Dear victim,
Please click on www.google.com to go to Google.
Sincerely,
Not a scammer


Above is an example of a not very convincing phishing email. However, observe that the hyperlink the sheep (victim) is supposed to click on appears to genuinely point to Google: when hovered over, it says it will go to Google.com. Clicking on it, however, results in completely different behavior.

This is because the hyperlink also carries JavaScript code that always returns false. That false return value cancels the hyperlink's normal navigation, so only the JavaScript runs. Naive users don't see the JavaScript. Note that while the JavaScript here keeps us on the same page, it could just as easily send us to a phishing website.

Users are protected from this in two ways. First, most email systems disable JavaScript by default (note that this can be re-enabled). Second, the URL in the navigation bar tells you what the URL of the site is. This URL can be changed (e.g., by using history.pushState), but modern browsers inhibit excessive modification of the URL.
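A third line of defense is to inspect the email's HTML before it is rendered. The following is an added example, not code from the original page: a small Node.js audit that flags anchors carrying inline `on*` handlers (the trick described above), `javascript:` hrefs, and link text that looks like a URL whose host differs from the actual href host. The sample email body is constructed for the demonstration.

```javascript
// Added example: audit anchors in an HTML email body for behaviour that
// does not match what the visible link suggests.
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const ANCHOR_RE = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;

// Parse the attribute string of one <a ...> tag into a lowercase-keyed map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[3] ?? m[4] ?? m[5] ?? '';
  }
  return attrs;
}

// Hostname of a URL or bare host like "www.google.com"; null if unparsable.
function hostOf(text) {
  const s = /^[a-z][a-z0-9+.-]*:/i.test(text) ? text : 'http://' + text;
  try { return new URL(s).hostname.toLowerCase(); } catch { return null; }
}

// Returns one finding per suspicious anchor: { href, text, reasons[] }.
function auditAnchors(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    const text = m[2].replace(/<[^>]*>/g, '').trim();
    const href = attrs.href ?? '';
    const reasons = [];
    // Any inline event handler (onclick, onmouseover, ...) can hijack the click.
    const handlers = Object.keys(attrs).filter(k => k.startsWith('on'));
    if (handlers.length) reasons.push('inline handler: ' + handlers.join(','));
    if (/^\s*javascript:/i.test(href)) reasons.push('javascript: href');
    // Link text that looks like a host should agree with the real destination.
    const textHost = /^[\w.-]+\.[a-z]{2,}(\/|$)/i.test(text) ? hostOf(text) : null;
    const hrefHost = hostOf(href);
    if (textHost && hrefHost && textHost !== hrefHost) {
      reasons.push(`text host ${textHost} != href host ${hrefHost}`);
    }
    if (reasons.length) findings.push({ href, text, reasons });
  }
  return findings;
}

// Constructed sample resembling the email above, plus a benign link and a
// text/href host mismatch (198.51.100.7 is a documentation-range address).
const SAMPLE = `
<p>Please click on <a href="https://www.google.com" onclick="return false;">www.google.com</a> to go to Google.</p>
<p>Docs: <a href="https://example.com/help">help pages</a></p>
<p><a href="http://198.51.100.7/login">www.example.com</a></p>
`;
console.log(JSON.stringify(auditAnchors(SAMPLE), null, 2));
```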