You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Please display the actual destination of every link directly at the link (e.g. above or beside the link text), not only on hover or long-press, and visually flag the destination in red when the destination's host does not match the hostname named in the visible link text.
Generic call-to-action text names no hostname, so there is simply nothing to mismatch there; the value is that the real destination is still shown in plain sight.
This closes the link-text-mismatch gap that authenticated phishing exploits — e.g. the Jan 2026 SendGrid campaign, whose mail passed SPF/DKIM/DMARC yet pointed "Manage preferences" at a credential-harvesting page.
Ideally offer a graduated policy (full URL / domain-only / external-links-only) so the UX cost is configurable.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
Please display the actual destination of every link directly at the link (e.g. above or beside the link text), not only on hover or long-press, and visually flag the destination in red when the destination's host does not match the hostname named in the visible link text.
Generic call-to-action text names no hostname, so there is simply nothing to mismatch there; the value is that the real destination is still shown in plain sight.
This closes the link-text-mismatch gap that authenticated phishing exploits — e.g. the Jan 2026 SendGrid campaign, whose mail passed SPF/DKIM/DMARC yet pointed "Manage preferences" at a credential-harvesting page.
Ideally offer a graduated policy (full URL / domain-only / external-links-only) so the UX cost is configurable.
A free, open-source reference implementation exists — Reveal URLs (https://www.reveal-urls.eu/ , source https://codeberg.org/magentron/reveal-urls) — and the full rationale, trade-offs and alternatives are documented at:
https://www.phpfreelance.co.uk/blog/email-link-phishing-your-app-should-always-show-the-url.html
Beta Was this translation helpful? Give feedback.
All reactions