See "Hacking the <a> tag in 100 characters" for what Bilawal Hameed found out:
A short while ago, I discovered that JavaScript allows you to change the <a> href after you click on it. It may not seem that serious at first glance, but rest assured, it can trick customers into giving in their details to fraudsters.
Thanks to @_funkyboy for the tweet pointing to this flaw.
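One way a site could guard its own pages against the behaviour described above, for instance when third-party scripts run on them. This is an added example, not code from Bilawal Hameed's post, and the names recordShown, verdict and installGuard are hypothetical. It remembers the href the visitor saw on hover or focus and cancels the click if the link points to a different origin by the time the click bubbles up.

```javascript
// Added example: detect an <a> whose href changes between hover and click.
const shownHref = new WeakMap(); // anchor element -> href the visitor last saw

// Remember the destination shown in the status bar on hover or keyboard focus.
function recordShown(anchor) {
  shownHref.set(anchor, anchor.href);
}

// Compare the destination seen earlier with the one the click would follow now.
function verdict(anchor) {
  const shown = shownHref.get(anchor);
  if (shown === undefined) return "unknown"; // never hovered or focused (touch, scripted click)
  let before, now;
  try {
    before = new URL(shown);
    now = new URL(anchor.href);
  } catch {
    return "swapped"; // unparsable destination: treat as hostile
  }
  if (before.href === now.href) return "same";
  // A changed query string or path on the same origin is usually tracking, not fraud.
  return before.origin === now.origin ? "same-origin-change" : "swapped";
}

// Wire the checks into a document. Recording uses the capture phase so it runs
// first; the click check uses the bubble phase so it runs after the link's own
// onclick handler has had its chance to rewrite href.
// Limitation: a handler that calls stopPropagation() hides the click from this check.
function installGuard(doc) {
  const find = (e) =>
    e.target && e.target.closest ? e.target.closest("a[href]") : null;
  for (const type of ["mouseover", "focusin"]) {
    doc.addEventListener(type, (e) => {
      const a = find(e);
      if (a) recordShown(a);
    }, true);
  }
  doc.addEventListener("click", (e) => {
    const a = find(e);
    if (a && verdict(a) === "swapped") {
      e.preventDefault(); // stop the navigation to the substituted destination
      console.warn("href changed after hover:", shownHref.get(a), "->", a.href);
    }
  }, false);
}

if (typeof document !== "undefined") installGuard(document);
```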