Tuesday, 12 February 2013

Email rewards links and phishing

The practice of sending emails with rewards program offers waiting to be "activated" by clicking a link in email is setting a bad precedent. If we are expecting lots of these things (I typically receive three or four per week from Woolworths) then people will get into the habit of blindly scrolling down and clicking the link, because it's the fastest, easiest, least-intrusive way of getting all you can from a rewards program. Why would you *not* activate an offer like that? Even if you think you won't use it, since it costs nothing but offers something in return, it's infinite value for money. You might as well just click them all automatically.

That's where phishing can start. A scammer constructs an email exactly like the rewards ones, but directs the link to a malware site that does a drive-by download of whatever they like. Woolworths is making that easier, and I think that's a bad idea.

Mokalus of Borg

PS - Most security checklists start at number 1 with "Never click a link in email. Ever."
PPS - And number 2 is "No, seriously. Never."

No comments: