…they’re already training up their user base for you.  Here’s how you’d want your email to look:


Yeah, it’s a legitimate email.  It appears that after a year of inactivity, the “My UPS” service will disable/deactivate/expire/do-something to your account.  Are they trying to save a row’s worth of space in their database?  I don’t know.

The problem is that every time you send a legitimate email to your users asking them to update or log into an account, you’re conditioning them, and not in a good way.  Users who may normally be suspicious (and rightfully so) of emails asking them to update their account will be less cautious if it is known to them that the service normally sends out that kind of mail.  Phishers can cash in on this familiarity by mimicking real “update your account” messages, instead of having to make official-looking ones up out of thin air.

This is why MySpace/Facebook phishers are so successful.  You already get tons of legitimate email from them.  It’s easy to craft an evil one that slips right in with the rest.

In this case, UPS has made a wise decision in not directly including a link in the “simply log in to My UPS…” text.  This may condition users into going to the UPS site on their own to log in, rather than trusting wherever a link would send them.  However, with all of the other links in the email, an additional link to log in added by a phisher would not look out of place.
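As an added example (not from the original post), here is a small check a mail team could run over outbound notification templates to enforce the two points above: no clickable “log in” call-to-action, and no link that points off the organisation’s own domain.  The domain list, the call-to-action phrases and the sample templates are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the domains a legitimate notification is allowed to link to.
ORG_DOMAINS = {"ups.com"}
# Phrases that mark an account-action call-to-action (assumed list).
CTA_WORDS = ("log in", "login", "sign in", "update your account", "verify")


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML template."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _same_org(host, org_domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in org_domains)


def lint_template(html, org_domains=ORG_DOMAINS):
    """Return findings for a template; an empty list means it passes."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if not _same_org(host, org_domains):
            findings.append(f"off-domain link: {href!r} ({text!r})")
        if any(w in text.lower() for w in CTA_WORDS):
            findings.append(f"clickable login call-to-action: {text!r} -> {href!r}")
    return findings


# Constructed sample templates (not real UPS mail).
SAMPLE_OK = ('<p>To keep your account, simply log in to My UPS.</p>'
             '<p><a href="https://www.ups.com/tracking">Track a package</a></p>')
SAMPLE_BAD = ('<p><a href="https://www.ups.com/tracking">Track a package</a> '
              '<a href="http://ups-login.example.net/">Log in to My UPS</a></p>')
```

Run `lint_template(SAMPLE_BAD)` to see both findings; the plain-text “simply log in” sentence in `SAMPLE_OK` produces none, which is the pattern the post recommends.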

In conclusion: don’t help the phishers out by negatively training users in this way, especially without good reason.  It would probably be better to either keep the accounts around indefinitely, or delete them quietly.  After all, I’m obviously not getting a lot of use out of this one.


© 2012 McGrew Security