Free Enterprise Security Advice Could Save Thousands in Customer Care Costs

When your company has to notify its customers about a change to online security procedures and decides to use email as part of that notification, make sure that the email message does NOT contain any deceptive URLs. Otherwise the email may confuse a lot of customers who end up contacting your company, putting a dent in the customer service budget and thus the bottom line.

Before you say something like "My company would never use a deceptive URL" be sure you know what deceptive URLs are and how they arise, because they can seem innocent enough. Indeed, I have seen them slip under the quality control radar at big companies like Bank of America and Countrywide that do at least have quality control. Typically a deceptive URL is created by or within html email. Here is an example:

Note that I edited the screen shot above to obscure the name of the company that sent this particular message (about new security measures) and my own email address is also edited to something bogus.

Basically this part of the email is inviting recipients to log in to the company web site. The URL of the site is spelled out rather than just being a "click here" type link. People often spell out links in order to make it clear to the user where the link leads. In text-only email a URL has to be spelled out in order to work (in most email clients). But the above message is html, so the visible link text actually sits inside an anchor tag whose href attribute holds the real destination, i.e. <a href="actual URL">visible text</a>. This means that the apparent URL can be different from the actual URL in the link, a fact that phishing scams have been exploiting for years. For example, you might see a link to www.paypal.com in a message that appears to be from PayPal, but in fact the link leads to:
http://202.78.2.22/.paypal/secure/login/webcsr/cmd=_login-submit/index.htm
or
http://0x44.0xec.0xb3.0xd0/www.paypal.com/index.htm
both of which are bogus web sites that are in no way connected with the real PayPal.

How do you know where a link goes before you click it? One way is to view the source code of the message, something that is easy enough to do in most email clients (in Eudora, for example, you just right click anywhere within the message and select "View Source"). However, viewing email source, while not difficult, is tedious, and so a good email client will reveal the URL of a link when you put your mouse pointer over it, then warn you if the link you are about to click is deceptive (i.e. does not match the text of the link). Eudora has this capability and provides further detail like this:

And here you see the problem this poses for an otherwise legitimate company. Good old Countrytom wants you to go to a special page at countrytom.com, but presumably did not want to put that great big [but genuine] URL in the text of the email. So they obscured it, but in so doing set off the deceptive URL alarm. As email clients and web browsers get more aggressive in the fight against phishing, this sort of thing is likely going to show up more often, thereby confusing more customers. And everyone in enterprise-land knows that more confused customers = increased customer service burden.

So what is the solution? Here is the real money tip in this free security advice: use a simple URL. Could it be that simple? Yes. There is no reason, other than a lack of imagination, for Countrytom to use that great big long URL for a response to email. Sure, marketing would like to track where responses are coming from, and IT might balk at some extra work with redirects and site structure, but a simple phrase and a few lines of code could fix that, as in any of these URLs, which could easily appear in both the text of the email AND the href so as not to be branded as "deceptive" by the email client:
www.countrytom.com/confirm
www.countrytom.com/login112306
www.countrytom.com/112306
www.countrytom.com/no34

None of these strikes me as a turn-off for recipients and I bet they generate less customer confusion than the pesky but otherwise very helpful deceptive URL flag.
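To make the two halves of this post concrete, here is an added example (my own code, not the author's, and not how Eudora or any particular email client implements its check) of the deceptive-link test described above, run over constructed HTML messages: a PayPal-style phish using the hex-IP URL quoted earlier, a Countrytom-style message that hides a long tracking URL behind the bare host name, and the fix the post recommends, where the same short URL appears in both the link text and the href. The long Countrytom tracking URL, the /confirm redirect table and the message bodies are all assumptions constructed for the example.

```python
"""Flag anchors whose visible text looks like a URL but whose href goes elsewhere.

Added example, not code from the original post. Sample messages, the
countrytom.com tracking URL and the redirect table are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that a reader would take to be a destination: "www.example.com",
# "example.com/login", "http://example.com/..." and so on.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


def normalize(url_text):
    """Reduce link text or an href to (host, path) for comparison.

    The scheme and a leading "www." are ignored so that the text
    "www.countrytom.com/confirm" matches href "http://www.countrytom.com/confirm".
    The query string is deliberately ignored: the page's point is that the
    visible host and path must be the real ones.
    """
    t = url_text.strip()
    if "://" not in t:
        t = "http://" + t
    parts = urlsplit(t)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    path = parts.path.rstrip("/") or "/"
    return host, path


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return (visible text, href) for every anchor whose text claims a URL
    that does not match the href's host and path. "Click here" style text
    claims no destination and is never flagged."""
    parser = AnchorCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if URL_LIKE.match(text) and normalize(text) != normalize(href)]


# The mitigation from the post: the email carries the short URL in both the
# text and the href, and the web server redirects it to the long tracked one.
# Constructed redirect table; a real site would do this in its web server config.
REDIRECTS = {"/confirm": "/email/respond?campaign=112306"}


def resolve_redirect(path):
    """Look up where the server would send a short URL (None if unknown)."""
    return REDIRECTS.get(path.rstrip("/") or "/")


# Constructed sample messages.
PHISH = ('<p>Please log in at <a href="http://0x44.0xec.0xb3.0xd0/www.paypal.com/index.htm">'
         'www.paypal.com</a> to verify your account.</p>')
COUNTRYTOM_OBSCURED = ('<p>Confirm your new security settings at '
                       '<a href="http://www.countrytom.com/email/respond?campaign=112306">'
                       'www.countrytom.com</a></p>')
COUNTRYTOM_SIMPLE = ('<p>Confirm your new security settings at '
                     '<a href="http://www.countrytom.com/confirm">www.countrytom.com/confirm</a>'
                     ' or <a href="http://www.countrytom.com/confirm">click here</a>.</p>')


def demo():
    """Run the check over the three constructed messages."""
    return {
        "phish": find_deceptive_links(PHISH),
        "obscured": find_deceptive_links(COUNTRYTOM_OBSCURED),
        "simple": find_deceptive_links(COUNTRYTOM_SIMPLE),
    }


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {'DECEPTIVE ' + str(flagged) if flagged else 'ok'}")
```

The phishing message and the obscured Countrytom message both trip the flag for the same reason (the text names one host and path, the href another), which is exactly why a legitimate sender gets lumped in with the scammers; the simple-URL version passes, and the tracking that marketing wants moves into the server-side redirect.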
