Links in emails should be treated with suspicion - so webpages should be findable from My GiffGaff

snozboz

I received an email about this issue:

https://community.giffgaff.com/t5/Announcements/We-ve-recently-identified-a-billing-issue-here-s-how-we-re/td-p/22060487

which asked me to click on a link in the email. This link took me to a webpage that asked me for personal information. There was no way of finding that webpage from "My GiffGaff" or the GiffGaff homepage, so I was forced to click on that link in the email.

In this case, it turned out to be legitimate - I contacted an agent to check, and they said the email was legitimate, though I still had to click on the link in the email because, as the agent said:

"we'll be able to identify you as one of the members that were affected by this issue"

Surely, if I'd logged in with my GiffGaff credentials, this would have proved this? Though maybe the email in this case went to people, not only who weren't using GiffGaff anymore (like me), but had actually deleted their online GiffGaff account. Anyway...

Emails are extremely easy to fake. Webpages are extremely easy to fake (and make look like legitimate ones). Links in emails are extremely easy to fake and change so they point to fake webpages. Once you're on a webpage that "looks" legitimate and has the padlock icon in the address bar etc, it's very easy to give your personal information to scammers and fraudsters etc. We as end-users are often told to be vigilant for spam and scams and fraudulent emails etc - yet if companies like GiffGaff send us emails that function in the same way as scams, how are we to know the difference? We become trained by GiffGaff and others to do what the scammers want - trust on appearance, click on links in emails, enter our personal information etc. Having to get in touch with an agent (which is what I did to check) isn't quick or convenient, and the need to do so could be avoided.

For instance, in this case, the email from GiffGaff could have asked me to login to "My GiffGaff" and follow the link there - instead of giving me a link to click in the email itself.

It's not just GiffGaff who do this, but as it was GiffGaff this time I thought I'd say something because they might actually listen (unlike my bank!).

So my "idea" is - that all webpages mentioned in emails should be findable from the GiffGaff homepage or "My GiffGaff" and shouldn't depend on customers clicking on links in emails.

As I rarely visit this forum, please would someone else follow this up and post it as an "idea" once it has been debated and refined here.

k89bpa

You can easily check whether an email is genuine or not by looking at the sender information.

Most clients and almost all email services will have a visual indication that the email comes from the reported sender, and is legitimate.

If you wish to make extra sure, view the headers of the email and look for the SPF and DKIM headers, if both say pass the from header is a domain you recognize, you're good to go.

But yeah, things, not just this, should be made a lot easier to find.

richardski

Unfortunately e-mail is a text medium that evolved with no security at all. The from field is meaningless as any spoof from e-mail identification can use inserted into it. Only checking the actual headers will give an indication from where the e-mail MAY have come.

Do not open up emails as HTML. This requires the web browser to execute code to generate text and pictures. If this HTML code is malicious it will be executed compromising your system.

Always open all e-mails as text which will expose any hidden URL links in the body of the e-mail. Carefully analyse these links before you agree to convert it to HTML and display any pictures which could also carry malicious code.

Just because an e-mail comes from your friends or a reputable business does not mean it is safe as they could have been previously compromised.

Always use plain text e-mails as it is a lot safer.

Richard

freedmaniac

@snozboz

I think that you make a valid point here.

Why not post in in the Ideas Lab yourself?

revjonty

snozboz wrote:

<snip>

So my "idea" is - that all webpages mentioned in emails should be findable from the GiffGaff homepage or "My GiffGaff" and shouldn't depend on customers clicking on links in emails.

As I rarely visit this forum, please would someone else follow this up and post it as an "idea" once it has been debated and refined here.

I see no real need to debate this, it should be a no brainer. As to whether or not customers should check, it shouldn't be necessary for the customer to have the knowledge to check, the company should be using best practices such as this in the first place.

I will happily submit this idea into labs @snozboz the text I've highlighted in bold sums it up nicely.

revjonty

Submitted.

I will link it here if and when it gets approved to be voted on.