Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How to Hover Over a Link to Check It’s Not a Scam

Scammers try to fool you.

When it comes to links on webpages and HTML email, what you see is not always where you go. Hovering over a link is an important technique to look before you leap.
Hovering over a link.
Hovering over a link. (Screenshot: askleo.com)
Question: Could you please describe or take us through the process of “hovering over” a URL or link in such a way that supposedly ‘reveals’ its true source or identity. I have tried it but nothing happens… the URL’s clothing invariably remains implacably and firmly in place, covering the naked body lurking beneath.

There are several ways to hide where links go. But the good news is, the most common approaches are the simplest to detect. There are several ways to look at a link (both in email and on webpages) before you click on it to make sure it is what it claims to be.

So let’s go about disrobing those cloaked links.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Links can lie

What you see isn’t always where you’ll end up. Hover your mouse pointer over a link to see its true destination (usually shown at the bottom of your browser window). If it looks weird or doesn’t match, don’t click. Copy/paste if you’re unsure. Always look before you click, especially in email.

The anatomy of a link

First, a little refresher on what a link is. There are two parts: the part you see and the part you don’t. For example, if I give you this link:

Ask Leo!

The part you see is “Ask Leo!“. The part you don’t see is the URL the link will take you to, called the target: “https://askleo.com“. To get a little geeky for a moment, that link is encoded in HTML. It looks like this:

<a href="https://askleo.com">Ask Leo!</a>

In HTML, you can see exactly how both parts, seen and unseen, are encoded.

Now take a look at this example:

www.ebay.com

That looks like a link to eBay, doesn’t it? Here’s how it’s really encoded:

<a href="http://buyleoalatte.com">www.ebay.com</a>

The part you see is “www.ebay.com“, but the target you don’t see is something else entirely: “http://buyleoalatte.com“. When you click on it, it looks like it’ll take you to eBay, but it will instead take you to buyleoalatte.com.

This is a basic component of phishing: making it look like you’re going to one place when instead you’re taken somewhere else entirely. Usually (though not with our example) it’s with malicious intent, taking you to a site that looks just like the one you expect but is not.

Hovering

Hovering your mouse pointer over a questionable link is one way to determine its validity. All that means is you move the mouse pointer over the link but don’t click.

Using the example above:

Hovering over a link.
Hovering over a link. Click for larger image. (Screenshot: askleo.com)

In the Edge browser, I’ve moved the mouse pointer over the “www.ebay.com” link. When I do, Edge changes the mouse pointer to a pointing finger and displays the target link in the lower left of the window.

Most browsers show you the target of the link somewhere near the bottom of the window. Sometimes it appears as a pop-up or tooltip.

You can see that my mouse pointer is hovering over the link that says “www.ebay.com”, but Edge is showing you the URL you’ll really be taken to: buyleoalatte.com.

This isn’t just about webpages and web browsers. Email often contains links, and that’s where a lot of scams happen.

If you view your email in a web browser — say by visiting outlook.com or gmail.com — everything I’ve described above should work for the links displayed in messages. If you’re using an email program like Thunderbird, Microsoft Office’s Outlook, or others, most behave just like web browsers: if you hover the mouse over a link, somewhere it’ll display the true destination of the link — most likely in the status line at the bottom of the email program’s window.

Copy/Paste

Another excellent approach to validating a suspicious link is to use copy/paste.

Rather than just hovering over it, right-click on the link you’re uncertain of.

Copying the destination link to the clipboard.
Copying the destination link to the clipboard. Click for larger image. (Screenshot: askleo.com)

In the resulting pop-up menu, click on “Copy link” (or its equivalent) in your browser or email program. This copies the target — the part you don’t see — to the clipboard.

Now, right-click on the address bar in your browser.

Pasting a link in to the address bar.
Pasting a link into the address bar. Click for larger image. (Screenshot: askleo.com)

Click Paste (not “Paste and go”, if that’s available) to paste whatever was copied. Don’t hit the Enter key, which will take you to the webpage; just read the target link.

Link pasted into an address bar.
Link pasted into an address bar. Click for larger image. (Screenshot: askleo.com)

You can now see what was pasted. This is the true target or destination: the part you normally don’t see and the site you would have been taken to had you blindly clicked the original link. In this example, it’s fairly obvious this link wasn’t going to take you to eBay at all, but to some other site.

  • If it’s a link you want to go to, press Enter and you’ll go there.
  • If not, press ESC and it’ll be erased from the address bar.

You can, if you prefer, paste that URL wherever you like. Pasting it into Notepad is one option. That way, you can see exactly what the destination is without risking accidentally going there in the browser.

Dealing with mismatches

All this is to get you information from which you can make a decision. It doesn’t mean that every time things don’t match it’s a scam or something nefarious.

Here’s one example of my own:

Amazon Kindle

That looks like a link to the Amazon Kindle, and if you click on it, that’s exactly where you’ll land: the Kindle product page on Amazon.com.

