Hovering (over links) is your best secret weapon!

Hidden text, also known as zero font, lets a malicious email slip past email security platforms by inserting invisible characters between the letters of a word or address. It is often used to make a fraudulent email appear legitimate. Read on to find out how to protect yourself from falling victim.

At times, it feels as if we could start every week with this sentence: “There’s a new tactic being used by cybercriminals to trick unsuspecting victims.” And the sophistication level of the new tactics is off the charts. So, what are we dealing with as of late? Well, where should we start…

Hidden text is becoming more commonplace as a tactic to bypass email security platforms.

The attacker has now established your trust with a seemingly legitimate email address: because you don’t see the hidden text, you believe the sender is who they appear to be. In a recent attack uncovered by Cofense, messages were sent that appeared to come from the company’s technical support team and, ultimately, its email service. An explanation followed about messages that had gone unprocessed and needed review. To add a sense of urgency, a time limit was set: “They appear to be legitimate but will be deleted if not reviewed within three days” – or some version of that.


As an employee, who may even be working remotely, you know the importance of doing your job well despite the circumstances, so you aren’t going to jeopardize anything by being careless. If you get a link from what appears to be an individual or department within your company, you click so you can get your job done. And you don’t stop there. You continue to click and enter your credentials on what appears to be your company page. But it isn’t. It is a page built to replicate your company’s page nearly identically. It even has a fake login page that keeps letting you log in and navigate the site, which STILL contains additional false fronts.

How can you beat this system? Training. Ongoing training is the top way to keep your team educated in safe cyber practices. In this case, hovering over the sender’s email address might not have revealed anything – BUT hovering over the link placed there to ‘verify the messages’ would have exposed the false page.

Imagine walking into a hotel room. You flip on every single switch to see what it does, what it turns on. You can think of email links in the same way. Hover over every single link to confirm it is legitimate and see where it really leads.
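As an added example (my code, not from the article or from HIPAA Secure Now!), here is a small Python check that does for an HTML email body what the article asks the reader to do by eye: it separates the text a reader actually sees from zero-font and display:none filler, and it lists links whose displayed text names a domain the href does not go to, which is exactly the mismatch that hovering reveals. The sample message, the inline-style patterns treated as “hidden”, and the domain-matching rule are my assumptions; real mail can hide text in other ways, so treat this as a starting point for a render-aware filter, not a complete one.

```python
"""Hidden-text and hover-mismatch check for an HTML email body.

Added example for this article (not the article's or any vendor's code).
Assumptions: hidden text is marked inline with font-size:0 or display:none,
and a link is suspicious when its anchor text shows a domain different from
the host in its href. Only the standard library is used.
"""
from html.parser import HTMLParser
import re
from urllib.parse import urlparse

# Inline styles that make text invisible to a human reader (assumed patterns).
HIDDEN_STYLE = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|%)?(?![\d.])|display\s*:\s*none", re.I)
# A domain-looking token inside anchor text, e.g. "mail.example.com".
DOMAIN_RE = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
# Elements that never have a closing tag, so they must not enter the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "source", "wbr"}


def normalize(text):
    """Collapse whitespace the way a rendered email would."""
    return re.sub(r"\s+", " ", text).strip()


class EmailInspector(HTMLParser):
    """Collects visible text, hidden text, raw text and (anchor text, href) pairs."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden, self.raw = [], [], []
        self.links = []          # (anchor text as displayed, href)
        self._stack = []         # (tag, is_hidden) for each open element
        self._hidden_depth = 0   # > 0 while inside any hidden element
        self._link = None        # [href, text fragments] while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        self._stack.append((tag, hidden))
        if hidden:
            self._hidden_depth += 1
        if tag == "a":
            self._link = [attrs.get("href") or "", []]

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or tag not in [t for t, _ in self._stack]:
            return
        # Pop back to the matching open tag; tolerates unclosed inner elements.
        while self._stack:
            open_tag, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if open_tag == tag:
                break
        if tag == "a" and self._link is not None:
            href, parts = self._link
            self.links.append((normalize("".join(parts)), href))
            self._link = None

    def handle_data(self, data):
        self.raw.append(data)                 # what a naive text filter sees
        if self._hidden_depth:
            self.hidden.append(data)          # zero-font / display:none filler
            return
        self.visible.append(data)             # what the reader sees
        if self._link is not None:
            self._link[1].append(data)


def inspect_email(html):
    """Return the reader's view, the hidden filler, the raw text and all links."""
    p = EmailInspector()
    p.feed(html)
    p.close()
    return {
        "visible": normalize("".join(p.visible)),
        "hidden": normalize("".join(p.hidden)),
        "raw": normalize("".join(p.raw)),
        "links": p.links,
    }


def suspicious_links(links):
    """Links whose displayed text names a domain the href does not go to.

    This is the mismatch hovering exposes: the text says one place, the status
    bar shows another. Plain-word anchors ("Help center") make no domain claim
    and are not flagged here; they still deserve a hover.
    """
    flagged = []
    for text, href in links:
        host = (urlparse(href).hostname or "").lower()
        m = DOMAIN_RE.search(text)
        if not m:
            continue
        shown = m.group(1).lower()
        if host != shown and not host.endswith("." + shown):
            flagged.append((text, href))
    return flagged


# Constructed sample message (example.com / example.net are reserved names).
SAMPLE = """<html><body>
<p>From: support@<span style="font-size:0px">zz</span>example.com</p>
<p>You have 3 unprocessed messages. They will be deleted if not reviewed within three days.</p>
<p><a href="https://example.net/login">https://mail.example.com/review</a></p>
<p><a href="https://mail.example.com/help">Help center</a></p>
</body></html>"""

if __name__ == "__main__":
    result = inspect_email(SAMPLE)
    print("Reader sees :", result["visible"])
    print("Hidden text :", result["hidden"])
    print("Filter sees :", result["raw"])
    for text, href in suspicious_links(result["links"]):
        print(f"Mismatched link: shows {text!r} but goes to {href}")
```

Run it as a script to see the three views side by side: the reader sees `support@example.com`, a filter that only reads the raw text sees `support@zzexample.com`, and the “review” link displays one domain while pointing at another. Scanning the rendered (visible) text rather than the raw markup, and comparing anchor text with the href host, are the two checks that make the article’s hidden-text and hover advice something a mail gateway can do automatically.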

We can’t emphasize this enough. Training, training, training. Hover, hover, hover. There are many ways that you can protect your business from cybercrime, but this is a good place to start. If you want to ensure you have COMPLETE protection, let’s get together for a discussion and review of what you have in place, and how we might be able to help.


We are a proud partner of HIPAA Secure Now!, a company of HIPAA experts dedicated to helping medical entities stay compliant and keeping their data safe. Thank you HIPAA Secure Now! (www.HIPAAsecurenow.com) for the contents of this article.


Want more cybersecurity tips to help keep your business safe & secure? Sign up for our email newsletter and have new articles & tips delivered straight to your inbox monthly.

Tracy Hardin

Tracy Hardin is President and founder of Next Century Technologies in Lexington, KY. She has a bachelor's degree in computer science from the University of Kentucky and has earned certifications from Novell, Cisco and CompTIA. Her specialties in the field of IT are network design and security, project management and improving productivity through technology. She loves helping people by sharing her knowledge of tech.
