For years, we’ve been giving people advice to avoid clicking on links in phishing emails. At one time, that was possible because the bad guys were inept. They had spelling errors, weird URLs, stupid-looking logos, ham-handed come-ons, and worse. If you took a moment to inspect the emails, you could tell they were fake. Those days are gone. Nowadays, the bad guys hire the best copywriters and designers, register look-alike domains, and copy the real email templates, so that even professionals would be hard-pressed to tell the fake from the real.
So, why do we persist in telling people to avoid clicking on phishing emails? How exactly do they do that?
The answer to this problem is exceedingly simple. Stop sending links in your emails that ask people to log in. It’s fine to send out marketing emails with URLs, as long as the page they land on doesn’t demand an ID and password. People can get to your website by typing your URL directly or by Googling it, and you can provide an area on your home page that lets them log in and carry out whatever action is required, safely.
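The practical way to enforce that rule on the sending side is a pre-send check on your email templates. The following is an added example, not code from the original post: a small Python lint that pulls every link out of an outgoing HTML email and flags links that land the reader on a credential-gated page, links that leave the company’s own domain (including look-alike hosts and userinfo tricks), non-HTTPS links, and relative links that can’t be verified. The company hosts, the path segments treated as credential-gated, and the sample template are assumed for illustration.

```python
"""Pre-send lint for outgoing email templates (added example).

Flags any link in an HTML email that would ask the recipient to log in,
or that points somewhere other than the company's own site. The company
hosts, the gated path segments and the sample template below are assumed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the hosts that customer-facing email links are allowed to use.
COMPANY_HOSTS = {"example.com", "www.example.com"}

# Assumed: first path segments that sit behind a login or ask for credentials.
CREDENTIAL_SEGMENTS = {
    "login", "signin", "sign-in", "auth", "account", "my-account",
    "reset-password", "password-reset", "verify",
}

REASON_RELATIVE = "relative link; destination cannot be verified"
REASON_NOT_HTTPS = "not an https link"
REASON_OFF_DOMAIN = "link leaves the company domain"


class _LinkExtractor(HTMLParser):
    """Collects href attributes from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def classify_link(href, company_hosts=COMPANY_HOSTS):
    """Return None if the link is acceptable, otherwise a short reason."""
    parsed = urlparse(href.strip())
    scheme = parsed.scheme.lower()

    # A relative href has no host to check (and is broken in email anyway).
    if not scheme and not parsed.netloc:
        return REASON_RELATIVE
    if scheme in ("mailto", "tel"):
        return None
    if scheme != "https":
        return REASON_NOT_HTTPS

    # Exact host match, not a suffix match: "www.example.com.evil.net" and
    # "https://www.example.com@evil.net/" both resolve to a foreign host.
    host = (parsed.hostname or "").lower()
    if host not in company_hosts:
        return REASON_OFF_DOMAIN

    first_segment = parsed.path.strip("/").split("/")[0].lower()
    if first_segment in CREDENTIAL_SEGMENTS:
        return f"links to a credential-gated page (/{first_segment})"
    return None


def lint_template(html, company_hosts=COMPANY_HOSTS):
    """Return a list of (href, reason) for every link that violates the rule."""
    findings = []
    for href in extract_links(html):
        reason = classify_link(href, company_hosts)
        if reason:
            findings.append((href, reason))
    return findings


# Constructed sample: one good marketing link, one login link, one
# look-alike domain, one plain-http link and one mailto link.
SAMPLE_TEMPLATE = """
<html><body>
<p>Read our <a href="https://www.example.com/blog/spring-update">spring update</a>.</p>
<p><a href="https://www.example.com/login?next=/billing">Log in to view your invoice</a></p>
<p><a href="https://www.example.com.billing-notice.net/account">Update payment details</a></p>
<p><a href="http://www.example.com/promo">This week's promo</a></p>
<p>Questions? <a href="mailto:support@example.com">Contact us</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for href, reason in lint_template(SAMPLE_TEMPLATE):
        print(f"REJECT {href}: {reason}")
```

Run against the sample template, the lint rejects the login link, the look-alike host, and the plain-http link, and passes the blog link and the mailto. Wire it into whatever pipeline renders your templates so a campaign with a rejected link never reaches the send queue, and keep the segment list in step with whatever your site actually gates behind a login.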
Then our advice to people gets much simpler. Never log into a website you reached by clicking a link in an email. Ever.
I know that many companies have already taken this step, but I have seen several emails that make this mistake recently, and we just need to treat our customers better than that. Are you still putting account links in your emails? Why?