However, if you hover over that link using the techniques we’ve discussed here, you’ll see it actually goes to “https://go.askleo.com/kindle“.

So what’s the deal?

If you’ve ever used a service like tinyurl.com or bit.ly to make an excessively long URL into something shorter, this is the same idea. I have a private equivalent of a bit.ly. In these cases, there’s a database that maps a short URL or token (like “kindle”, in my case) to the original, longer URL.

When you click on the shorter URL, the service automatically and transparently redirects you to the longer destination URL.

So in this case, these two are identical:

Amazon Kindle
Amazon Kindle

Hover over each and you’ll see that they’re quite different, but click through and you’ll end up at the same place.

I point all this out because it’s extremely common, particularly in newsletters and other legitimate marketing emails. Links are often routed through third-party services, not just for shortening. Additional uses include:

  • Counting clicks. For example, I can tell that “kindle” link has been clicked on 12 times in the last seven days. This lets me know how popular it is.
  • Adding information such as affiliate codes. The links above include my Amazon affiliate code, which tells Amazon where the link came from. If you purchase a Kindle, I’ll get a small reward. (More about this in my affiliate disclosure.)
  • Tracking clicks. This information can track who clicked on which links. This is most common in the email newsletter business, where redirection links can determine which recipients clicked on which link or who opened a newsletter.

So how do I know what’s legitimate?

It’s not always easy to tell what is or is not a legitimate link or an attempt to fool you. I’d claim, though, that most of the time, it’s not hard.

Suspicious signs include:

  • Obvious misdirection. If the “part you see” looks like a URL or domain name like “www.ebay.com”, then the destination, the “part you don’t see”, should probably match.
  • Links to IP addresses. If the destination is an IP address (something that has only numbers like this: http://67.227.211.203), don’t trust it. Legitimate sites always have names in text.
  • Links to foreign domains. With all due respect to the legitimate businesses in those countries, destination links to domains that end in “.ru”, “.cn” (Russia and China, respectively), and others should be suspect. Certainly, if you don’t expect to be taken to a website in a foreign country, this should raise a red flag.

There are others, but those are the most common.

And again, any one of those doesn’t mean the link is a scam; it just means that it fits the characteristics of links that are. It means you should pay a little more attention before clicking through.

Do this

Look before you click. Hover over the link, or copy/paste it somewhere so you can confirm it will take you where you expect. Only when you’re certain it’s safe should you click.

Hover over this link: subscribe to Confident Computing, and then click through! My weekly newsletter is all about less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio

Play

13 comments on “How to Hover Over a Link to Check It’s Not a Scam”

    • No, that’s a great question! It … varies. Sometimes long-pressing a link will, instead, show you where it goes. Or offer you a copy option so you can paste it elsewhere before going to it. If there’s still a mouse pointer (as there might be on a touchscreen laptop or tablet) you can often move the pointer over the link without clicking on it as well.

      Reply
  1. O.K., two things:

    (1) On a Kindle (how serendipitous! — I’m using a Year-2016, 6th-Generation Amazon Kindle Fire HD8), the equivalent action to a “hover,” is to “hold” on a link (i.e., place your finger or stylus on the link, don’t move, and wait a few seconds). A “pop-up” menu, similar to this article’s second illustration, should appear, except that above all the available options, in a slightly smaller font, will be the link’s actual target.

    (2) Leo, you used a link of:

    https://www.amazon.com/dp/B07FKR6KXF?tag=askleo-20

    Please be informed that Amazon also has their own link abbreviator! The “short form” for the above link, is:

    amzn.com/B07FKR6KXF

    The only two disadvantages I’m aware of are (a) the target is not “https,” and (b) the target is not “AmazonSmile.”

    But it most surely does take you directly to whatever product the ASIN represents!

    Reply
  2. Is it possible (on a Windows 11 PC) to completely disable the “display URL when hovering over hyperlink” in websites? I am frustrated because the URL is always displayed over the horizontal scroll bar at the bottom of browser window making it difficult to navigate around websites, especially those that contain many ads and popups. For some reason, this has become a problem in both Microsoft Edge and Chrome only in the past couple months.

    Reply
  3. I remember being able to click on a link in Thunderbird (email), and a box would popup saying do you want to go to the (actual) destination or the links apparent destination (the cloaked link which forwards you on to the true destination) – for example it says its going to YouTube but it goes via their email marketing service provider first then redirects to YouTube, so they can scrape the marketing click information. In other words, an option popped up to click on going to the true destination direct rather than via their marketing link.

    I no longer seem to be given that option, possibly because I updated Thunderbird to the latest generation and maybe it was a plugin that I was using but I can’t seem to find one.. When I click on a link it just goes to straight the redirect via the marketing provider.

    Are there tools that perform this same function, easily, that is, as I believe there are websites where you can enter the link and it will tell you the true destination… but that’s a few extra steps.

    Thanks for your help.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.