Security Tip: Hover Over Links Before You Click

Security tip: hover over links before you click

When you hover over a link in Outlook or a web browser, a small window pops up to show you where the link really goes. If the real link doesn’t match the sender or doesn’t match what you expect, assume it is poisoned and don’t click it.

This is a basic security requirement for using a PC. Don’t click on links to websites unless you know exactly where you are going.

When you see a link in an email message or a web browser, there are two parts:

•   The part you see: the words describing the link (“YouTube”) or the web address (“http://www.youtube.com”)

•   The part you don’t see: the actual URL that the link leads to

Those two things can be different. Your lesson today is that it doesn’t matter what the words say. The only thing that matters is where the link really goes.

It’s one of the ways bad guys get you to bad websites. They create a link that looks safe if you don’t look under the hood.

Let’s look at an example. Today I got a message from Wells Fargo in my mailbox.

Sample Wells Fargo email message with Sign In link

Looks good, right? There’s a link in step 1 to sign in to my Wells Fargo account.

When your mouse pauses on top of a link in Outlook, a small window appears above the link showing you the real destination.

Here’s what it looks like when I hover over the link with my mouse without clicking.

Security - example with legitimate link

Here’s a close-up of the link.

Security - example with legitimate link

The link leads to connect.wellsfargoemail.com. Okay, that looks legitimate. It’s not wellsfargo.com but it looks like a domain name that belongs to Wells Fargo. I clicked and saw the new Wells Fargo portal. (Not very impressive.)

But now let’s look at another copy of the same message that appears to be identical on its face – literally identical. In this copy, hovering over the Sign In link looks like this.

Security - example with link to obvious poisoned website

Here’s a close-up of that link.

Security - example with link to obvious poisoned website

See why you should look before you click? If that was a real phishing message, I would probably be taken to a site run by bad guys that appears to be an exact copy of the Wells Fargo login page. If I put in my credentials, the bad guys would be in my Wells Fargo account within seconds transferring money and stealing my identity.

If you get in the habit of looking at links before you click, you will not fall for messages from bad guys that appear to be legitimate on their face. I created that phony copy of the Wells Fargo message in about two minutes, using the original message and changing the link under the hood. The bad guys work much harder and with more creativity.

A web browser displays the real destination for a link in the lower left when you hover over it. It looks like this in Internet Explorer, Chrome, and Firefox.

Security - hover over links in a web browser

There are a few rules that will help you avoid clicking on links to poisoned websites.

•  When you hover over a link and the real destination is numbers instead of a domain name (e.g. “http://52.26.192.148”), don’t trust it. Every legitimate link will have a domain name instead of just an IP address.

•  If the real destination ends with a code for a foreign country (e.g. .ru for Russia or .cn for China) instead of .com, be suspicious – unless you expect to be going to a website in a foreign country.

•  If it’s obvious that the real destination does not match what you expect, don’t click. Most bad guys set up links with odd domain names that feel wrong as soon as you look at them.

Paranoia should be your first principle when you’re online on your computer. If you have any question in your mind about whether a link is authentic, don’t click.

But don’t get paralyzed. There are links that don’t appear to match what you expect but are actually completely safe.

Two examples.

•  Affiliate links are used for marketing by many websites. Your click leads to the marketing outfit tracking the clicks, then takes you to the site you expected. On the Bruceb Favorites page, the link for Dell Small Business does not lead to http://www.dell.com. Instead, it leads to http://www.jdoqocy.com/click-7481476-10473419. That’s an affiliate link. If you click on it, you will be safely taken to Dell after your click is registered. If you buy your computer after clicking the link, Dell will give me a pony. Click the link! Click the link!

•  Tracking links are used in many email newsletters and marketing messages. If you hover over a link in a Bruceb News email newsletter, the link will go first to Mad Mimi, the company that sends the email, so it can register the number of clicks and I can learn how wildly popular the articles are. It’s common and safe.

If you trust the source, trust the links.

As always, I want everyone to study the Rules for Computer Safety. And be careful out there!