PHISHING

Hover Before You Click

Links are masks. Hover over every link to see the ACTUAL destination in the bottom corner of your browser.

Hyperlinks Are Not What They Appear

A hyperlink's visible text and its destination are two separate things: it can display one thing and go somewhere else. That's the fundamental design. Attackers exploit this constantly.

<a href="https://evil-phishing-site.com/steal">Click here to verify your PayPal account</a>

The user reads "Click here to verify your PayPal account." The link actually goes to evil-phishing-site.com. They have no way to know without looking at the underlying URL.

This is the foundation of most phishing attacks.

The Hover Technique

Before clicking any link in email, chat, or on a web page:

  1. Move your cursor over the link without clicking
  2. Look at the bottom-left corner of your browser window
  3. The real destination URL appears there

If the URL you see doesn't match where you expect to go, don't click.

On mobile: Long-press a link to preview the URL before opening it.

What to Look For

Legitimate domain: The actual domain (the part just before .com/.org/etc) matches who the link claims to be from.

  • ✅ paypal.com/verify
  • ❌ paypal.verify-account.com (the domain is verify-account.com, not paypal.com)
  • ❌ paypa1.com (the 'l' is a '1')
  • ❌ paypal.com.phishing-site.net (the domain is phishing-site.net)

URL shorteners: bit.ly, tinyurl.com, t.co — these mask the real destination. Use a URL expander (unshorten.it) before clicking.

Unicode look-alike characters: Attackers use characters from other alphabets that look identical to English letters. "аpple.com" with a Cyrillic 'а' looks exactly like "apple.com" to the human eye. Your browser may or may not flag this.
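
The checks above can also be run on a copied link instead of by eye. The following is an added example, not code from this site: it separates a link's visible text from its href and reports why the real host does not match the expected domain. The function names, the "last two labels" domain rule, and the bit.ly sample path are assumptions made for the illustration.

```javascript
// Added example. Sample links are the ones this page lists, plus constructed ones.
// Assumption: the registrable domain is the last two labels; real code would use
// the Public Suffix List, since this rule is wrong for suffixes such as co.uk.
const SHORTENERS = new Set(["bit.ly", "tinyurl.com", "t.co"]);

function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Pull (visible text, href) pairs out of HTML, the two things a link keeps separate.
function extractLinks(html) {
  const re = /<a\s[^>]*href="([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;
  return [...html.matchAll(re)].map((m) => ({ href: m[1], text: m[2].trim() }));
}

// Report why a link's real destination does not match the domain the reader expects.
function inspectLink(href, expectedDomain) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { host: null, domain: null, findings: ["not an absolute URL"] };
  }
  const host = url.hostname; // lowercased; non-ASCII labels come back as xn-- punycode
  const domain = registrableDomain(host);
  const findings = [];
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    findings.push("internationalized host name: possible look-alike characters");
  }
  if (SHORTENERS.has(host)) {
    findings.push("URL shortener: real destination is hidden");
  } else if (domain !== expectedDomain) {
    findings.push(`domain is ${domain}, not ${expectedDomain}`);
  }
  return { host, domain, findings };
}

const sampleHtml =
  '<a href="https://evil-phishing-site.com/steal">Click here to verify your PayPal account</a>';
for (const { href, text } of extractLinks(sampleHtml)) {
  console.log(text, "->", inspectLink(href, "paypal.com"));
}
for (const href of ["https://paypal.com/verify", "https://paypal.verify-account.com/",
  "https://paypa1.com/", "https://paypal.com.phishing-site.net/", "https://bit.ly/example"]) {
  console.log(href, inspectLink(href, "paypal.com").findings);
}
console.log(inspectLink("https://\u0430pple.com/", "apple.com")); // Cyrillic "а"
```

An empty findings list only means the host matches the expected domain; it says nothing about whether the page behind it is safe.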

Advanced Inspection

For suspicious emails, look at the full email headers (see our Return-Path tip). For suspicious links, you can:

  1. Copy the link (right-click → Copy Link Address) and paste it into a text editor to read the raw URL before visiting
  2. Use VirusTotal URL scanner (virustotal.com) to check a URL against 80+ security engines before visiting
  3. Use a sandbox like Any.run or Browserling to open suspicious URLs in an isolated environment

The Mindset Shift

Treat every unsolicited link as potentially dangerous until proven otherwise. This includes:

  • Links in emails you didn't expect
  • Links from "friends" in chat (their account may be compromised)
  • Links posted in Discord, Slack, or forums
  • QR codes in physical spaces (print-over attacks exist)

Hover. Read. Verify. Then click.
