Why is "hovering over" a link in an email considered safe? Or is it harmful?

One of my employers told us that if we receive a suspicious email with links, we have to hover over the link (to check that it is not spoofed) before clicking it.

When you mouseover a link, the value of the href attribute is displayed in the status bar. Since this is the link target, it can give you an idea about where the link is going.

Would someone be able to spoof this action and try to do something funny?

Generally, yes. The actual link target can be "spoofed" using JavaScript: It is quite common for websites to exchange the href value with another link as soon as the user clicks on it. For example, you can observe this when visiting Google search results. When you mouseover one of the links, it will be displayed as https://security.stackexchange.com/... but as soon as you click it, that event is captured and you visit an intermediate site first (https://www.google.com/url?...) which redirects you to the actual target.

But any well-designed (web-based) mail client will not execute any JS in HTML e-mails. Active script content in e-mails is dangerous - not only because it potentially results in an XSS flaw in the mail client but because it can also be used to run JS-based exploits against the browser or simply inform the sender that you have opened the mail.

So, if your mail client disallows JS in e-mails - which it most likely does - then the link displayed on mouseover is indeed the correct link target. But you should be aware of other attempts to deceive you, such as homograph attacks or an overly long URL that disguises the actual target domain. It's not as easy to analyze a URL in the status bar as it is from looking at it in the address bar. In a more advanced attack, the attacker could also have compromised a legitimate site beforehand (e.g. through a persistent XSS flaw) and you won't be able to tell from the link at all that the site now actually hosts dangerous content.


This could only be achieved with JavaScript. You can set the link to anything, and then write an onclick action that sends the user somewhere else:

<a href="http://example.com" onclick="window.location = 'http://www.google.com';return false;">click</a>

But if you allow JavaScript to be executed by your browser based email client, you are vulnerable to persistent XSS, which means that you have bigger problems.

As an aside, telling users to do [inconvenient thing] will almost never work as a security mechanism. A better solution would be to strip out all <a> tags and substitute the actual link instead.
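The two answers above describe the same set of controls from different angles: the first explains why a mail client must not run JavaScript (otherwise the hover target can be swapped at click time) and lists the deception patterns that survive even without JS (homograph hosts, overly long URLs); the second gives the onclick trick and suggests rewriting anchors so the real target is visible. The following is an added example, written for this page and not code from either answerer, that implements a simplified version of that pipeline as a Node.js script: it strips <script> blocks and inline on* handlers, drops links with non-http(s) schemes, rewrites each <a> so its real href is shown beside the link text, and flags punycode hosts, long URLs and link text that looks like a URL for a different host. The sample e-mail, the 80-character "long URL" threshold and the warning names are assumptions chosen for the demonstration, and the regex-based tag scanning is a stand-in for the proper HTML sanitiser a real mail client would use.

```javascript
// Added example (not from the original Q&A): a simplified sanitiser for HTML
// e-mail. All sample content below is constructed; the regex tag scanning is a
// stand-in for a real HTML sanitiser and will mis-handle malformed markup.

// Constructed sample: a tracking script, an anchor whose text, href and
// onclick all disagree, a punycode (homograph-style) host, an over-long URL
// whose real domain is hidden in the middle, and a javascript: link.
const SAMPLE_MAIL = `
<p>Your account needs attention.</p>
<script>new Image().src = "http://tracker.example/open?id=42";</script>
<a href="https://login.example.com/" onclick="window.location='http://attacker.example/';return false;">https://security.stackexchange.com/</a>
<a href="https://xn--80ak6aa92e.com/">apple.com</a>
<a href="http://example.com.evil.example/reset/account/verify/session/token/0123456789abcdef0123456789abcdef">Reset password</a>
<a href="javascript:alert(document.cookie)" onmouseover="this.href='https://good.example/'">Click here</a>
`;

const LONG_URL = 80;                                   // assumed threshold for "overly long URL"
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Remove active content: <script> blocks and inline event-handler attributes
// (onclick, onmouseover, ...). Without these, the href shown on hover is the
// href that will actually be followed.
function stripActiveContent(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Pull the href out of an <a ...> attribute string; returns '' if absent.
function extractHref(attrs) {
  const m = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]).trim() : '';
}

// Classify one link: where it really goes, and which deception patterns apply.
function describeLink(href, text) {
  const warnings = [];
  let host = '';
  try {
    const u = new URL(href);
    host = u.hostname;                                 // WHATWG URL keeps the ASCII (xn--) form
    if (!SAFE_SCHEMES.has(u.protocol)) warnings.push('unsafe-scheme');
    if (host.split('.').some((label) => label.startsWith('xn--'))) warnings.push('punycode-host');
    if (href.length > LONG_URL) warnings.push('long-url');
    // Link text that is itself a URL but points at a different host: the
    // static equivalent of the click-time swap described in the answers.
    if (/^https?:\/\//i.test(text.trim())) {
      try {
        if (new URL(text.trim()).hostname !== host) warnings.push('text-url-host-mismatch');
      } catch {
        warnings.push('text-url-unparseable');
      }
    }
  } catch {
    warnings.push('unparseable-href');
  }
  return { href, text, host, warnings };
}

// Rewrite every <a> so the reader sees the real target without hovering;
// links with unsafe or unparseable targets lose the anchor entirely.
function sanitizeMail(html) {
  const links = [];
  const out = stripActiveContent(html).replace(
    /<a\b([^>]*)>([\s\S]*?)<\/a>/gi,
    (_, attrs, inner) => {
      const text = inner.replace(/<[^>]+>/g, '');     // drop nested tags from link text
      const info = describeLink(extractHref(attrs), text);
      links.push(info);
      if (info.warnings.includes('unsafe-scheme') || info.warnings.includes('unparseable-href')) {
        return `${text} [link removed]`;
      }
      const safeHref = info.href.replace(/"/g, '&quot;');
      return `<a href="${safeHref}">${text}</a> [${info.href}]`;
    },
  );
  return { html: out, links };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { html, links } = sanitizeMail(SAMPLE_MAIL);
  console.log(html);
  for (const l of links) console.log(l.host || '(no host)', '->', l.warnings.join(',') || 'ok');
}
```

Run with `node sanitize.js`. For the constructed sample, the first anchor is rewritten to show `https://login.example.com/` next to the misleading stackexchange text and is flagged `text-url-host-mismatch`, the `xn--80ak6aa92e.com` link is flagged `punycode-host`, the long `example.com.evil.example` URL is flagged `long-url`, and the `javascript:` link is replaced by plain text. Note that the on* stripping pattern is applied to the whole document rather than only inside tags, so a word such as `one=2` in body text would also be removed; that is one of the reasons to prefer a real HTML parser over regexes in production.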