[jvatic]

In addition to countless other oversights, setTimeout would not work as you suggested in the post as the page would be unloaded before it ever executed. And, as others have already mentioned, there are numerous other ways to accomplish the exact same effect with 'more legitimate' methods (e.g. event.preventDefault(); window.location = ...).

Various browsers such as Chrome will warn/block you from visiting known malicious sites, but it comes down to being aware of where you are before entering personal information.

I think a better proposal might be getting browsers to warn users if the url they are visiting is sufficiently different from the original href attribute (i.e. different host). Something like this could easily be done with a browser extension (and could handle more cases such as preventDefault + window.location = ...).