Can JavaScript be used to display fake URLs when you mouseover links?

I suspect some websites, like Google, use something like this. When you mouseover search results, the link shown at the bottom is the address of the website, but the actual link you click on is a redirect through google.com. You can observe this when Google doesn’t load properly, and clicking on the links doesn’t work, even though the URL is shown at the bottom, or you see a Google address instead. This is what it looks like when it doesn’t work:
https://lh5.googleusercontent.com/-42hulERCyow/UEWuzZFufzI/AAAAAAABCjQ/Y2kbJwo8RI8/s800/js%25201.png
And normally:
https://lh3.googleusercontent.com/-UQxMJlk1ol0/UEWuzSL0k-I/AAAAAAABCjU/N_4OTq2H21I/s800/js%25202.png

Isn’t this a potential security threat? I mean, scammers can use this technique to put a link in an email. When you mouseover it, it says bank.com, but when you click, it goes to their website?

I am a web developer in an industry that sends a large amount of email, so I have some experience.

In most mail (web-based and desktop) JavaScript is stripped out, so the fake rollover is not possible. (This is true of all web-based mail that I have seen, and all desktop apps I have seen, but as there are so many, I cannot say for sure. You are safe with Gmail, Hotmail, Yahoo, and other large and well-known web-based clients.)

On a website, assuming JavaScript is enabled, it is possible to do what you have seen, quite easily.

If you are nervous, all modern browsers have the facility to turn off JavaScript.

Hmm, so maybe what they’d have to do is have a link to a survey on a legitimate website, then use JS on that to the phishing site. It’s easy to spoof email from headers, and I think some people only check links when they mouseover, not the final website.
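
The mismatch discussed in this thread can be checked for mechanically. This is an added example, not code from any of the posts or from any site mentioned: it audits link descriptors for visible text that names a different host than the `href`, inline handlers that could rewrite the `href` at click time, and redirect-wrapper parameters. The descriptor shape (`text`, `href`, `attrs`), the hosts and the handler name `rewrite` are assumptions made for the example.

```javascript
// Added example: flag links whose displayed destination may differ from the real one.
// Inline handlers that can swap a link's href between hover and click.
const REWRITE_HANDLERS = ["onmousedown", "onmouseup", "onclick", "onmouseover", "onfocus"];

// Hostname of an http(s) URL (leading "www." dropped), or null if it is not one.
function hostOf(value, base) {
  try {
    const u = new URL(value, base);
    return /^https?:$/.test(u.protocol) ? u.hostname.replace(/^www\./, "") : null;
  } catch {
    return null;
  }
}

// If the visible link text is itself a URL or bare domain, return its host.
function hostInText(text) {
  const m = text.trim().match(/^(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[\/:?#]\S*)?$/i);
  return m ? m[1].toLowerCase().replace(/^www\./, "") : null;
}

// link = { text, href, attrs }; pageUrl resolves relative hrefs.
function auditLink(link, pageUrl) {
  const findings = [];
  const hrefHost = hostOf(link.href, pageUrl);
  const shown = hostInText(link.text);
  if (shown && hrefHost && shown !== hrefHost) findings.push("text-host-mismatch");
  for (const name of Object.keys(link.attrs || {})) {
    if (REWRITE_HANDLERS.includes(name.toLowerCase())) findings.push("handler:" + name.toLowerCase());
  }
  if (hrefHost) {
    // Redirect wrapper: a query parameter carrying a full URL on another host.
    for (const [key, value] of new URL(link.href, pageUrl).searchParams) {
      const target = hostOf(value);
      if (target && target !== hrefHost) findings.push("redirect-param:" + key + "->" + target);
    }
  }
  return findings;
}

// Constructed sample data (hypothetical hosts and handler name).
const PAGE = "https://search.example/results";
const SAMPLE_LINKS = [
  { text: "https://bank.example/login", href: "https://bank.example/login", attrs: {} },
  { text: "bank.example", href: "https://login.other.example/", attrs: {} },
  { text: "Annual survey", href: "https://news.example/story", attrs: { onmousedown: "rewrite(this)" } },
  { text: "Result title", href: "/url?q=https://news.example/story&sa=U", attrs: {} },
];
const auditAll = () => SAMPLE_LINKS.map((l) => auditLink(l, PAGE));
console.log(auditAll());
```

In a browser the same descriptors can be built from `document.links` by reading each anchor's text, `getAttribute("href")` and attribute names. Handlers attached with `addEventListener` do not appear as attributes, so a clean result from this check only covers inline handlers.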