Hovering on links to see where it leads? It’s not as safe as you think.

Dan Ong Chew Seng
4 min readNov 23, 2021
Photo by JJ Ying on Unsplash

It’s the dreadful Monday again, you pull yourself to your computer and open your email. Ding, comes a new email from what appears to be from your bank, telling you your account is compromised and requires your immediate attention. But you’ve been through enough scam awareness webinars to be wary, you know to look out for obvious signs like poor english, typos or even weird links like www.my-dbs-online.net.

However, as you hover your cursor over the link in the email, it appears to be legit, linking you directly to https://www.dbs.com.sg. Thinking it’s probably safe, you click on the link and log into your account. The very next day, you realized your bank balance is wiped clean. You’ve fallen victim to what I like to call a “distant-cousin” of clickjacking attack.

Such a scenario seem improbable, and it is. Modern email clients are sophiscated enough to prevent such attacks. But this technique can be used on any website to disguise a malicious link as a legit one (think a phishing page link disguised as your bank).

Mechanism of Attack

Screen capture of the demo of the Clickjacking attack

This kind of attack is made possible by intercepting the Javascript onClick event on the Anchor link, and calling:


to cancel the default behavior of clicking on a link (i.e. redirecting the user to the location stated in href which is what you saw in the browser link preview). Subsequently, Javascript can be used to redirect the user to the malicious link.


If the user is not paying attention, he/she may not notice the difference in the URL of the resulting page that loads.

Sample Code


As mentioned in the introduction, this technique won’t work on most modern email clients including your iPhone mail app, Gmail, Outlook, etc. It requires Javascript to work, which is not supported on almost all clients, with the exception of a few of them.

Of course, this technique can and is actually used for legitimate purposes. In one of my projects, I use it to capture clicks on a search result page for historical/usage statistics but still allow users to see the original URL when hovered instead of having them see a long proxy url like:


Potential Mitigations

Check, check, and check.

The most obvious way you can prevent falling victim to such an attack will be to always double and triple check the URL of the resulting page after clicking on a link, to make sure that you’re actually in the right place. Additionally, also look out for the green [since 2018, major browsers had been phasing out the bright green icon and defaulted to a less prominent color] lock icon that signifies that your connection is secure and authentic, not spoofed by someone else.

Check that you’re in the right place, and the connection is secure.

Anti-phishing browser extensions

Another way you can keep yourself safe, is to install browser extensions that monitors your activity and warn you of any dangerous sites with a big, red warning sign that you can never miss. So even if you’re redirected to a malicious site, you will know for sure.

Big, red WOT warning screen

One such browser extension is WOT (Web of Trust), that is available for both Google Chrome and Firefox.

Disable Javascript

Last but not least, the most extreme measure will be to disable Javascript on your browser or install an extension like NoScript to prevent script execution on some sites. But in the modern Web 2.0 world, disabling Javascript is a definite no-go as that will completely break most sites you visit on a daily basis.


It may sound like a stretch and implausible, but gullible and people who are less tech-savvy may end up falling victim. It is always good to have awareness of such techniques, be it to counter malicious actors, or if you’re a developer, to employ it in your next project (legitimately, of course).



Dan Ong Chew Seng

Full stack software engineer; the only way to not be replaced by robots, is to be the architect of said robots.