Skip to main content
Link Security Settings

Understand how URLs are checked to ensure they are safe to reduce the risk of teammates clicking malicious links.

Andrea Nagel avatar
Written by Andrea Nagel
Updated this week

Checking conversation links

When you hover over URLs in the Inbox (e.g. inbound or outbound conversations and teammate notes), you will see a tooltip appear that gives a URL preview. This is especially helpful for hyperlinked text and images.

If you click on an untrusted link, you'll see the following warning screen:

To reduce risk around clicking malicious links that may be hidden in conversations in the Inbox, we recommend you always take a moment to check the URL to confirm it is something you would expect to see and it seems safe.

This includes links that have been:

  • Sent by Teammates through any channel

  • Sent by Fin

  • Sent through Bot/Workflows

  • Added to Notes

  • Sent in side Conversations

  • Added to Ticket comments

To read more about how to spot phishing attempts, we recommend reading this short guide from the Center for Internet Security (CIS).

Malicious links

Intercom scans incoming links for malicious content.

If you click a malicious link from the Inbox, you will see a different warning screen appear:

Similar to the untrusted link warning, this screen will allow you to continue to the potentially malicious site by checking the Accept risk box and clicking the Open link button.

Enhanced inbound link scanning

Go to Settings > Workspace > Security and click on Links to update your link security settings. 👇

This granular control ensures you can define your own risk tolerance, significantly enhancing phishing prevention and Inbox security by:

  • Trusting specific domains or URLs to bypass external or malicious link warnings.

  • Blocking domains or URLs, preventing access and displaying a blocked warning screen when attempted.

Links that are trusted won't show any (untrusted, malicious or blocked) warnings.

The following domains are trusted by default:

You can add your own domains by selecting Add policy and entering the domain, then mark it as blocked/trusted and click Save policy.

When adding security policies, be aware that:

  • We don’t automatically validate domains, so any errors (e.g. spelling mistakes) won’t be proactively flagged.

  • We do automatically check to confirm the domain is in the right format.

  • To mark subdomains as trusted, use an asterisk as a placeholder like this: *.example.com

  • You can add "localhost" as a trusted domain.

Managing link warnings

Link warnings are active by default unless you have explicitly chosen to deactivate them.

By configuring your trusted domains, you can reduce how often your teammates see link warnings; only showing them on domains you don’t know and don’t trust. However, you may still wish to deactivate link warnings, e.g. if you have your own security measures in place that reduce the risk of teammates clicking potentially malicious links.

Teammates with permission to manage Security settings can disable these warnings in the Attachments and Links section in Security settings. When you disable link warnings you’ll see your name and the timestamp recorded in the Settings page and activity logs.

Blocked domains

Teammates with the “Can manage general and security settings” permission can also block domains, subdomains or specific URLs from within your Workspace Security settings.

Clicking on a link to a blocked domain/URL will show a “blocked” screen.

This screen does not offer an option to accept the risk and continue, and the block policy must be removed from the Workspace Security settings to re-enable the link.


💡Tip

Need more help? Get support from our Community Forum
Find answers and get help from Intercom Support and Community Experts


Did this answer your question?