[unisog] Email clients enabling Phishing links: the new enemy

marchany at vt.edu marchany at vt.edu
Mon Jul 7 22:45:00 GMT 2008

The classic conflict between security process vs. business process:

1. Security process - 
	a. no clickable links embedded in emails to prevent phish style attacks. 
	b. OR allow clickable links but include warning that clicking on the link
           from the email is a SERIOUS security risk

2. Business process - Our biggest complaint from the university community 
regarding our e-billing email notifications is the lack of a url indicating 
exactly where
they go to do what they need to do. We send the emails in plain text and 
instead of hyperlinks, we inserted urls that the recipient could cut and paste 
into their browsers as they choose. We did this to avoid phish attacks.

3. Email clients (mozilla, exchange, etc.)  will recognize the plaintext 
designation as urls and render them "click-able".

4. Solution?
	a. allow email clients to create clickable links and prevent us from
	   an effective phish attack solution: cut the link from the email &
	   paste it in the URL field of the browser.
	b. No clickable links from emails.
	c. provide instructions on how to disable email client programs from
	   "smart formatting" emails.

How are you guy dealing with this scenario?

	-Randy Marchany
	VA Tech IT Security Office

More information about the unisog mailing list