The clever attackers use JavaScript to display something different for the hover and when you click, or use chains of links and/or link shorteners and who knows where those go, or use — as recently arose with a bogus electronicfrontierfoundation domain used for spearphishing — legitimate-looking domains that aren't.
Use a plugin blocker. Or remove Adobe Flash Player. YouTube doesn't need it anymore, and it's a common source of vulnerabilities. Remove Oracle Java, or minimally disable the web start on all but the site(s) you really need to use Java with.
In general, "Spyware" and "Adware" and such are present on your system. That usually happens if you've installed the stuff — possibly as part of cracked software, some toolbar, or a package that's been "wrapped" as part of a download site — or if somebody else has had physical access, or if some network-accessible component of OS X has had a vulnerability.
Also ensure Gatekeeper is set to allow signed apps and App Store apps.
Don't install anything you didn't go looking for, and only install from the original source and not from a download site or aggregator.
Cracked software and torrented software often intend to crack your local security, too.
Etc...
The difficulty encountered with OS X, Windows and other platforms — and with web browsers and the rest — is that end users are often not familiar with computer security, but are increasingly expected to be, and are increasingly expected to manage their own systems and access and backups. IT has gotten vastly simpler and in ways I never expected, but it's still not simple. Both the attacks and the defensive recommendations are evolving, too. Tools like Xprotect and Gatekeeper might help, but it's just as easy to load some anti-malware tool that can end up making the system unstable or — as has happened — open up additional paths for remote attacks.