
How to Hover Over a Link to Check its Validity

Could you please describe or take us through the process of “hovering over” a URL or link in such a way that supposedly ‘reveals’ its true source or identity. I have tried it but nothing happens … the URL’s clothing invariably remains implacably and firmly in place, covering the naked body lurking beneath.

There are several ways to look at a link (both in email and on webpages) before you click on it to make sure it is what it claims to be.

There are several ways to hide where links go as well. But the good news is, the most common approaches are the simplest to detect.

So let’s go about disrobing those cloaked links.

The anatomy of a link

First, a little refresher on what a link really is. There are two parts: the part you see, and the part you don’t. For example, if I give you this link:

Ask Leo!

The part you see is “Ask Leo!”. The part you don’t see is the URL that link takes you to, called the target: “https://askleo.com”. To get just a little geeky for a moment, that link is actually encoded in HTML like this:

<a href="https://askleo.com">Ask Leo!</a>

In HTML, you can see exactly how both parts, seen and unseen, are encoded.

Now take a look at this example:

www.ebay.com

That looks like a link to eBay, doesn’t it? Here’s how it’s really encoded:

<a href="http://buyleoalatte.com">www.ebay.com</a>

The part you see is “www.ebay.com”, but the target you don’t see is something else entirely … it’s “http://buyleoalatte.com”. So when you click on that example link that looks like it’ll take you to eBay, it will instead take you to buyleoalatte.com.

This is a fundamental component of phishing: making it look like you’re going one place when you’re actually taken somewhere else entirely. Usually (though not in our example) that’s done with malicious intent, sending you to a site that looks just like the one you expect, except that it’s not.

Hovering

Hovering your mouse pointer over a questionable link is one way to determine its validity. All that means is you move the mouse pointer over the link, but don’t click.

Using the example above:

An example of hovering a mouse pointer.

Using Google Chrome, I’ve moved the mouse pointer over the “www.ebay.com” link, at which point Chrome changes the mouse pointer to a pointing finger. The target is displayed in the lower left of Chrome’s window.

Most browsers show you the target of the link somewhere near the bottom of the window.

In this case, you can see that my mouse pointer is hovering over the link that says “www.ebay.com”, but Chrome is showing you the URL you’ll really be taken to: buyleoalatte.com.

This isn’t just about webpages and web browsers. Email often contains links, and that’s where a lot of these scams happen.

If you view your email in a web browser — say by visiting outlook.com or gmail.com — everything I’ve described above should work for the links displayed in messages. If you’re using an email program, like Thunderbird, Microsoft Office’s Outlook, or others, most behave just like web browsers: if you hover the mouse over a suspect link, somewhere it’ll display the true destination of the link — most likely in the status line at the bottom of the email program’s window.

Copy/Paste

Another excellent approach to validating a suspicious link is to use copy/paste.

Rather than just hovering over it, right-click on the link you’re uncertain of.

Copying the target link address.

In the resulting pop-up menu, click on “Copy link address”, or the equivalent in your browser or email program. This copies the target — the part you don’t see — to the clipboard.

Now, right-click on the address bar in your browser.

Right-click on the address bar.

Click Paste (not “Paste and go”, if that’s available) to paste in whatever was copied.

Target URL pasted into the address bar.

You can now see what was pasted. This is the true target or destination: the part you normally don’t see, and the site you would have been taken to had you blindly clicked the link.

In this example, it’s fairly obvious this link wasn’t going to take you to eBay at all, but to some other site.

After pasting, if it’s a link you want to go to, just press Enter. If not, press ESC and it’ll be erased from the address bar.

You can, if you prefer, paste that URL wherever you like. Pasting it into Notepad is one common option, so that you can see exactly what the destination truly is without risking accidentally going there in the browser.

Dealing with mismatches

All this is to get you information from which you can make a decision. It doesn’t mean that every time things don’t match it’s a scam or something nefarious.

Here’s one example of my own:

Amazon Kindle

That looks like a link to the Amazon Kindle, and if you click on it, that’s exactly where you’ll land: the Kindle product page on Amazon.com.

However, if you hover over that link using the techniques we’ve discussed here, you’ll see it actually goes to “https://go.askleo.com/kindle”.

So what’s the deal?

If you’ve ever used a service like tinyurl.com or bit.ly to make an excessively long URL into something shorter, this is the same idea. I have my own private equivalent of a bit.ly. In these cases, there’s a database that maps a short URL or token (like “kindle” in my case) to the original longer URL.

When you go to the shorter URL, the service automatically and transparently redirects you to the longer destination URL.

So in this case, these two are identical:

Amazon Kindle
Amazon Kindle

Hover over each and you’ll see that they’re quite different, but click through and you’ll end up at the same place.

I point all this out because it’s extremely common to do this, particularly in newsletters and other legitimate marketing mails. Links are often routed through third-party services, not just for shortening. Additional uses include:

  • Counting clicks. For example, I can tell that in the last 30 days that “kindle” link has been clicked on five times. This lets me know how popular it is.
  • Adding information such as affiliate codes. The links above include my Amazon affiliate code, which tells Amazon where the link came from. Should you purchase a Kindle, I’ll get a small reward. (More about this in my affiliate disclosure.)
  • Tracking clicks. More than just counting, information can be used to track which links were clicked on by whom. This is most common in the email newsletter business, where redirection links — such as the ubiquitous clicks.aweber.com provided by my email service — can determine which recipients clicked on which link, or who opened a newsletter.

What’s legitimate?

It’s not always easy to tell what is or is not a legitimate link or an attempt to fool you. I’d claim, though, that the majority of the time it’s not hard.

Suspicious signs include:

  • Obvious misdirection. If the “part you see” looks like a URL or domain name like “www.ebay.com”, then the destination, the “part you don’t see”, should probably match.
  • Links to IP addresses. If the destination is an IP address (something that has only numbers like this: http://67.227.211.203), don’t trust it. Legitimate sites always have names in text.
  • Links to foreign domains. With all due respect to the legitimate businesses in those countries, destination links to domains that end in “.ru”, “.cn” (Russia and China, respectively), and others should be suspect. Certainly if you don’t expect to be taken to a website in a foreign country, this should raise a red flag.

There are others, but those are the most common.

And again, any one of those doesn’t mean the link is a scam; it just means that it fits the characteristics of links that are. It means you should pay a little more attention before clicking through.

4 comments on “How to Hover Over a Link to Check its Validity”

  1. Just remember, the information displayed in the status bar when hovering can be replaced with JavaScript. For example, it’s possible to have “www.ebay.com” appear in the status bar while hovering, yet still go to the phisher’s site.

    Using the right-click and “copy shortcut”, “copy link location”, or whatever your browser calls it, is more accurate.

  2. Absolutely.

    The good news is that it’s rarely used, and if in email many email clients don’t run the JavaScript, rendering that technique useless.

    But you’re quite right, it can be done.

    Leo

  3. Another red flag is when the “part you don’t see” ends with an executable file such as “card.exe”. This is the case with a Hallmark e-card phishing email that’s been appearing in my inbox for several months. Basically, never click on a URL that ends in “.exe”.
