On Sun, Feb 12, 2012 at 04:44:13AM -0500, Vinny Abello wrote:
All recent email clients I've come across give you anti-phishing warnings in one way or another if the URL does not match the actual link.
Which is great, but doesn't help you if the URL and the link are: http://firstnationalbank.example.com because a significant number of users will only see "firstnationalbank" and ".com". That's why I recommend that banks et.al. don't put *any* URLs in their messages. If they make this an explicit policy and pound it into the heads of their customers that ANY message containing a URL is not from them, and that they should always use their bookmarks to get to the bank's site, then they're training their customers to be phish-resistant. ---rsk