Please Stop Already—Links in HTML Emails Considered E-V-I-L

Phishy or Not?

OK, what's wrong with this picture... you receive an unsolicited email from a financial institute with whom you have a prior existing business relationship. The email sounds very official and has none of the usual sloppy spelling or grammatical errors that are the usual tip-offs to most phishing attempts. (Thank God that the most of the idiots constructing these phishing attempts to exploit the naïve don't know how to use spelling and grammar checkers in their word processing software! ;-)

However, the email is also written in HTML¹ and it obfuscates the URL they wish you to visit with the ubiquitous “Click here to activate your account” link. Furthermore, it states that once you login with your user name and password, you will be requested to enter your Social Security Number. So the email is starting to smell somewhat phishy to me.

This particular email was purportedly from Morgan Stanley Smith Barney. (I'm sorry, but they deserved to be called out and shamed by this!) Naturally, I checked out the 'Received' email headers and note that they in fact do come from Citigroup, who indeed now owns MSSB. (I had to run a whois on a few of the domains I wasn't sure about, but in the end the all the domains listed in the Received headers checked out as being associated with Citigroup.)

Still, I wasn't about to just hand over my SSN without being a bit more cautious. After all, one never knows if Citigroup introduced a recent misconfigured open mail relay somewhere that some phisher was trying to exploit. So I send the email with all email headers to our company spam police. After several hours, they got back to me and assured me that the email was legitimate and that it had to do with the conversion of Qwest shares to CenturyLink shares,which I thought it might and was why I didn't completely dismiss the email outright.

Do As We Say, Not As We Do

So here is the issue. Financial institution of all kinds—whether it be banks, broker agencies, credit card companies, etc.—are constantly reminding their patrons to “not click on links from suspicious emails that appear to come from us”. If anything, they tell you to manually enter their URL into your browser's Location / Address bar. They tell us not to provide our SSN or user names and passwords to such sites. But then they turn right around and send their own customers out HTML emails with obfuscated links asking them to do the very thing that they spent several earlier emails and newsletters repeatedly educating their users not to do.

I ask you, is this practice not insane? While I'm focusing on financial institutes here because of the MSSB email from them today, they are by no means the only culprit. I've seen this very same practice done by Microsoft in some of their emails. In fact, I'm sure that I've seen one or two that were security related emails (in HTML naturally, even though I've signed up for the plain text variety) to their subscribers where in one paragraph they warn you about clicking on links provided in suspicious emails and a few paragraphs latter they are advertising a link where you can click on it to download some free Microsoft software like Silverlight or Security Essentials or Windows Defender. And often those links are redirected through some 3rd party mass email distribution company—just for that extra secure feeling I guess.

Argh!!! Please stop it already! Don't the people composing these emails out realize that they are reinforcing the very practice that they claim to be trying to educate users to stop doing? Oh, the irony of it all. Are they trying to lampoon themselves?

So please don't be telling me how we ought to require that regular users be better educated about security matters so as to make the rest of us all safer if this is the best that we have to offer in user education. Some have gone as far as suggesting that ordinary citizens be required to get some sort of license before they are allowed to connect to the Internet. Yea, right. Like we're doing such an excellent job educating folks now. This is like politicians talking out of both sides of their mouth at once. We can't have it both ways, so let's get our own house in order first before we start pointing out how clueless everyone else is. Perhaps, just perhaps, its been because we've been sending them mixed messages.

Let me hear your rants and/or reactions on this topic and thanks for your time.
-kevin
_________________
1. Eye candy is way more important than security, because after all, who wouldn't leave their bank or broker if they didn't send out slick looking emails. Sigh...