think search engine links can be just as dangerous as email links; it is just a lot less common for a breach to start with a search engine link.

Mike Ounsworth
Search engine finds are not completely harmless, however!

We once had to fight a virus downloaded from a top-ranking search result for a somewhat specific but legitimate topic. The user did not notice (or even could have noticed) that their German search result was on an otherwise English-speaking website hosted in Indonesia. I found out only because I noticed a non-https http request to a wordpress page with unusual in the proxy logs around the time of the suspected infection. At that moment, the page was already offline, but searching for all search results with that site revealed lots of somewhat similar finds (but all unrelated to the site's natural topic) highly ranked by the search engine.

Apparently, they managed to hack a wordpress site, spam search terms, get high rank for these, and then switch to malicious content ...

Hagen von Eitzen
There are some inherent limitations in email which make it particularly difficult to determine authenticity of any communication, and as a result it has been really difficult to stamp out or control certain bad behaviour in that medium.

The issue is that if you have an email account, you are implicitly allowing anyone in the world to send email to you, rather than only people or companies you know and trust. And, when email arrives that appears to be from a person or organization you know, there is a lack of reliable ability to know for sure if the email really did come from that organization or if it's a complete fake, and part of a scam.

Over the years there have been a number of extensions to email that attempt to solve this problem, but all with flaws. Unlike with the web, efforts to secure DNS do not help email, as email is not tied to a hostname in a way that the user can easily see and verify. The best yet solution to the problem is DMARC, which allows verifying that the sender was authorized to use the hostname part of the from address. But, the slow adoption of this standard hinders its overall reliability, and usability-wise it comes nowhere close to the simplicity and effectiveness of the "padlock icon" in the location bar of a web browser.

All of this sums up to the fact that you should think twice about trusting anything in an email that arrives unsolicited (as tends to be the case for email). In particular, links give an untrusted party a lot of leeway to trick you in novel ways, either by taking you to fake (phishing) sites or to real sites, to trick you into taking certain actions that may benefit the scammer. It just lets you go further into the world of the scammer.

To compare this with arriving at a website via a search engine: the way you got to the search engine in the first place probably ensured you were at the genuine search engine's site, either by building the search engine into the browser or using a known bookmark or even a known web address of the search engine. Major search engines go to great lengths to try and prevent phishing sites making it into results as do major web browsers, but on the off chance someone does manage to trick the search engine and you end up on a non-trustworthy site that isn't picked up by your web browser, users are arguably more familiar with the usual ways of knowing if a website is genuine: the padlock and the address "looking right", and so on. It's not out of the question that this fails, but the nature of it is very different to email, where the scammer directly contacts you and you don't go through those other steps.
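As an added example (not code from the answer above), a simplified DMARC evaluation showing what "the sender was authorized to use the hostname part of the from address" means in practice: the From: domain must align with a domain that passed SPF or DKIM, under the record's alignment mode. The record, domains and the two-label organizational-domain rule are assumptions made for the example (real receivers consult the Public Suffix List).

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")      # policy: none / quarantine / reject
    tags.setdefault("adkim", "r")     # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment:  r(elaxed) or s(trict)
    return tags


def org_domain(domain: str) -> str:
    # Assumption for this example: organizational domain = last two labels.
    # Real implementations use the Public Suffix List (e.g. for co.uk).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode only the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, record, spf_pass_domain=None, dkim_pass_domains=()):
    """Return (result, disposition).

    spf_pass_domain:   the MAIL FROM domain if SPF passed, else None.
    dkim_pass_domains: d= domains of DKIM signatures that verified.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = any(aligned(from_domain, d, tags["adkim"]) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


if __name__ == "__main__":
    # Constructed scenario: a spoofed mail from an attacker's server with its own
    # valid SPF and DKIM for evil.example still fails, because nothing aligns
    # with the bank.example From: domain, and p=reject tells the receiver to drop it.
    record = "v=DMARC1; p=reject; adkim=s; aspf=r"
    print(dmarc_evaluate("bank.example", record,
                         spf_pass_domain="mailer.evil.example",
                         dkim_pass_domains=["evil.example"]))
```

The check only helps when the From: domain publishes a record and the receiver enforces it, which is the adoption problem the answer points out.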

I disagree with the concept present in other answers that search engines provide "curated" data that would be "safe". I however concede they have a point in that web search links:

  • Are ranked, and the user will barely pass the first few results. Reputation of top results (accrued through time) is probably orders of magnitude bigger than most phishing pages (which are shortly lived).
  • I expect <phishing inbox mails> / <total mail> will be higher than <phishing results> / <total indexed results> for most searches. (Proper) web result sorting will make it much harder for it to be clicked (a wrong sorting that put the phishing on the top would be really harmful, though), whereas the likelihood of reaching the malicious link (prior to opening/filling the phishing form) will probably be equiprobable to the proportion of email in the INBOX/Spam folder (depending where it ends up) that the user reads. Up to 100% of being found by the user.
  • Search engines can dynamically remove search results. If they had a result for the user query that would have been shown, but it is now on a blacklist [they pay attention to], or simply they received enough user feedback to reconsider it, they can skip it on future searches of that term. While email providers do sometimes move to spam folder emails that had already been delivered into the inbox, if they were not seen by the user (and some companies even completely remove already received phishing mails from user mailboxes) generally, once delivered, the mail stays there, with the classification it got at time of reception.

However, I don't think those would be as important as the context in which they are framed.

First of all, I'm not completely sold that an email link is more dangerous than a web search one. This would probably be interesting for a study. Ultimately, the one that ends up affecting you is the one that was most dangerous for you (this time). You need to keep an eye on all fronts.

Why do I talk about the contexts of links coming from emails vs web searches? Typical fraudulent emails have lures such as:

  • New invoice
  • Your mailbox is full
  • Protected email
  • Hello adamshakhabov5
  • Bank account blocked

Phishing links flourish here, since receiving an email link from which you need to authenticate is a normal action. You need to enter your credentials to access your mail, your bank could send you notices by email (at least it would be conceivable that it did), and even the weird phishing pages where you need to log in with any email account to "download" the document have a fraction of plausibility (if you ignore their many telltale signs). On the other hand, when were you last asked to provide your credentials (legitimately or not) as a result of a web search? It should raise much more suspicion.¹ They have no rationale to need your email password.

For malicious web search results or advertisements, you will mostly find things like fraudulent shops selling counterfeit goods. That's a model that fits much better the profile of a web search: the user wants <product> and gets to a web page claiming to sell it with an 80% discount ('surprisingly' they charge a different amount than advertised, the product is different to what was expected, it simply never arrives...).

Maybe it is related to the fact that links in an email may contain a more personal attack malicious to you or your company?

It depends. For instance, some companies would be worried about attacks directed at them but not concerned about other malicious links not affecting them. An employee sharing their credentials to the company could lead to a leak of confidential data, access by an attacker to their systems, etc., but they would not consider it an issue that an employee lost some money by buying a pair of fake shoes (in fact, they probably shouldn't have been buying shoes on company time).

Email would be an obvious point of entry for an attacker that tried to penetrate the company IT security, whereas getting their search engine results to lead to them would be harder, and it may be expected that you would have to be either the search engine or the ISP (not that you couldn't indirectly target specific people, though)

I would be wary of approaches that focused on specific threats and then neglected compromise sources not typically used by actors you are concerned about, though. Nowadays, nobody can be considered safe thinking they will be ignored. They will be compromised first, then sold to someone willing to pay for access to that company, not the other way around (while such focused targeting might still happen in some cases).

¹ Interestingly, this could change if "log in with Facebook/Google" options were much more widespread.

First of all the email links are shared with you, so most probably you will notice them whereas web search links are not shared with you; they are on the web and come to you as a search result. Most likely you won't even notice all of them (when you search something on Google, you don't click each and every website that shows up in results; you click only the site that you want. You will scroll past all the other results.)

You have added "social engineering" as a tag. If you know SET (Social Engineering Toolkit), it is an application that has many attack options and most of them require an email to send.

These are some really big reasons that prove why email links are more dangerous than web search links.

I found a site which you can read for more info

One additional reason, not mentioned in other answers (it seems), is that search engines will not render deceiving attacker-controlled HTML code (they prefer to do the deceiving themselves), therefore the target domain and the rest of the URL can usually not be obfuscated like you can do it in a hand-crafted HTML mail where the link text uses, for example, JavaScript or large username@ hacks to confuse people hovering over the link.

Also if a phishing attack is detected search engines are quicker to blacklist or demote the offending search results, so it is very unlikely the attack persists for long.

But of course, using your own bookmarks or typing in the wanted target is safer than either of the other two ways. (Or at least only clicking on links in expected emails.)

Having said that, most of the time clicking on a dangerous link should not compromise you; real drive-by downloads or browser exploits are rare and should be prevented by software. (Which does not mean you should not avoid them anyway.) What's really critical is signing in or sending sensitive forms to unexpected peers. Here it helps if your password manager actually verifies the input field's origin domain.
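As an added example (not code from the answer above), a check over the anchors of an HTML mail that surfaces the deceptions the answer mentions: a visible hostname that differs from the real destination, a `username@host` URL whose real host comes after the `@`, and `javascript:` links; the HTML sample and the host names in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample mail (not from the original post): three anchors, two deceptive.
SAMPLE_HTML = """
<p>Sign in at <a href="http://login.example.org@198.51.100.7/">https://bank.example</a></p>
<p>Or visit <a href="https://bank.example.evil-host.test/login">bank.example</a></p>
<p>Help: <a href="https://bank.example/help">https://bank.example/help</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None  # [href, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_of(text: str) -> str:
    """Hostname a reader would infer from link text like 'bank.example' or a URL."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def check_links(html: str) -> list:
    """Return (href, text, reasons) for every anchor that looks deceptive."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        reasons = []
        parts = urlsplit(href)
        real_host = (parts.hostname or "").lower()
        if parts.scheme.lower() == "javascript":
            reasons.append("javascript: link")
        if parts.username is not None:  # everything before '@' is ignored by the browser
            reasons.append(f"userinfo@ in URL, real host is {real_host}")
        shown_host = host_of(text) if ("." in text and " " not in text) else ""
        if shown_host and shown_host != real_host:
            reasons.append(f"text shows {shown_host} but link goes to {real_host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings
```

A password manager that fills credentials only on the exact origin it stored makes the same comparison at sign-in time, which is the verification the answer recommends.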

That's a good question and you're on the right track doubting that the search engine result is more secure.

What could make a search engine result secure?

  • Hoping that dangerous links have bad ranking
  • Hoping that search engines use blacklists
  • You are choosing your search terms, the attacker does not know them

What could make an e-mail dangerous?

  • A spam filter (and its blacklists) do not recognize the e-mail / link in the e-mail
  • You may be targeted, as an attacker may explicitly choose your e-mail address
  • You do not have to take action (like searching for something) but get a prompt to do something in your inbox

But what if a bad link has good SEO, is not on a blacklist and the page optimizes for common search terms? Then you have absolutely the same problem.

Try to search for some Windows system file names. You will probably get a lot of "Fix freezes caused by explorer.exe" pages, which want you to download their special anti-virus program. That is malware (or at least deceptive software that wants to make you pay) with good SEO optimized for a certain target group, i.e., people trying to find solutions for Windows problems.

So your search results may be safer when the search engine does good filtering for your usual search terms and your inbox may be safer when your spam filter is very good (or your e-mail address is hard to guess and only known to trusted people).

A general statement "search result links are safe(er)" is not possible.

The primary reason is this, SSL/TLS authenticates the domain name, and you use an encrypted protocol. This means eavesdroppers can't decrypt the message or alter it. So you can trust the domain names most times assuming they are legitimate and not malware sites.

With email, however, it is possible for people to send an email claiming to be from anyone they want. They won't be able to receive further replies from you, as the address they claim will receive them; however, it doesn't matter. They can put any URL in the hypertext link, often leading to a fake site etc.

The key difference is, you trust your browser, it then connects you to the actual domain name you requested, on a secure line. If you trust the actual site, you know that is who it really is. With email, you would actually have to look at the URL, and anyone can spoof an email as from someone else. Nobody as of today can spoof a domain name TCP connection with SSL/TLS enabled. This means a server certificate, which authenticates that the server is who they say they are.

I think the main difference is that a link in an email can be tracked to your actual email address. So the attacker can collect information about your system like "language, OS version, IP address" e.g. and link this information to an email account. This doesn't mean that this information is not retrievable on a normal web link, but the allocation to an email address would be missing. So the attacker is able to create a profile and has the option to send a second email. On normal web links the chance of having an option of recontacting is very low.

Links on a website are located on a remote server, "sandboxed"* inside a web browser.

Links in an email are located on the local machine.

*I say sandboxed here, not to imply they exist in an environment that's 100% isolated from the local machine, but to imply that web browsers generally have some characteristics that create impediments for malware to infect machines, locally.

For instance, most browsers treat any link that downloads a file with some sort of caution. These impediments range from a simple message box warning the user, to outright refusing to download the file at all.

Another characteristic of browsers is that code is usually run on the server side, not the client side. Take Google Sheets or MS Excel on Office.com. When a cell's formula is calculated, that is being done "in the cloud", not locally. When you enter a formula and press enter, the browser updates the SERVER and the server calculates the cell and then displays the result. At no time does the browser use the cores on the local machine to process the calculations.

Obviously, browsers are much more capable of doing things "client side" than they once were. But HTML, PHP, CSS, javascript, SQL...these are basically scripts, they are not true code, such as that can modify a local registry. To infect a local machine from within a browser, a piece of code must usually hijack a benign process. The ability to create an HTTP link that does this requires a decent amount of knowledge about malware and exploits, etc.

On the flip side, a local email client sits inside the local OS environment, which has access to the kernel. Any malware process originating from within the email client is starting out as a local process. The only thing protecting you at this point is whatever security your OS inherently provides (UAC, process isolation, etc) plus any add-on security app that may be running in the background.

