Phishing using plain-text emails

Phishing is typically done using HTML that lets someone hide a malicious link in an email disguised as a legitimate link.

To circumvent this, companies started sending plain text emails when talking about sensitive matters such as account security and personal information.

The (valid) reasoning behind this decision was that, since the mails were only made up of text, there wouldn’t be any links to click on. They could thus start educating their users to never click on links in emails when about to enter personal information. Instead, they would invite them to manually select the portion of text that corresponds to the URL they’re asked to follow, and paste it in their browser’s address bar.

Such instructions are easy to follow, and shouldn’t lead to any surprise – or so you’d think.

Very interesting article. The big surprise to me was when I actually dragged my cursor to hand-copy a URL, then pasted it into my browser and a completely different text string appeared. I get it, and I should know better, but I was still completely surprised by the result.

Worth a read.



  • marcintosh

    Fascinating, so simple and so effective. It seems like there’s a easy check to catch it, tho. If the display text is a URL and it doesn’t match the href URL, red flag it. Someone at Google could probably add that to Gmail on their lunch hour.

    • G

      On your Mac, highlight the link, right click and the dictionary will reveal the true url.

      • marcintosh

        I was suggesting a server-side solution so these types of e-mails would register as spam and never hit the inbox.

  • http://www.thegraphicmac.com/ JimD

    When you paste the URL in your browser URL box, you can plainly see that the pasted URL does not match the copied URL. You would have to be a complete internet n00b to not catch this.

    • marcintosh

      Complete internet n00b is the target audience for scams like these.