Never click links from emails - Is it even possible?

Big Dan

EQ Forum Moderator
"Never click links in emails" is sage advice we all hear frequently from the security conscious, but it just doesn't work out that way. The whole internet works on the basis of linking from page to page; the act of clicking on a link is so ingrained in surfers that we click links without a second thought.

I frequently see legitimate emails with links for me to update my account or payment information. If internet marketers or companies we deal with don't follow security advice and pepper us with links, the next time it might be a phishing email with a mock site stealing the information.

The problem is I really don't see an easy way to overcome our predisposition to linking in emails. Ideally the company would write "Please log in to Pogo's website to update your credit card details", but people on the whole are lazy and likely won't actually go up to the address bar, type in pogo.com and go through the process of logging in.

Perhaps a middle ground would be to email the customer with a link to the site's main page, advising them that there is something which needs their attention; then, once logged in, a notification system would direct them where to go. That's still a long trail of breadcrumbs for most people to follow.

1&1, a hosting & domain registrar whose business practices I generally despise, does something good with email notices. Anything they email you gets copied into a 'customer messaging center' of sorts. When you log in it's right there on top of your dashboard waiting for you to click through. It's not perfect, but I've trained myself to delete any email I get from them and just log in to the site to see what they want.

What's the answer? A 3rd party authentication system, no links in business correspondence at all, or should the onus be put on already overburdened email providers to block phishing emails?
 

EQ Admin

EQ Forum Admin
Staff member
I couldn't click a link in my email since I was using only pine for reading my email until about 2 years ago. I'd have to arrow down and press enter, and it would ask if I really wanted to go to the site. I use Gmail now and they're good about getting spam into my spam folder where I'll never see it. I generally don't click email links. To help me make sure a link is OK, I'll hover over links and verify they're going where they say they're going. Big red box warnings when an email client sees the text http://my-bank but really links to http://some-hacked-site.cn/bank/phishing.html are nice. Companies not putting any links at all and simply saying "please go to our web page and click update account info in the top right" works too.

There are other things going on in the background with email, such as SPF and domain keys, that combine info in the email headers (that users generally don't see) and information in DNS about expected sending servers, which allow incoming mail servers to help determine if an email is legit or not. Some ISPs force you to log in before you can send an email, but that doesn't stop you from getting your account login stolen and some spammer using your smtp-auth account for spamming. The core of the issue boils down to the fact that the SMTP protocol was designed at a time when all hosts on the "internet" were trusted. A major rewrite/replacement with security in mind needs to happen someday.
 
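The hover check described in the post above (visible link text naming one host while the href points somewhere else) is something a mail client or gateway can do automatically. The following is an added example, not code from this thread or from any mail client; it uses only the Python standard library and a constructed sample message whose hostnames (my-bank.example and the some-hacked-site.cn path quoted in the post) are illustrative.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body: one honest link, one whose visible text
# names the bank but whose href goes elsewhere, and one with plain wording.
SAMPLE_EMAIL_HTML = """
<p>Please visit <a href="https://www.my-bank.example/login">https://www.my-bank.example/login</a></p>
<p>Or here: <a href="http://some-hacked-site.cn/bank/phishing.html">http://my-bank.example/account</a></p>
<p><a href="https://www.my-bank.example/">Update account info</a></p>
"""

# Visible text that a reader would take for an address: optional scheme,
# optional www., a dotted hostname, optional path, no whitespace.
URL_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}(?:/\S*)?$", re.I)

def host_of(url):
    """Lower-cased hostname of a URL or bare domain, with a leading www. dropped."""
    url = (url or "").strip()
    if "://" not in url:
        url = "http://" + url          # urlparse needs a scheme to find the host
    host = urlparse(url).hostname
    return host.lower().removeprefix("www.") if host else None

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html):
    """Return (visible_text, href) pairs where the text looks like a URL
    but its host differs from the host the href really points to."""
    parser = AnchorCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.anchors
            if URL_LIKE.match(text) and host_of(text) != host_of(href)]

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"WARNING: '{text}' actually links to {href}")
```

Links whose visible text is ordinary wording ("Update account info") are not flagged, since there is no claimed destination to compare against; that case still needs the user, or a sender-authentication check such as SPF, to decide.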

Big Dan

EQ Forum Moderator
Yeah, Facebook should impose restrictions on what app devs can ask you to install. Too many people get infected with BS under the guise of getting more coins or some other crap.
 