Links inside of Emails - The good, the bad and the ugly...
So I was listening to the following podcast and it began discussing a question about links inside of emails. I have pasted from the transcribed notes the discussion below. Thanks Steve and Leo for the great podcast.
GIBSON RESEARCH CORPORATION http://www.GRC.com/ SERIES: Security Now! EPISODE: #494 DATE: February 10, 2015 TITLE: Listener Feedback #206 SPEAKERS: Steve Gibson & Leo Laporte SOURCE FILE: http://media.GRC.com/sn/SN-494.mp3 FILE ARCHIVE: http://www.GRC.com/securitynow.htm
"...LEO: Justin Aborn in Boston. He wants to know how to be sure about emailed links. He wants to know how whether to click on them: My bank just emailed me a clickable link. I'm 99.9% sure it's truly them, but I navigate to their site by hand, rather than click on the emailed link. To check the fit of my tinfoil hat, what do you recommend as the minimum procedure to confidently click an emailed URL? It would be a lot more convenient if we could just click on them.
Below is a quick proof-of-concept showing an HTML page that has a link with an onclick event that will manipulate the link as it is clicked. If it was in an html page by itself the link would be manipulated and take you to google.com verses grc.com. So for this example I emailed the page to myself.
I used php and an email relay to send the message with the link to my Outlook client. Then the email showed up and I was able to click the link, however, due to the way outlook renders the HTML email the script tag and the onclick element is not recognized.
As more research can be done certain HTML is blocked because of the way mail clients render the html. http://www.outlook-apps.com/html-ignored-by-outlook/
Another issue with webmail clients is the way they will redirect to links. This makes it more difficult to see where you are actually going. For example here is the screenshot of the above email opened in outlook web access. As you hover over the link it is somewhat masqueraded by the mail client itself.
While we are discussing issues. On mobile devices as you hover over links they do not give an indication of where they are going before you click on them. Again emphasizing your point of not clicking on links in emails.
As I have told people not to click on links in emails, the user then returns to his computer and looks at his emails and notices 80% or more have links inside of them, most of which they need to conduct business.
What is the best strategy to educate people to not click on links? Is that even a strategy?
I have found educating people about phishing emails is a layered approach containing but not limited to the following steps:
1. Consider who the email is from, is it someone you know.
2. What is the content of the email?
3. Are you expecting the email
4. Is the information in the email expected from the source you received it?
5. If the information is important can I call or text them as an out-of-band authentication of the email
6. Is the grammar in the email expected.
7. Showing them phishing emails and what to look for.
8. Test, Test, and Retest phishing employees to verify they understand the concepts you are teaching and enforcing.
A few thoughts that I had on the podcast as I listened to the last question and answer session.