How to drive your mouse

…or: A Cautionary Tail in Three Parts

Whoa down, there, friend!

Don’t click that thing just yet.

Checking out what you’re about to click on is one of the best strategies you have to protect yourself from all the cyber-nasties out there.

Sure, you have backups, updates, and antivirus all in place (You do have those setup, right?!?), but if you don’t click in the first place, you don’t need to rely on those other layers of protection.

“But how can I tell what’s bad?” I hear you ask.

Ah, there’s the rub.

I. Hover-n-read

The first strategy I want you to learn is the “hover-n-read.”

Move the mouse over the link, but don’t click it just yet. Instead, look in the bottom-left corner of your browser window. Look for the address that the link points to.

Does it seem legit? Does it point to the site you want to go to?

Here are three practice links. Hover over each one, look for the address in the bottom-left corner of your browser window, and decide if you oughtta click or not. (This is just practice. Click if you want, but make sure you come back!)

Did you see those recipes in the last link? Doesn’t that third one look delicious? Yum!

II. Be suspicious

This is the next thing I need you to do: act a little paranoid.

Did you catch the bottom link in the list up there? See what I did?

There’s no guarantee that the link destination is the same as the link text.

I also added a little “social pressure” to encourage you to click my last link. I used fear (in this case, fear of “missing out”) to drag you by your lizard brain back to my link.

These are two favorite techniques of hackers who are trying to get you to click on Bad Things: They camouflage their links, and they try to influence you to click on something you might not otherwise open.

III. Check with the source

Okay, so now you’re paranoid and checking the destination of all your links (sorry/not sorry), but what if you get an unanticipated attachment in your email? From a trusted source (a friend, your bank, your mom…)? Boldly labeled “IMPORTANT” or “This is so funny! HAHAHAHA!” or “OMG! Can you believe this?!?”

What if it’s from your accountant and labeled “Please verify and sign this document”?

Tough call?

Not at all!

Imma teach you how to perform an “Out-of-band information transaction verification.”


Pick up the phone and call whomever sent the thing.

“Hi! How are you?

“Yup, me, too.

“Hey, I’m got an attachment from you, and AJ says I need to be paranoid about stuff like that. Is it a legit thing?

“Okay, cool.

“Thanks! Have a good day!”

Easy-peasy, right?

The idea is you use a separate communication channel (sourced with independent information) to confirm the legitimacy of the original item.

Puttin’ it all together

Here’s what I want your new workflow to look like when you come across a link you don’t implicitly trust (do any of those exist?):

  1. Hover over it and check the destination. Look good?
  2. Be a little paranoid. Is someone trying to pressure you into doing something? This can be subtle…
  3. Independently confirm the legitimacy of links and attachments (especially in emails) with the sender.