Lesson 4.1

Hover, Copy, Never Click

10 minutes

The rule in forensics is simple: extract information from a link without engaging it. Clicking commits you to whatever’s waiting on the other side — a tracking pixel, a drive-by download, a credential harvester, a malware payload. Hovering and copying are free. They give you the URL without giving the attacker any of your signals back. This lesson is about the three cheap, reversible ways to interrogate a link, and the one behavioral habit that has to become automatic.

The Three Safe Interactions

There are three ways to pull a URL out of a message without visiting it. Learn all three — different clients and devices each favour a different one.

Hover

Desktop only. Move your mouse cursor over the link and do not click. The real URL appears either in your browser’s status bar (lower-left corner) or in the mail client’s own preview tooltip that follows your pointer. What shows up here is the actual href of the link — the URL the click would send you to — not the text displayed inside the link. A link that says www.paypal.com will reveal its real destination here.

Works on desktop and mobile, which is its advantage. On desktop, right-click the link and choose “Copy link address” (Chrome/Edge), “Copy Link” (Safari), or “Copy Link Location” (Firefox). On mobile, long-press the link and choose “Copy link”. The URL goes into your clipboard without your browser ever navigating to it. You can then paste it into a plain text file and examine it at your leisure.

Inspect (Dev Tools)

Advanced, and worth learning for cases where hover and copy are giving you conflicting or unclear results. In a web mail client like Gmail or Outlook Web, right-click the link and choose Inspect. The browser’s developer tools open and highlight the <a> element. The href="..." attribute shows the literal URL that the browser will follow — not a tooltip, not a preview, the actual value from the page’s HTML.

Why Hover Can Lie

Hover is a starting point, not proof. A link can say it goes to paypal.com, the tooltip can say it goes to paypal.com, and the click can still send you somewhere else entirely. Several tricks make this possible. JavaScript event handlers (onclick, onmousedown) can intercept the click and redirect you to a different URL than the one in the href. HTML <meta> refreshes and server-side 30x redirects can bounce you through a chain of hosts — the hover only shows you the first hop. URL-shortener services (bit.ly, tinyurl, t.co) deliberately hide the destination behind an opaque short code, so the hover reveals nothing useful. And many mail clients render a “safe links” wrapper around every URL, which means the hover shows you a Microsoft or Google scanning URL rather than the underlying destination.

The practical takeaway: hover gives you a first look, not a verdict. When the stakes matter, copy the URL and examine it on its own — in a plain text file, in an unshortener, or in a sandbox (Lesson 4.3).

Building the Habit

Here is the one behavioral habit this course asks you to hard-wire: when you receive any message with a link, your muscle memory should be to hover before you think. Not to click. Not to delete. Not even to read the body carefully. Hover first.

We rarely ask for reflex-level habits in this course, because most forensics is deliberate and slow. This one is different — attackers design the entire phishing experience around the split-second “just click it and see” impulse. Urgent subject lines. Familiar logos. A single prominent button. The whole UI exists to get your cursor moving before your brain catches up. The only countermeasure that works at that speed is a stronger reflex going the other way. Hover. Then think.

You were told to "check if the link looks right." Links ARE designed to look right. The question is whether the link you see and the link you'd visit are the same URL.

Mobile Caveat

Mobile makes all of this harder. There is no hover on a touchscreen. Long-press to copy is your only built-in option, and even that sometimes triggers a navigation on older browsers or misbehaving apps. If you can’t safely copy a link on mobile — or you’re not confident you can — screenshot the message and investigate later from desktop. Do not click on mobile thinking, “I’ll just see where it goes and come back.” That’s the attacker’s best-case scenario: a small screen, a distracted user, a thumb already hovering over the button.

Investigation is not a mobile-first activity. Treat the phone as a capture device and the desktop as the lab.

Key Takeaways

  1. Three safe ways to pull a URL from a link: hover (desktop only), copy link (desktop and mobile), inspect (web mail clients, advanced).
  2. Hover is a starting point, not proof — JavaScript, redirects, and URL shorteners can all make it lie.
  3. Build the reflex: hover before you think. Phishing UI is engineered to exploit the click impulse; the only countermeasure is a stronger habit in the other direction.
  4. On mobile, long-press to copy — and if in doubt, screenshot and investigate from desktop. Don’t click “just to see.”