I’ve dealt with a couple of companies that try to plug the general lack of security in email by using a “secure email” service. The way this works is:
- The company sends you an email with a link to a third-party or co-branded website, asking you to click on it in order to read important information about your financial/insurance/whatever account. (Or better yet, the third party site sends you the mail on the company’s behalf.)
- You click on the link and open the site in your web browser.
- You register for the site (which usually involves entering your name, choosing a password, and possibly entering other personal detail like a reminder question.)
- You log into the site and actually read the message.
Can you see what the problem is?
That’s right: Steps 1-3 are exactly what you see in a phishing attack. Only in a phishing attack, the third-party site is a fake that’s trying to collect account information (like your login and password) or personal information (like your SSN).
So while they may be solving the immediate problem of “someone might intercept this message,” they’re perpetuating a broader problem by training people to fall for phishing attacks.
Sadly, this is not new.