Those "Helpful" Emails that Big Tech Firms Send

I’m keenly aware of email security when it comes to protecting myself and my company from incoming nasties. We run a couple tiers of anti-spamming and anti-virus screening on the incoming side, and then I make sure we all follow a policy of “if I don’t recognize it, delete it” without opening the (potentially) offending message. I’m really careful about screening incoming emails based on where they are from and why they were sent. My basic litmus test is whether I know the person and whether I expect to hear from the person and whether the subject line makes sense in the present context? If not, we delete, with prejudice.

So yes, I’m really careful about incoming messages—because I know what they can and often do contain.

But what were they thinking? Allow me to explain…

In the past month, I’ve received a couple emails that—to me—were just way over the top in terms of intent vs. result. The first was from a big software manufacture (I won’t pick on them by name) in Redmond. The subject of the message was “Security for Home Computer Users: How to recognize ‘spoofed’ Web sites,” and the message contained perfectly useful information on how to avoid falling into common phishing-type traps.

The second such message came from a big green credit card company that we all know. The message, with a subject line of “SecuritySnapshots: Reducing the Risk of Identity Theft” provided guidance from their security department on how to protect you (the customer) from identity theft.

Now, all of this was good sound advice from the two companies. And make no mistake about it, I get a lot of this sort of email—we all do—but these messages really jumped off the screen at me as being especially and profoundly ill-advised.

Why? Let me count the reasons… They were unsigned. They were HTML only. And to exacerbate matters, each of them contained links to their respective security pages and contact points.

I’m willing to believe—indeed hope—that the emails were otherwise legitimate. They probably were. Well, they looked legitimate. Hmm, come to think of it, perhaps they weren’t legitimate. I don’t know.

That’s the real problem. As a security professional of several (ahem) years, I have no way of knowing if the messages were legitimate or not. Lord only knows what their other customers thought about the emails. The very thing that the messages were trying to help protect against for their respective customers is completely destroyed simply because of the way they delivered the messages. (And that, Alannis, is ironic.)

What on earth were they thinking?

I spend a lot of time riding my mountain bike around the trails in my neighborhood. On an almost daily basis, I encounter deer, foxes, rabbits, and even the occasional snake, among other creatures. I wouldn’t dream of doing anything that would encourage them to think of me as anything but dangerous. Not because I am dangerous to them—I’m not—but because I would be crushed if they developed even an iota of trust in humanity that later lead to their demise at the hand (or trigger) of someone who is dangerous to them.

We’ve got to start treating emails in the same way that those deer ought to think of humans: pure evil, to protect yourself from at all costs. Perhaps that’s more than a little melodramatic, but you get the point I hope.

Until and unless we start treating all emails as potentially dangerous unless proven otherwise, we’ve got to think of them as toxic. Digital signatures can go a long way to help us establish that the message we’re looking at really came from where it purports to come from. They do nothing to help ensure the content itself will be correct, not dangerous, etc., but they’re a good starting point, and they completely eliminate the threat posed by spoofing emails that contain deliberately malicious links, attachments, etc.

Companies that use email to communicate with their customers have got to do better. I’d go so far as to say that not signing those emails is tantamount to negligence. Perhaps those of you with backgrounds in the law will object to my choice of words, but at the very least, unsigned customer communications are downright foolhardy. All they do is teach your customers to trust the untrustable.

I, for one, sure expect more from reputable companies.