Why is a link in an email more dangerous than a link from a web search?

The results of a search engine are based on previously collected data, i.e. the engine does not start scanning the whole internet when doing a search but looks through an index of seen and stored sites. The results are also ordered, i.e. the sites which fit the query best and which also have the highest reputation for good answers in general are at the top. Thus, as long as fairly common search terms are used, the top hits come from sites with a high reputation.

There are attempts to pollute search engines by returning different results to the search engine's web bot than to the normal user. This is not new, so search engines partially try to detect such pollution by simulating normal users. They also include historic reputation information, i.e. sites which behaved shadily in the past are considered shady for some time in the future too. New sites also have less reputation than established sites, etc.

All this together makes search engine results fairly well (but not perfectly) curated data. Links in mails are the opposite of this: no up-front checks or curation are done on these links, and it is all up to the end user (or some security software in the path) to decide whether this link is safe or not. That's why these links are far more dangerous.

Let me use an analogy:

It's for the same reason we tell our children not to take sweets from strangers, but at the same time we allow them to buy some in the supermarket with their pocket money.

Or, more technically: the difference is that in the first case you receive something you did (likely) not ask for; in the second case you yourself look for something you need.

Or, in the form of advice: never accept something given to you without having asked for it.

One reason might be that links in emails can be "personalized", while links in web searches cannot. A common tactic that spammers use is to send out links containing some token representing your email address. This can be as simple as:

http://totallylegit.domain/[email protected]

but can also be hidden in various ways (by assigning some pseudo-random identifier to each email, and including a hex/base64/... string or even a series of words representing it).

The idea is that the spammer is able to learn who clicks the links in their emails, meaning that

  • this address actually exists and is accessed by a human* and
  • the person is more likely susceptible to spam, because they actually clicked the link

This is of course more an annoyance than a direct threat: you will simply get more spam mail. Although theoretically they might also be able to learn about things like the browser and OS used (from your browser's User-Agent) and use that to send more specific phishing mails in the future.

Also, this personalization might make the link itself more "dangerous". Imagine you open a link, forget about it, and later return to the tab. That tab now shows a Google login page. You might be less suspicious if this login page already shows your correct email address entered. This doesn't just apply to the email address itself: maybe the spammer (automatically) guessed your name or your company from the email, or found further information about you in a data leak, or maybe they sent mails linking to a fake corporate login page only to people from your company in the first place. The more information about you someone has, the more likely it is that he can make you enter a password or download some malware.

*By the way, this can also occur when the mail client is configured to automatically download and show images embedded in the email: This can immediately tell a spammer that the email was opened, even before any link is clicked.
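As an added illustration of the check a mail gateway or a cautious recipient can run on such a link (example code, not part of the answer above): the function below looks for the recipient's address in a URL in the plain, hex, base64 and common hash forms described in the answer, and separately flags long opaque path or query tokens that look like the pseudo-random per-recipient identifiers it mentions. The domain `totallylegit.domain` is taken from the answer; the recipient `you@example.com` and the token-length heuristic are assumptions.

```python
import base64
import hashlib
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Heuristic (assumption): a path segment or query value of 16+ URL-safe characters
# that mixes letters and digits looks like an opaque per-recipient identifier.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")

def recipient_encodings(address: str) -> dict:
    """Forms in which a recipient address is commonly embedded in a tracking link."""
    raw = address.strip().lower().encode()
    return {
        "plain": raw.decode(),
        "hex": raw.hex(),
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "base64url": base64.urlsafe_b64encode(raw).decode().rstrip("="),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

def personalization_markers(url: str, address: str) -> list:
    """Names of the encodings of `address` found in the URL's path, query or fragment."""
    parts = urlsplit(url)
    haystack = unquote(parts.path + "?" + parts.query + "#" + parts.fragment)
    return [name for name, needle in recipient_encodings(address).items()
            if needle in haystack or needle.lower() in haystack.lower()]

def opaque_tokens(url: str) -> list:
    """Path segments and query values that look like opaque per-recipient identifiers."""
    parts = urlsplit(url)
    candidates = parts.path.split("/")
    candidates += [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    return [c for c in candidates if _TOKEN_RE.match(c)
            and re.search(r"[A-Za-z]", c) and re.search(r"[0-9]", c)]

def assess_link(url: str, address: str) -> dict:
    """Summarise why a link mailed to `address` may be tracking who clicks it."""
    markers = personalization_markers(url, address)
    tokens = opaque_tokens(url)
    return {"markers": markers, "opaque_tokens": tokens,
            "likely_tracking": bool(markers or tokens)}

if __name__ == "__main__":  # constructed sample link and recipient, not real ones
    print(assess_link("http://totallylegit.domain/open?u=796f75406578616d706c652e636f6d",
                      "you@example.com"))
```

A link that carries none of these markers is not thereby safe; the check only tells you whether clicking it would confirm your address to the sender.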