Today we’re going to be talking about a very useful skill for staying safe online: hovering links to see where they lead, before you click on them.
Let’s start with an example of when you might use this skill. In our most recent phishing attempt, the Help Desk Phishing Attempt, the sender placed a link in the email with the text “H E R E.” The link claimed to lead to new terms and conditions for Vassar’s email system. The text of the link doesn’t give us any hints where the link might lead, and so if we didn’t recognize this was a phishing attempt we might have clicked on the link. Let’s take a look at the url of where the link was really leading:
That’s definitely not Vassar terms and conditions! It looks like it might be leading to an automotive store or company in Australia, but we can’t even know if that’s true. All we can tell is that this link is definitely not leading where it claims, and that it looks suspicious, so we definitely shouldn’t click on it.
But how do we know where the link is leading if we don’t click on it? That’s where hovering over a link comes in.
Note: To use this tip, you’ll have to be on a desktop computer or laptop. If you’re trying to figure out where a suspicious link is leading, you should pull up the email or source the link is in on your personal computer or use one of the college computers such as in the College Center or the Library.
To find out where a link is leading without clicking on it, all you have to do is hover over it with your mouse and check the bottom left corner of your screen. On almost all browsers and operating systems, when you do this there will be the text of the url in a very similar format to the image above. Unfortunately, sometimes the text is quite small, but you hopefully will be able to make out if the link seems legitimate or not. Make sure when you hover over the link, you don’t accidentally click on it!
While sometimes it’s very obvious that a link is not leading where it claims (like something that says it’s going to take you to a Vassar page but actually goes to amazon.com), other times it can be more subtle. Here’s some things to look out for:
– typos, like vasar.edu instead of vassar.edu
– incorrect domains, like vassar.com instead of .edu or another country’s domain
– things that just don’t make sense, like the above example of the word automotive in something that claims to be email terms and conditions
– lots of random letters and numbers
– a more legit name appearing after / in the url, like the /vassar.edu above (this is an attempt to trick you into believing the link is real and to establish trust)
While there are other ways to detect suspicious links, like right clicking and copying and pasting the link into a notes document to see where it leads, this is one of the easiest and safest methods. Sometimes realizing a link doesn’t lead where it claims to can be the last clue that something is a phishing attempt. While you should always be looking out for other hints, like we talk about on the Phishing Tips page, this is a useful tool to protect you from phishing and other dangerous links online. And remember, if you don’t know where a link is leading, you should never click on it, and you should never provide information to any forms that these suspicious links lead to!
