[unisog] Email clients enabling Phishing links: the new enemy

Chris Edwards chris at eng.gla.ac.uk
Tue Jul 8 15:48:24 GMT 2008

Randy Marchany wrote:

| How are you guys dealing with this scenario?

(1) Attempting to educate users not to click links in unexpected emails

(2) Not including links in our own emails, at least where sensitive info 
(i.e. password) will be asked for.  Instead, we give written instructions 
like "go to the campus homepage, then click IT Services, then...etc".

Clearly, (2) does not in itself make anyone any safer.  But it avoids 
undoing the good work achieved by (1).

Not ideal.  I fully agree this is a problem area!

And Paul FM wrote:

| Unfortunately, the more you protect users - the less
| prepared they will be when that protection fails.

So true.  Best to strike a balance.

| If you want to avoid sending links - why not a message system where it
| simply sends them an e-mail that they have something new on the messaging
| system and they have ONE url (which they have bookmarked and is not 

The bookmarks idea is interesting.  For ages, our general anti-phishing 
advice has said:

 "Don't click on links in emails, and instead carefully type the URL of 
  your bank etc, by hand.  Or better still, use your bookmarks facility".

But some people have suggested javascript can probably modify bookmarks, 
so you could be in deep trouble after browsing a compromised website etc.

I'd be interested in any thoughts on how much of a risk this really is.

Chris Edwards
IT Security, Computing Service
University of Glasgow, charity number SC004401
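An added example, not code from this thread or from the University of Glasgow: the trick that makes e-mail clients "enable" phishing links is an anchor whose visible text shows one address while its href points somewhere else. The script below parses an HTML e-mail body and flags such anchors, and it also counts anchors outright, which is enough to check mechanically that a notification sent under a "no links where a password will be asked for" rule like (2) above really contains none. The hostnames and message bodies are constructed sample data.

```python
"""Flag deceptive links in an HTML e-mail body.

Two checks, both of which a mail gateway or an outbound-notice linter
could run:
  find_deceptive_links(html) -> anchors whose visible text names a host
      other than the host the href actually points at
  count_links(html)          -> number of anchors, for notices that are
      meant to carry no links at all
Only anchors whose visible text *looks like* a URL are judged by the
first check; "click here" style text is not, since nothing about it
can be compared with the href.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that looks like a URL or bare hostname; group 1 is the host.
URL_LIKE = re.compile(
    r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]|$)", re.I
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; a scheme is assumed if none is given."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def find_deceptive_links(html):
    """Return (href, text) pairs where the displayed host != the href host."""
    collector = _AnchorCollector()
    collector.feed(html)
    deceptive = []
    for href, text in collector.anchors:
        match = URL_LIKE.match(text)
        if match is None:
            continue  # not URL-like text; nothing to compare against
        if _host(href) != match.group(1).lower():
            deceptive.append((href, text))
    return deceptive


def count_links(html):
    """Number of anchors in the body, regardless of their text."""
    collector = _AnchorCollector()
    collector.feed(html)
    return len(collector.anchors)


# Constructed sample messages (hostnames are illustrative, not real sites).
SAMPLE_PHISH = (
    '<p>Your mailbox is over quota. Log in at '
    '<a href="http://login.example.net/reset">https://webmail.example.ac.uk/</a>'
    ' within 24 hours.</p>'
)
SAMPLE_HONEST = '<p>See <a href="https://www.example.ac.uk/">www.example.ac.uk</a>.</p>'
SAMPLE_NOTICE = (
    "<p>You have a new message. Go to the campus homepage, then click "
    "IT Services, then Messaging.</p>"
)

if __name__ == "__main__":
    for name, body in [("phish", SAMPLE_PHISH), ("honest", SAMPLE_HONEST)]:
        print(name, find_deceptive_links(body))
    print("links in notice:", count_links(SAMPLE_NOTICE))
```

The comparison is deliberately strict (exact host equality), so a legitimate message that displays one host and links to a redirector on another will be flagged too; that is the behaviour you want for an outbound-notice check, since it is exactly the pattern users are being taught to distrust.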
