Well something finally got my goat enough to cause me to sit down and write a blog post. Maybe it will become my muse and get me to writing again.
Today I received an email from one of the banks I have an account with. It was a marketing email wanting me to sign up for electronic billing from those companies that offered it.
It's not a bad idea, except that if I don't have the physical bill sitting on my desk I forget about it and end up being late with my payment. Still, electronic billing has its merits. It saves money, paper, trash, etc.
What got me though was the email was filled with links.
“Click here to sign up.”
“View our list of billers”
“Click here to …..”
Of course my first thought was that it was a phishing email, but it wasn't. I did my research and testing and it's all legitimate. This bothers me for a couple of reasons.
First, it's just plain bad practice for a financial institution to send out email with links that take you to a login page. It teaches users to "trust" that the message really came from the bank and that it's OK to click on the link and put in your credentials.
Secondly, when we are trying to teach users good internet and email habits, this goes against our teaching. It's hard enough to teach them, and harder still when they are getting mixed messages.
The third thing that bothered me was that when you viewed the URL, it was not apparent that the links went to the bank. They were redirected through a 3rd party marketing site. So now you have users receiving an email from their bank with links that go to a different site than the one the link shows.
Hmmmm, sounds an awful lot like what the phishers do, doesn't it?
Of course, since it worked the way it was supposed to this time, users are getting numb to the danger. So when they do get a phishing email, why wouldn't they trust it, since the bank is teaching them to trust emails that come from it?
I'm hoping that this was done without any IS oversight and/or approval. I know that marketing departments often have the freedom to do such things without running them by security, and I hope that is what happened.
If it was approved by security, I have a real problem, enough so that I may have to close my account. If they let things like this get by, who knows what else they are letting by that may really cause me problems.
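As an added example (not from the original post), here is a small Python audit of the pattern described above: it parses the anchors in an HTML email body and flags links whose href host is not under the sender's domain, or whose visible text names a different host than the one the link actually goes to. The sample body and all domains in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body; all domains are made up for illustration.
SAMPLE_HTML = """
<p>Sign up for electronic billing today.</p>
<a href="https://track.example-marketing.net/c?u=abc123">Click here to sign up at www.examplebank.com</a>
<a href="https://www.examplebank.com/billers">View our list of billers</a>
<a href="https://www.examplebank.com.evil-host.example/login">examplebank.com login</a>
"""
SENDER_DOMAIN = "examplebank.com"  # assumed domain of the message's From: address
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)  # hostname-looking tokens in link text

def _belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html, sender_domain):
    """Return (href, text, reasons) per link; an empty reasons list means the link looks clean."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if not _belongs_to(host, sender_domain):          # off-domain target (tracker/redirector)
            reasons.append("href host %r is not under %s" % (host, sender_domain))
        for shown in HOST_RE.findall(text):               # visible text names a different host
            if not (_belongs_to(host, shown) or _belongs_to(shown, host)):
                reasons.append("text shows %r but link goes to %r" % (shown, host))
        findings.append((href, text, reasons))
    return findings
```

Running `audit_links(SAMPLE_HTML, SENDER_DOMAIN)` flags the tracker link and the look-alike host, and passes only the link that really stays on the bank's domain.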
Cross-posted From AndyITGuy