Helping people with computers... one answer at a time.
When it comes to links on web pages and HTML mail, what you see is not always where you go. Hovering over a link is one way to look before you leap.
Could you please describe, or rather, take us through the process of "hovering over" a URL or link in such a way that supposedly 'reveals' its true source or identity. I have tried it but nothing happens ... the URLs' clothing invariably remains implacably and firmly in place, covering the naked body lurking beneath.
There are several ways to look at a link, both in email and on web pages, before you click on it to make sure it is what it claims to be.
There are several ways to hide where links go as well. But the good news is that the most common approaches are the simplest to detect.
So let's go about disrobing those cloaked links.
First a little refresher on what a link really is. There are two parts: the part you see, and the part you don't. For example, if I give you this link:
The part you see is "Ask Leo!". The part you don't see is the URL that link takes you to: "http://ask-leo.com". To get just a little geeky for a moment, that link is actually encoded in HTML like so:
<a href="http://ask-leo.com">Ask Leo!</a>
There you can see exactly how both parts, seen and unseen, are encoded.
Now take a look at this example:
That looks like a link to eBay, doesn't it? Here's how it's really encoded:
The part you see is "www.ebay.com", but the part you don't see is something else entirely ... it's "http://buyleoalatte.com". So when you click on that example link that looks like it'll take you to eBay, it will instead take you to buyleoalatte.com.
It's a fundamental component of phishing: making it look like you're going one place when instead you're taken somewhere else entirely.
Hovering your mouse pointer over a questionable link is one way to determine its validity.
Move the mouse pointer over the link, but don't click. In Internet Explorer you should see something like this:
Internet Explorer, and Firefox for that matter, will show you the target of the link in the status bar at the bottom of its window. In this case you can see that my mouse pointer is hovering over the link that says "www.ebay.com", but IE is showing you the URL that you'll really be taken to: http://buyleoalatte.com.
This isn't just about web pages and web browsers either. Email can of course be formatted using HTML, and that's where a lot of these scams happen. Fortunately most email programs behave exactly like the web browsers do: if you hove the mouse over a suspect link somewhere it'll display the true destination of the link, most likely in the status line at the bottom of the email program's window.
Another excellent approach to validating a suspicious link is to use copy/paste.
Here's that same fragment which I forwarded to myself as an HTML email, viewed in Outlook Express:
Here I've right-clicked on the link. One of the options is Copy Shortcut. In other programs, including browsers, that might instead be Copy Link Location or something similar. The important point is that this copies the destination - the part you don't see - to the clipboard.
Then you can right click on the address bar in your browser:
And then click on Paste to paste in whatever was copied:
Here you can see what was pasted was the true destination, the part you normally don't see. At this point it's fairly obvious that this link wasn't going to take you to eBay at all, but some other site.
After pasting, if it's a link you want to go to, just press Enter. If not, press ESC and it'll be erased from the address bar.
You can paste that URL wherever you like, by the way. Pasting it into notepad is one common option so that you can see exactly what the destination truly is without risking accidentally going there in the browser.
Are all mismatches bad?
Most assuredly not.
All this is to get you information from which you can make a decision, but it actually doesn't mean that every time things don't match it's a scam or something nefarious.
Here's one example of my own:
That looks like a link to the Amazon Kindle, and in fact if you click on it that's exactly where you'll land: the Kindle product page on Amazon.com. However if you hover over that link as we've discussed here, it actually goes to "http://ask-leo.com/d-kindle". So what's the deal?
If you've ever used a service like tinyurl.com or snipurl.com to make an excessively long URL into something shorter than you can email, this is the same idea. I have my own private equivalent of a snipurl. In all these cases there's a database that maps a short URL or token to the original longer one. When you go to the shorter URL, the service automatically and transparently redirects you to the longer destination URL.
So in my case, these two are identical:
Hover over each and you'll see that they're quite different, but click through and you'll see you end up at the same place.
I point all this out because it's extremely common to do this, particularly in newsletters and other legitimate marketing mails. Links are often routed through third party services, not just for shortening, but also for tracking. For example, I can tell you that as I'm writing this yesterday 6 people clicked on my Kindle link elsewhere on Ask Leo!. That tells me how popular the link is. Similarly I can tell you that over 1,000 people clicked on my links to TweakUI in the last week.
So how can you tell what's legitimate?
It's not always easy, but certainly the majority of the time it actually is. I'd be suspect of things like:
Obvious misdirection - if the "part you see" looks like a URL or domain name like "www.ebay.com", then the destination, the "part you don't see", should match.
Links to IP addresses - if the destination is an IP address, something that has only numbers like this: http://18.104.22.168, then don't trust it. Legitimate sites will always have actual textual domain names.
Links to foreign domains - with all due respect to the legitimate businesses in those countries, destination links to domains that end in ".ru", ".cn", (Russia and China, respectively) and so forth should be suspect. Certainly if you don't expect to be taken to a web site in a foreign country, then this should raise a red flag.
There are others, but those are by far the most common.
And again, any one of those doesn't mean that the link is a scam, it just means that it fits the characteristics of links that are. It means that you should pay a little more attention before clicking through.
Comments on this entry are closed.
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.