Phishing using plain-text emails

Phishing emails typically use HTML, which lets an attacker hide a malicious link behind text that looks like a legitimate one.

To counter this, companies started sending plain-text emails for sensitive matters such as account security and personal information.

The (valid) reasoning behind this decision was that, since the emails were made up only of text, there wouldn't be any links to click on. They could thus start educating their users never to click on links in emails when about to enter personal information. Instead, they would invite them to manually select the portion of text that corresponds to the URL they're asked to follow, and paste it into their browser's address bar.

Such instructions are easy to follow, and shouldn’t lead to any surprise – or so you’d think.
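The excerpt above does not say how a selected URL can differ from the string that lands in the address bar. As an added example (not code from the article or from this post), the following Python assumes the usual cause of such a mismatch, characters that are invisible when rendered or that look like ASCII letters but are not, and shows how a mail client or gateway could flag a plain-text URL before a user copies it. The sample strings and the function names are constructed for this illustration.

```python
import unicodedata

# Unicode general categories for characters that render as nothing (zero-width
# spaces, joiners, bidirectional overrides) or are control codes, yet survive a
# copy/paste into the address bar.
INVISIBLE_CATEGORIES = {"Cf", "Cc"}


def inspect_url_text(text):
    """Return a list of (index, codepoint, name, reason) for every character in
    `text` that a reader either cannot see or could mistake for an ASCII letter.

    An empty list means the text contains only visible ASCII characters, so what
    the user sees is exactly what they will paste.
    """
    findings = []
    for i, ch in enumerate(text):
        cat = unicodedata.category(ch)
        name = unicodedata.name(ch, "<unnamed>")
        if cat in INVISIBLE_CATEGORIES:
            findings.append((i, f"U+{ord(ch):04X}", name, "invisible/format"))
        elif ord(ch) > 0x7F:
            # NFKC folding maps compatibility forms (e.g. fullwidth letters) to
            # their ASCII equivalents; if it does, the glyph is a direct
            # look-alike of an ASCII letter. Other non-ASCII letters (Cyrillic,
            # Greek, ...) are reported as plain non-ASCII for a human to review.
            folded = unicodedata.normalize("NFKC", ch)
            if folded != ch and folded.isascii():
                reason = "confusable (folds to %r)" % folded
            else:
                reason = "non-ASCII"
            findings.append((i, f"U+{ord(ch):04X}", name, reason))
    return findings


def visible_text(text):
    """The string as a reader perceives it: invisible characters dropped.

    Comparing this with the raw string shows why a hand-copied URL can differ
    from the one the user believes they selected.
    """
    return "".join(
        ch for ch in text if unicodedata.category(ch) not in INVISIBLE_CATEGORIES
    )


def looks_trustworthy(text):
    """True only when the URL text is entirely visible ASCII."""
    return not inspect_url_text(text)


# Constructed samples (not taken from any real phishing mail).
SAMPLES = {
    "clean": "https://example.com/login",
    "zero_width_space": "https://exam\u200bple.com/login",
    "fullwidth_e": "https://\uff45xample.com/login",
    "cyrillic_ie": "https://\u0435xample.com/login",
    "bidi_override": "https://example.com/\u202etxt.exe",
}


def report(samples=SAMPLES):
    """Map each sample name to its list of findings, for a quick overview."""
    return {name: inspect_url_text(url) for name, url in samples.items()}


if __name__ == "__main__":
    for name, findings in report().items():
        verdict = "ok" if not findings else "FLAG"
        print(f"{verdict:4} {name}: {SAMPLES[name]!r}")
        for index, cp, uname, reason in findings:
            print(f"       pos {index}: {cp} {uname} ({reason})")
```

Running the block prints one line per sample and, for the flagged ones, which position holds the offending character and why; `visible_text()` shows that the zero-width sample renders identically to the clean one even though the two strings are not equal.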

Very interesting article. The big surprise to me was when I actually dragged my cursor to hand-copy a URL, then pasted it into my browser and a completely different text string appeared. I get it, and I should know better, but I was still completely surprised by the result.

Worth a read.