Haven't they heard of phishing?

I received an Email from my health insurance provider. A few days before, I had used the "Contact Us" section of their website to send them a question about my account.

At a quick glance, the Email seems unremarkable. But instead of a response to my question, it contains instructions to decrypt my message, which involves opening the HTML attachment as a first step (red flag #1). Normally, I don't open any HTML attachment from unknown sources, to avoid validating my address to spammers, but this one should be fine, right? I look at the From: header, it looks legitimate, but of course it could have been forged (red flag #2). Then I expand to full header view, and the set of Received headers supports the From: identity. The earlier Received headers could have been doctored, but I trust the one added by Sun's MX gateway. After all, I've been anticipating an Email from them, so I decide it's ok to proceed.

When I click on the attachment, Mail.app prompts: Are you sure you want to open the application "securedoc.html"? Could this be a trojan horse disguised as an HTML file? I examine the source of the Email, and find that the MIME Content-Type field of the HTML attachment was mislabeled as "application/octet-stream" rather than "text/html" (red flag #3), so there's no foul play here. I drag the HTML icon over to Safari and it opens.

According to the instructions provided, once I open the HTML file I should get two choices. Either click on the "open" button and an applet will be downloaded and installed to my C: drive, or click on the "here" link and my browser will open the secure email without any applet downloading. Since I'm on a Mac, I don't have a C: drive, and I prefer (just in case this indeed is a trojan horse) not to install any applet, I look for the "here" link. But there is none (red flag #4). Left with no other choice, I click on the "open" button.

Fortunately, this correctly initiates the process of key retrieval from the insurance provider and message decryption. I'm glad it didn't ask for my membership number and password, which would've raised another red flag or two. Below the response, an underlined heading says "Original Message Excluded" (red flag #5). The footer/signature has only three words, "PostX Secured Email," which is the technology behind all this.

Although the response provides the information I asked for, so many red flags went up in my head that I can't help but wonder whether they had run this process by a messaging consultant. Regardless, here's some free advice:

  • Solution to #1: Don't ask or expect your recipients to open any attachment or URL until you have built confidence with them.
  • Solution to #2: Sign your messages with a certificate to prove your identity.
  • Solution to #3: Label your MIME fields correctly; it's unprofessional not to do so.
  • Solution to #4: Make sure the instructions you provide match the actual experience precisely.
  • Solution to #5: Include the original message (where applicable), ideally before you ask for user action.
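The first three red flags are mechanically checkable on the receiving side, which is how a mail gateway or a cautious user can apply the advice above before anyone clicks. The script below is an added example, not code from the original post or from the insurer's mail system: using only the Python standard library, it parses a constructed sample message (placeholder hosts and addresses, not the insurer's real ones) and reports red flag #1 (an attachment the reader is expected to open), #3 (the attachment's declared Content-Type disagreeing with its file extension, exactly the application/octet-stream versus text/html mismatch described), and #2 (no S/MIME or DKIM signature, and a From: domain that the newest Received header, the one written by the recipient's own gateway, does not back up). The gateway name is an assumption standing in for the MX the post trusts.

```python
import email
import mimetypes
import re
from email import policy

# Constructed sample in the shape of the message the post describes: an
# HTML attachment labelled application/octet-stream and no signature.
# Host names and addresses are placeholders (RFC 2606 / RFC 5737), not real.
SAMPLE_RAW = b"""\
Received: from mx.insurer.example (mx.insurer.example [192.0.2.10])
\tby mx-gateway.example.net with ESMTP id abc123
\tfor <member@example.net>; Tue, 1 Apr 2014 10:00:00 -0700
Received: from mailer.insurer.example (localhost [127.0.0.1])
\tby mx.insurer.example with ESMTP id def456; Tue, 1 Apr 2014 09:59:58 -0700
From: Member Services <noreply@insurer.example>
To: member@example.net
Subject: You have a secure message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Open the attached file to read your secure message.

--BOUNDARY
Content-Type: application/octet-stream; name="securedoc.html"
Content-Disposition: attachment; filename="securedoc.html"

<html><body>Click open to continue.</body></html>
--BOUNDARY--
"""

# Assumed name of the recipient's own inbound gateway; the post trusts the
# Received header written by Sun's MX, and this placeholder plays that role.
TRUSTED_GATEWAY = "mx-gateway.example.net"


def check_message(raw: bytes, trusted_gateway: str = TRUSTED_GATEWAY) -> list[tuple[str, str]]:
    """Return (red-flag number, detail) pairs found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags: list[tuple[str, str]] = []

    # Red flag #1: the mail relies on the reader opening an attachment.
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        declared = part.get_content_type()
        flags.append(("#1", f"attachment present: {name} as {declared}"))
        # Red flag #3: declared type disagrees with what the file name implies.
        guessed, _ = mimetypes.guess_type(name)
        if guessed and guessed != declared:
            flags.append(("#3", f"{name} labelled {declared}, extension says {guessed}"))

    # Red flag #2: nothing cryptographically ties the mail to the sender.
    # S/MIME signed mail is multipart/signed; DKIM shows up as a header.
    if msg.get_content_type() != "multipart/signed" and "DKIM-Signature" not in msg:
        flags.append(("#2", "no S/MIME or DKIM signature"))

    # Each hop prepends a Received header, so the first one is the hop we
    # control. Only that one is trusted; earlier ones may have been doctored.
    received = msg.get_all("Received") or []
    top = str(received[0]) if received else ""
    by = re.search(r"\bby\s+(\S+)", top)
    if not (by and by.group(1).lower() == trusted_gateway.lower()):
        flags.append(("#2", "newest Received header was not added by the trusted gateway"))
    sender_host = re.search(r"\bfrom\s+(\S+)", top)
    from_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    if not (sender_host and from_domain and sender_host.group(1).lower().endswith(from_domain)):
        flags.append(("#2", f"From: domain {from_domain!r} is not backed by the trusted Received hop"))
    return flags


if __name__ == "__main__":
    for number, detail in check_message(SAMPLE_RAW):
        print(f"red flag {number}: {detail}")
```

Run against the sample, it reports #1, #3 and the "unsigned" form of #2, while the Received check passes because the constructed gateway line names a host in the From: domain. Prepending a DKIM-Signature header (or wrapping the message as multipart/signed) clears the signature finding, which is the point of solution #2: once the sender signs, the recipient no longer has to reason about which Received lines could have been doctored.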

Come to think of it, these suggestions can help any Email marketer wanting to distinguish themselves from phishers/spammers.

About

I currently live in the San Francisco Bay Area. For the past seven years, I have been designing and building messaging solutions for Sun.
