[149703] in North American Network Operators' Group


Re: Dear RIPE: Please don't encourage phishing

daemon@ATHENA.MIT.EDU (Rich Kulawiec)
Sun Feb 12 13:20:15 2012

Date: Sun, 12 Feb 2012 13:19:10 -0500
From: Rich Kulawiec <rsk@gsp.org>
To: nanog@nanog.org
In-Reply-To: <4F3789ED.2030708@abellohome.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sun, Feb 12, 2012 at 04:44:13AM -0500, Vinny Abello wrote:
> All recent email clients I've come across give you anti-phishing
> warnings in one way or another if the URL does not match the actual link. 

Which is great, but doesn't help you if the URL and the link are:

	http://firstnationalbank.example.com

because a significant number of users will only see "firstnationalbank"
and ".com".

That's why I recommend that banks et al. don't put *any* URLs in their
messages.  If they make this an explicit policy and pound it into the
heads of their customers that ANY message containing a URL is not from
them, and that they should always use their bookmarks to get to the
bank's site, then they're training their customers to be phish-resistant.

---rsk
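
The gap between the two checks discussed in this message, as an added example that is not part of the original post: a simplified model of the text-versus-link mismatch warning stays silent on the lookalike URL, while a check against the bank's own domain flags it. The trusted domain `firstnationalbank.example`, the sample message body and all function names are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the bank's genuine domain (constructed; .example is a reserved TLD).
TRUSTED_DOMAIN = "firstnationalbank.example"

# Constructed message body: a lookalike link, a mismatched link, a genuine link.
SAMPLE_HTML = """
<p><a href="http://firstnationalbank.example.com">http://firstnationalbank.example.com</a></p>
<p><a href="http://login.example.net/">http://firstnationalbank.example/</a></p>
<p><a href="https://www.firstnationalbank.example/">Online banking</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> elements of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL, or '' when there is none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def mismatch_warning(href, text):
    """Simplified client-style check: fires only if the visible text is a URL on another host."""
    shown = host_of(text) if "://" in text else ""
    return bool(shown) and shown != host_of(href)

def outside_trusted_domain(href, trusted=TRUSTED_DOMAIN):
    """Allowlist check: true unless the host is the trusted domain or a subdomain of it."""
    host = host_of(href)
    return not (host == trusted or host.endswith("." + trusted))

def audit(html):
    parser = LinkCollector()
    parser.feed(html)
    # One row per link: (href, mismatch warning fired, host outside trusted domain)
    return [(h, mismatch_warning(h, t), outside_trusted_domain(h)) for h, t in parser.links]
```
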

