Isn’t this a potential security threat? I mean, scammers can use this technique to put a link in an email. When you mouseover it, it says bank.com, but when you click, it goes to their website?
I am a web developer in an industry that sends a large amount of email, so I have some experience.
In most mail (web-based and desktop) javascript is stripped out so the fake rollover is not possible (This is true of all web-based mail that I have seen, and all desktop apps I have seen - but as there are so many, I cannot say for sure. You are safe with gmail, hotmail, yahoo, and other large and well-known web-based clients)
On a website, assuming javascript is enabled, it is possible to do what you have seen, quite easily.
If you are nervous, all modern browsers have the facility to turn off javascript.
Hmm so maybe what they’d have to do is have a link to a survey on a legitimate website, then use JS on that to the phishing site. It’s easy to spoof email from headers, and I think some people only check links when they mouseover, not the final website.