The Hypocrisy of Companies Who Tell Us “Never click on a link in your email” And Then Send Us Email Links

Writer #1, 2024-03-12 / 2024-03-21

The conflicting messages we get pertaining to online security are confusing to the casual user. First they say, "Never click on a link in your email!", and I agree with that recommendation. But then, every business sends out emails to their users with links to click on. If you don’t want us to click email links, then don’t use email links yourself. Whatever happened to "be the change you want to see in the world"?

While I understand the thought processes of the businesses wanting to provide the best convenience to their customers, they completely contradict the mantra of their own security teams and encourage their customers to violate best security practices. They are setting up the same scenario that hackers create in their phishing attempts, thereby encouraging their customers’ behavior to be that which their own security teams tell them to avoid. That would be like telling your kids "never take candy from strangers" and then sending them out to go trick-or-treating. Crazy, right?

There should be a complete reprogramming of the public’s mind where we are all shocked if we see a link in an email. Banks, especially, should NEVER include links to their sites. Email links should remind us of a black van that says "free candy" on the side. Shame on the banks and businesses for using links.

Password Managers To The Rescue

When you see a link in your email, what should you do? The best option for going to any site which you must log in to is to use a password manager and store the correct link in each entry. When you want to go to a website such as your bank’s site, you can just open the password manager, type in the bank’s name, and that entry is loaded. From there you can click on that link and you know it’s not a phishing link.
Additionally, when you land on the correct page, you will see the indicator showing a match to the URL on your current page.

If you go to a site that you think is, for example, your bank’s site, and your password manager isn’t showing a little number indicating the matching entry count, you know not to enter your password because you’re not in the right place. Additionally, if you use a password manager, you’ll never manually enter your password anyway, so it would be impossible for your password manager to enter the credentials into a site that doesn’t match the saved URL.

Final Thoughts

If you own a company, or if you’re the one deciding on email content to send to your customers, don’t be a hypocrite and don’t bait your customers into reinforcing bad behaviors.
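
The saved-URL match described in the password manager section, sketched as an added example (not part of the original post and not any real password manager's code). It assumes a simplified exact-host rule over HTTPS; the vault entries, hostnames and function names are constructed for illustration.

```javascript
// Added example: a simplified saved-URL check. Hostnames are constructed
// (.example and .test are reserved names); function names are hypothetical.

// Decide whether the current page may receive a saved entry's credentials.
function matchesSavedEntry(savedUrl, pageUrl) {
  let saved, page;
  try {
    saved = new URL(savedUrl);
    page = new URL(pageUrl);
  } catch {
    return false; // unparseable URL: never fill
  }
  // Credentials only go to HTTPS pages.
  if (saved.protocol !== "https:" || page.protocol !== "https:") return false;
  // Compare the parsed host, not the raw string. URL() lowercases the host,
  // converts non-ASCII labels to punycode, and separates out any userinfo,
  // so a familiar name placed elsewhere in the link does not count.
  return page.hostname === saved.hostname && page.port === saved.port;
}

// Entries offered on this page: the "little number" on the manager's icon.
function entriesForPage(vault, pageUrl) {
  return vault.filter((entry) => matchesSavedEntry(entry.url, pageUrl));
}

const vault = [
  { name: "My Bank", url: "https://login.bank.example/" },
  { name: "Webmail", url: "https://mail.example/" },
];

// Constructed pages a user might land on after clicking an email link.
const pages = [
  "https://login.bank.example/signin?next=%2Faccounts", // genuine site
  "https://login.bank.example.evil.test/signin",        // bank name as a subdomain
  "https://login.bank.example@evil.test/signin",        // bank name as userinfo
  "https://login.b\u0430nk.example/signin",             // Cyrillic "a" homoglyph
  "http://login.bank.example/signin",                   // plain HTTP
];

for (const page of pages) {
  console.log(entriesForPage(vault, page).length, page);
}
```

Only the first page yields a matching entry; on the other four the count is zero, which is the cue the post describes for not entering a password.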