Home / Blogs

Phish-Proofing URLs in Email?

For those who’ve been living in an e-mail free cave for the past year, phishing has become a huge problem for banks. Every day I get dozens of urgent messages from a wide variety of banks telling me that I’d better confirm my account info pronto. Early bank phishes were pretty clumsy, but the crooks have gotten better at it and current phishes can look very authentic. See this archive of recent phishes at antiphishing.org for some examples.

A very common trick is the fake link, in which the link you think you’re clicking on isn’t the one you’re really clicking on, like this:


The link looks like it’s to bigbank.com, but really it’s to a fake web site at badguy.com.

Several people have been floating proposals to extend authentication schemes to the URLs in a mail message. A sender might declare that all of links in it are to its own domain, e.g., if the sender is bigbank.com, all of the links have to be to bigbank.com or maybe www.bigbank.com. Current path authentication schemes don’t handle this, but it wouldn’t be too hard to retrofit into SPF. Signature schemes wouldn’t need any changes other than for the software that signs the mail to check the mail first and not sign it if it contains nasty stuff.

The hardest part of implementing this is for the banks to adjust the way that they send their mail. I get a fair amount of bank mail, notices that a credit card bill is available, confirming that I’ve made a change to an account, or that a deposit account has gone above or below a specified amount. Remarkably few of those messages come from anywhere you might recognize. More often than not they come from a service bureau that handles the function for the bank, not from the bank itself. (I passed some of these messages around to experience spam-fighting friends, most of whom couldn’t tell whether they were real.)

So the question is, is it worth the effort to make all of the senders and URLs match up? At this point, my feeling is probably not. If we’re going to use message signatures, it doesn’t matter what’s in the message so long as you trust the signer.

By John Levine, Author, Consultant & Speaker

Filed Under


Suresh Ramasubramanian  –  Apr 19, 2005 1:32 AM

Given all the phishing fears around, a lot of people are not very inclined to trust any email at all that says its from a bank.

Some banks deal with it in different ways ..

1. My wife has a citibank account, and her statement (the only email they’re supposed to send her) is in a pdf that has a unique password that’s assigned to her.  Phishers would have to already have phish data about a card before generating that password so it is not likely they’d go to the time and expense of phishing there

2. My bank (hsbc) just doesnt send email - they have a closed webmail interface on their ebanking site, where just two entities can send email that each other can see - hsbc support staff through their ticketing system, and me. Works just fine for me, I’d say.

The Famous Brett Watson  –  Apr 19, 2005 2:16 AM

On the matter of HSBC, that would explain the tactic used in the latest HSBC-phish I received.

“You did not read our internal security message that have been dispatched last week. You have received an important internal message from our bank concerning your account status. You got this email due to the fact that all other ways of contacting you were either not specified or did not reach you. We strongly advise you to review the message as soon as possible. [...bogus link…]”

Suresh Ramasubramanian  –  Apr 19, 2005 2:47 AM

oh - hsbc also has this prominent banner on their homepage that warns you not to click on URLs you get in email ..

hmm.. this time they have a link to a short tutorial on basic internet security linked from there.

take a look at https://www.ebank.hsbc.com.hk to see what i mean.  its a javascript link so i cant post the url here :(

Daniel R. Tobias  –  Apr 19, 2005 3:21 PM

Some banks (Citibank is a good example) don’t help the situation, since they insist on using a whole profusion of silly-marketing-gimmick domain names instead of logical subdomains of their main domain; this means that customers can never be entirely sure which links are legitimate.  If they were all in citibank.com, you’d know they’re real, but instead you have to know that they also use citi.com, citicards.com, a bunch of other citi[something] domains, and also some less-obvious ones like (I think) accountonline.com.

Larry Seltzer  –  Apr 22, 2005 4:10 PM

First, for the best banking phish you’ve ever seen read this page: http://www.antiphishing.org/phishing_archive/04-19-05_BOA/04-19-05_BOA.html

It seems to me that MUAs and e-mail-aware security programs like A/V should be in the business of looking for HTML links where the body of the link is an HTML link that doesn’t agree with the actual target. Not hard at all to write. I ought to nag Microsoft to put it in to Outlook Express pronto.

Daniel Golding  –  Apr 23, 2005 3:17 AM

Banks should simply not include links in their communications. If a bank or other institution must communicate via unencrypted email, they should simply say “visit our secure website for a message”, with no link at all. If we have online banking we already know how to find the bank’s website, don’t we?

Also, isn’t it high time that all online banking users received SecurID’s when they open their accounts? The price per unit is extremely low now, and it seems like a reasonable precaution.

Justin Bajko  –  Apr 26, 2005 7:58 PM

Agreed regarding the comment about bank customers receiving SecurID tokens. Identity management is a subject that is most often sorely overlooked in the financial sector when it comes to it’s customers. Almost every person I know that works for a bank in a technical capacity carries a SecurID token, so the infrastructre is obviously in place. Why not extend it to the customers?

Also, banks require that users have browsers capable of encryption, so, why not require that they have e-mail clients that are equally capable? Signed and encrypted e-mail would go a long way to thwart this stuff, if you ask me, and the process to install a personal certificate is really not that complicated.

Alec Berry  –  Apr 27, 2005 3:59 PM

Is this necessary? I have installed ClamAV and Spamassassin on our mail server, the few phishing attempts that make it through Clam get stopped by the URL lookups in Spamassassin.

I do like the idea of SecureIDs, however. How about using the fancy microchip that’s embedded in my bank card?

Suresh Ramasubramanian  –  Apr 27, 2005 4:01 PM

So you think email is the only channel phishes are sent over? :)

Alec Berry  –  Apr 27, 2005 4:06 PM

No, but that is what the article is about. I’m not sure what other types of phishing channels you are referring to… hacking the bank’s home page is a different technical issue (has that been done yet?).

Doug Otis  –  May 1, 2005 11:31 PM

I agree that simply trusting the signature would be a way banks could prevent phishing.  Currently S/MIME is readily available, but a major OS manufacturer’s prevalent use of ?pretty? names rather than showing the mailbox address (which indicates the key selected) greatly weakens this solution.  DomainKeys also looks interesting in respect to offering real sender protections.  At least with a signature scheme, if there is a breach in security, there are fewer places that problems could occur.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byDNIB.com

Brand Protection

Sponsored byCSC


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API