There are several ways to look at a link (both in email and on webpages) before you click on it to make sure it is what it claims to be.
There are several ways to hide where links go as well. But the good news is, the most common approaches are the simplest to detect.
So let’s go about disrobing those cloaked links.
Become a Patron of Ask Leo! and go ad-free!
The anatomy of a link
First, a little refresher on what a link really is. There are two parts: the part you see, and the part you don’t. For example, if I give you this link:
The part you see is “Ask Leo!“. The part you don’t see is the URL that link takes you to, called the target: “https://askleo.com“. To get just a little geeky for a moment, that link is actually encoded in HTML like this:
<a href="https://askleo.com">Ask Leo!</a>
In HTML, you can see exactly how both parts, seen and unseen, are encoded.
Now take a look at this example:
That looks like a link to eBay, doesn’t it? Here’s how it’s really encoded:
The part you see is “www.ebay.com“, but the target you don’t see is something else entirely … it’s “http://buyleoalatte.com“. So when you click on that example link that looks like it’ll take you to eBay, it will instead take you to buyleoalatte.com.
This is a fundamental component of phishing: making it look like you’re going one place when instead you’re taken somewhere else entirely: usually (though not with our example) with malicious intent, to a site that looks just like the one we expect, except that it’s not.
Hovering your mouse pointer over a questionable link is one way to determine its validity. All that means is you move the mouse pointer over the link, but don’t click.
Using the example above:
Using Google Chrome, I’ve moved the mouse pointer over the “www.ebay.com” link, at which point Chrome changes the mouse pointer to a pointing finger. The target is displayed in the lower left of Chrome’s window.
Most browsers show you the target of the link somewhere near the bottom of the window.
In this case, you can see that my mouse pointer is hovering over the link that says “www.ebay.com”, but Chrome is showing you the URL you’ll really be taken to: buyleoalatte.com.
This isn’t just about webpages and web browsers. Email often contains links, and that’s where a lot of these scams happen.
If you view your email in a web browser — say by visiting outlook.com or gmail.com — everything I’ve described above should work for the links displayed in messages. If you’re using an email program, like Thunderbird, Microsoft Office’s Outlook, or others, most behave just like web browsers: if you hover the mouse over a suspect link, somewhere it’ll display the true destination of the link — most likely in the status line at the bottom of the email program’s window.
Another excellent approach to validating a suspicious link is to use copy/paste.
Rather than just hovering over it, right click on the link you’re uncertain of.
Now, right-click on the address bar in your browser.
Click Paste (not “Paste and go”, if that’s available) to paste in whatever was copied.
You can now see what was pasted. This is the true target or destination: the part you normally don’t see, and the site you would have been taken to had you blindly clicked the link.
In this example, it’s fairly obvious this link wasn’t going to take you to eBay at all, but to some other site.
After pasting, if it’s a link you want to go to, just press Enter. If not, press ESC and it’ll be erased from the address bar.
You can, if you prefer, paste that URL wherever you like. Pasting it into Notepad is one common option, so that you can see exactly what the destination truly is without risking accidentally going there in the browser.
Dealing with mismatches
All this is to get you information from which you can make a decision. It doesn’t mean that every time things don’t match it’s a scam or something nefarious.
Here’s one example of my own:
That looks like a link to the Amazon Kindle, and if you click on it, that’s exactly where you’ll land: the Kindle product page on Amazon.com.
However, if you hover over that link using the techniques we’ve discussed here, you’ll see it actually goes to “https://go.askleo.com/kindle“.
So what’s the deal?
If you’ve ever used a service like tinyurl.com or bit.ly to make an excessively long URL into something shorter, this is the same idea. I have my own private equivalent of a bit.ly. In these cases, there’s a database that maps a short URL or token (like “kindle” in my case) to the original longer URL.
When you go to the shorter URL, the service automatically and transparently redirects you to the longer destination URL.
So in this case, these two are identical:
Hover over each and you’ll see that they’re quite different, but click through and you’ll end up at the same place.
I point all this out because it’s extremely common to do this, particularly in newsletters and other legitimate marketing mails. Links are often routed through third-party services, not just for shortening. Additional uses include:
- Counting clicks. For example, I can tell that in the last 30 days that “kindle” link has been clicked on five times. This lets me know how popular it is.
- Adding information such as affiliate codes. The links above include my Amazon affiliate code, which tells Amazon where the link came from. Should you purchase a Kindle, I’ll get a small reward. (More about this in my affiliate disclosure.)
- Tracking clicks. More than just counting, information can be used to track which links were clicked on by whom. This is most common in the email newsletter business, where redirection links — such as the ubiquitous clicks.aweber.com provided by my email service — can determine which recipients clicked on which link, or who opened a newsletter.
It’s not always easy to tell what is or is not a legitimate link or an attempt to fool you. I’d claim, though, that majority of the time it’s not hard.
Suspicious signs include:
- Obvious misdirection. If the “part you see” looks like a URL or domain name like “www.ebay.com”, then the destination, the “part you don’t see”, should probably match.
- Links to IP addresses. If the destination is an IP address (something that has only numbers like this: http://18.104.22.168), don’t trust it. Legitimate sites always have names in text.
- Links to foreign domains. With all due respect to the legitimate businesses in those countries, destination links to domains that end in “.ru”, “.cn” (Russia and China, respectively), and others should be suspect. Certainly if you don’t expect to be taken to a website in a foreign country, this should raise a red flag.
There are others, but those are the most common.
And again, any one of those doesn’t mean the link is a scam, it just means that it fits the characteristics of links that are. It means you should pay a little more attention before clicking through.
If you found this article helpful, I'm sure you'll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I'll see you there soon,