2016-08-03

The Wrong Way to Embed Links in Emails

It's no surprise that many users are generally confused about computer and Internet security. One of the reasons is that the companies they deal with don't care enough about security and therefore force users to do insecure things in order to use their services. A very good and very vexing example of this is links embedded in emails that businesses send to their customers.

Over the weekend I had to use BCAA's roadside assistance service. The next day I received the following email asking me to give them feedback on the service. The service was excellent and I'd like to tell them that, but take a careful look at the email:

From: BCAA Customer Experience Team [mailto:BCAAQualityAssurance@hermes.responsetek.com]
Sent: Tuesday, August 2, 2016 06:21
To: Garland Sharratt
Subject: BCAA Roadside Assistance Quality Assurance Survey

Dear GARLAND SHARRATT,

Your participation and feedback are critical to helping us understand your needs. Please take a moment to share your experience during the interaction you recently had with BCAA’s Roadside Assistance and suggest ways in which we can serve you better.

The web link below will connect you to a short survey that will take less than five minutes to complete.

Click here to begin the survey.

On behalf of the BCAA Customer Experience team, thank you for taking the time to share your insight with us and helping us improve.


If you do not wish to participate in future email surveys from us, please
click here to unsubscribe.

Note: If you have difficulty with the survey link above, please copy the URL shown below and paste it into your browser:
https://ecol-na3.responsetek.com/collection/Greeting.aspx?iguid=DETAILSMASKED&LangID=1&rt=1

Notice anything fishy? All the links in the email -- one for the survey and another to unsubscribe -- (and even the sending email address) have a domain name of responsetek.com, not bcaa.com as I would expect for an email coming from BCAA. How do I know that this isn't a phishing email trying to get me to install malware hosted at responsetek.com? I have to do some research before I can be somewhat sure that the links are safe.

I'm just using BCAA as an example; these days most of the business emails I get have third-party domain links -- especially for the link I most want to click, the unsubscribe link. No wonder users click links they shouldn't and get malware delivered to them.

What's the solution? There's nothing wrong with businesses using third-party services, but they should do the tiny amount of work required to hide this from users. BCAA should have created one or two URLs on the bcaa.com website that redirect to the responsetek.com website, and embedded those bcaa.com URLs in the email.

So a link embedded in the email looking something like
https://bcaa.com/redirect?dest=responsetek.com&iguid=DETAILSMASKED&LangID=1&rt=1
would send my browser to
https://ecol-na3.responsetek.com/collection/Greeting.aspx?iguid=DETAILSMASKED&LangID=1&rt=1
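As an added example (not code from the post or from BCAA), here is how such a first-party redirect could be built and served in Python: one function produces the bcaa.com link to embed in the email, another resolves it on the bcaa.com server and forwards only to destination hosts on an allowlist, so the endpoint cannot be pointed anywhere else. The /redirect endpoint, the allowlist contents and the sample URLs are assumptions drawn from the post's illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Third-party hosts the bcaa.com redirect may forward to, each with the one
# path the email links use. Any other destination is refused, so the endpoint
# cannot be abused as an open redirect. Entries constructed for this example.
ALLOWED_DESTINATIONS = {
    "ecol-na3.responsetek.com": "/collection/Greeting.aspx",
}
FIRST_PARTY = "bcaa.com"  # the domain the recipient recognises and trusts


class RedirectRefused(ValueError):
    """Raised when a link points outside the allowlist."""


def build_email_link(third_party_url: str) -> str:
    """Turn the vendor's survey URL into the bcaa.com link that goes in the email."""
    p = urlsplit(third_party_url)
    if p.scheme != "https" or ALLOWED_DESTINATIONS.get(p.hostname) != p.path:
        raise RedirectRefused(f"refusing to link to {third_party_url}")
    # Carry the vendor's own parameters (survey id, language, ...) unchanged.
    query = urlencode([("dest", p.hostname)] + parse_qsl(p.query, keep_blank_values=True))
    return urlunsplit(("https", FIRST_PARTY, "/redirect", query, ""))


def resolve_redirect(first_party_url: str) -> str:
    """Server side: map a bcaa.com/redirect request to the vendor URL, or refuse it."""
    p = urlsplit(first_party_url)
    params = parse_qsl(p.query, keep_blank_values=True)
    dest = next((v for k, v in params if k == "dest"), None)
    path = ALLOWED_DESTINATIONS.get((dest or "").lower())
    if path is None:  # missing, unknown, or a host that is not on the allowlist
        raise RedirectRefused(f"destination {dest!r} is not on the allowlist")
    forwarded = urlencode([(k, v) for k, v in params if k != "dest"])
    return urlunsplit(("https", dest.lower(), path, forwarded, ""))


def handle_redirect(first_party_url: str) -> tuple[int, dict]:
    """HTTP response the bcaa.com server gives: 302 to the vendor, or 400 with no Location."""
    try:
        return 302, {"Location": resolve_redirect(first_party_url)}
    except RedirectRefused:
        return 400, {}


if __name__ == "__main__":
    vendor = "https://ecol-na3.responsetek.com/collection/Greeting.aspx?iguid=DETAILSMASKED&LangID=1&rt=1"
    link = build_email_link(vendor)  # what goes in the email
    print(link)
    print(handle_redirect(link))  # 302 back to the vendor URL
    print(handle_redirect("https://bcaa.com/redirect?dest=other.example&iguid=DETAILSMASKED"))  # 400
```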

With all links in the email going to bcaa.com, a domain I trust, I wouldn't have to worry (nearly as much) that it's a phishing email. If all businesses did this with their emails it would be a big step toward reducing user confusion around security and, eventually, reducing incidents of malware attacks.

. o O o .