Step 4: Reveal the Sender's Website Address

The purpose of this document is to show how to mouse over buttons in the body of an email to reveal the name of the sender’s website which is typically present in spams and phishes. In this phish, the button is Keep the same password.

Why is the sender’s website name useful?
By comparing the purported sender’s name, email address and website name, you’ll be able to see how consistent they are. If inconsistent, the email is suspicious.

The purported sender in our sample email is Server Administrator, presumably the administrator at where Jane Doe has her email. The sender is asking to continue with (her) current password by clicking on the Keep the same password button.

When the Keep the same password button is clicked, the recipient will go to the sender’s website which will ask for the recipient’s email password.
Server Administrator

To reveal the button’s website address, mouse over the Keep the same password button. You may need to click the downward facing arrow. Several seconds later, the sender’s website address will appear. The website server address ends with the first / after https://. In this phish, the phisher’s website address is The remainder of the address is used by the phisher to identify the recipient’s email address

Because the sender’s email address,, the button’s website address bear no resemblance to, and because this email exhibits all the traits described in Step 1, we know that this email is a phish.

Now mouse over a button in a spam, then in a phish.

Using any or all four of these steps should suffice to confirm or allay suspicions about the sender’s legitimacy.

Introduction To Who Sent This Email
Step 1: Spot Spam and Phishes By Appearance and Tone
Step 2: Look for Red Flags
Step 3: Reveal the Sender’s Email Address