“Get Adobe Acrobat” links are NOT ok in statement emails


August 29th, 2007 by Andrew Taylor

A little while ago I received my normal monthly email statement alert from my local credit union. This statement had two well-meaning links included in the text. Ugh.

This credit union had recently changed their statement alerts to NOT include a link directly to a page where you could log in and see your statement. Great, they must know about phishing and are changing things up!

Ah, but then just a few lines down, they include a link to a Statement FAQ page. So I clicked on that, and sure enough, I am taken to a statement FAQ page, and right there on the left is a place to sign in to online banking! Whoa, this looks exactly like what a sophisticated phisher would do.

And then, further down, is another link, this time to get Adobe Acrobat Reader. Who knows where this link may take me? A fake Adobe site, where I can download a fake Acrobat chock full of viruses and trojans and keyboard loggers and VNC servers and other nasties?

That’s right folks, it’s not even safe to include a link to Adobe for little old Acrobat Reader.

The bottom line, Mr. Financial Institution: do not, ever, even if you think it’s ok, even if it’s really important, even if there is no harm, include a link in an email you send out. There is always a way for a phisher to do that same thing and cause all sorts of grief. In fact, if you do it once, the phisher will do it over and over.
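One way to enforce that rule before an alert goes out, as an added example that is not part of the original post: a pre-send check that parses the outgoing message and reports every clickable target in its text and HTML parts, including "harmless" FAQ and reader-download links. The function name `find_links`, the sample message and all hostnames in it are constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Bare URLs and www-style hostnames: mail clients turn these into clickable links.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

class LinkCollector(HTMLParser):
    """Records clickable targets (href, form action) and bare URLs in visible text."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        self.found += [(n, v) for n, v in attrs if n in ("href", "action") and v]
    def handle_data(self, data):
        self.found += [("bare-url", u) for u in URL_RE.findall(data)]

def find_links(raw_message):
    """Return (content type, kind, value) for every link in the message's text parts."""
    findings = []
    for part in message_from_string(raw_message, policy=policy.default).walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        ctype, body = part.get_content_type(), part.get_content()
        if ctype == "text/html":
            collector = LinkCollector()
            collector.feed(body)
            collector.close()  # flush any text still buffered by the parser
            hits = collector.found
        else:
            hits = [("bare-url", u) for u in URL_RE.findall(body)]
        findings += [(ctype, kind, value) for kind, value in hits]
    return findings

# Constructed sample alert (hypothetical sender and hostnames).
SAMPLE = """\
From: alerts@creditunion.example
Subject: Your statement is ready
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your statement is ready. Statement FAQ: www.creditunion.example/faq
--b1
Content-Type: text/html; charset="utf-8"

<p><a href="https://creditunion.example/faq">Statement FAQ</a></p>
<p><a href="https://reader.example/download">Get Adobe Acrobat</a></p>
--b1--
"""
```

A send pipeline would refuse any alert for which `find_links` returns a non-empty list, so the template can only tell members to type the address themselves or use their own bookmark.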
