"Mike, I just clicked something I shouldn't have. The email said FedEx had a package for me. I clicked the tracking link. Now my phone's slow."

I asked him to hand me the phone. The link he'd tapped wasn't FedEx. It went to a domain ending in .click - a real giveaway - and the page it opened was already gone by the time we looked. The scam page had done what it needed to do in the moment of the tap, and then closed up shop.

His phone was fine. His email account, on the other hand, had spent the last hour automatically sending the same fake FedEx email to everyone in his contacts.

He didn't get hacked because he was careless. He got hacked because nobody ever showed him a habit that takes three seconds and would have caught it: hover over the link before tapping. Look at where it actually goes. Then decide whether to click.

This is the most useful habit. It's free, it works on every device, and once it's a habit you don't even notice yourself doing it.

What "hovering" actually does

Every link in an email has two parts: the words you see, and the address those words point to. They don't have to match. The link can read "Click here to track your package" while pointing to http://malware-delivery.click. The blue underlined text is just decoration. The actual destination is hidden underneath.

Hovering — or long-pressing on a phone — reveals the actual destination without clicking. You see where the link goes before you commit. Three seconds. No software. No subscription. The single highest-value email habit you'll ever build.

How to do it on each device

On a Windows or Mac computer, in any email program: rest your mouse pointer on the link without clicking. After about half a second, the real address appears either in a small tooltip near your cursor or — more reliably — in the bottom-left corner of your browser or email window. Look there. That's where the link actually goes.

On an iPhone or iPad, in the Mail app or Gmail app: press and hold the link without lifting your finger. After about a second, a preview window pops up showing the real URL at the top, plus a thumbnail of the page. Look at the URL, then either tap "Hide preview" or release outside the link to cancel safely. Don't tap "Open."

On an Android phone, in Gmail or Outlook: press and hold the link. A menu appears showing the real URL near the top. Read it, then tap "Cancel" or close the menu without choosing anything.

The first time you try this, it'll feel awkward. By the third or fourth time, it's habit. Within a week, you won't think about it.

What you're looking for

A real link goes to a familiar, short domain you'd recognize. A real Amazon link goes to amazon.com or a sub-page like amazon.com/orders/xxxxxx. A real Apple link goes to apple.com. A real bank link goes to your bank's actual domain — the one printed on the back of your debit card.

A fake link looks wrong in one of three ways.

The first way: extra words stuck onto the brand name. Something like amaz0n.billing.support-track.net. To find the real owner of any URL, look for the part right before the first single slash. In that example it's support-track.net. Whoever owns support-track.net controls the link — not Amazon. The word "amaz0n-billing" is just camouflage glued to the front.

Similarly: the brand name appears as a subdomain in front of an unfamiliar domain. Something like apple.com.account-verify.online. Read the URL right to left. The actual owner is the chunk just before the last single slash, working backward : account-verify.online in this case. Apple is just a decoy word in the address.

The third way: weird endings. The familiar ones are .com, .org, .net, .gov, .edu Endings like .click, .online, .store, are technically real, but they're cheap, popular with scammers, and almost never used by major brands. If you see one of those endings on a link claiming to be from Microsoft or your bank, treat it as fake until proven otherwise.

The shortened-link curveball

Sometimes a link looks like bit.ly/xyz987 or tinyurl.com/123abc. These are real link-shortening services. Legitimate emails sometimes use them but a bank, Microsoft, Apple, or PayPal will almost never send you a shortened link in an account-related email. If a "your account is locked" email asks you to click a bit.ly link, that alone is enough to stop and not click.

If you're curious where a shortened link actually points, you can paste it into a tool like unshorten.it (in your browser, not by clicking anything) to reveal the real destination. But it's almost always faster to just delete the email and go to the company's website yourself.

When the link looks legit but the email is still off

A clean-looking URL doesn't make an email real. Sometimes scammers compromise a legitimate website and use it as a launching pad — so even a .com you recognize could be hosting something hostile. Always combine the hover check with the rest of your judgment: was I expecting this? Does the sender's address match? Does the timing make sense?

The safest fallback is always the same: don't use the link. Type the company's address into your browser yourself. Log in to your real account. If there's a real problem, you'll see it there. If there isn't, the email is fake.

A tiny exercise tonight

Open your inbox. Find any email — junk, real, doesn't matter. Hover over a link in it without clicking. Notice where the URL appears on your device. Now do it again with a different email. That's it. That's the whole habit.

The next time something arrives that makes your heart rate jump — a fake invoice, a "your account is locked" email, a delivery notice you weren't expecting — your thumb will already know to hover before it taps. The pause is the protection.

That's the week.

To get my weekly newsletter, and sometimes cool downloads, subscribe.