Preventing phishing attacks like what happened with The Onion

Tonight I read The Onion's account of how they were hacked by the Syrian Electronic Army through phishing. You can find the write-up here.


This got me thinking: there is a simple way that some phishing attacks could be easily detected and prevented by email web apps and clients.

The email client can check the text of the hyperlink vs. the actual hyperlink destination. If there is a mismatch, then the email client would flag the text somehow and warn the end-user of the mismatch.

For example, the email client can check whether actually links there (it doesn't in this case - it links to The Onion), and make the link unclickable until the user confirms that they really want to go to URL that's embedded in the HTML code.

That won't prevent phishing attacks that simply say "Click here", but it's at least a first line of defense for situations like what happened to the employees at The Onion, where a seemingly legitimate web address ( was written expressly to fool the user into thinking it was a harmless link.