Why Phishing Will Remain Lucrative For The Foreseeable Future

Today I received a message that purports to be from Discover regarding a 5% cashback program on gas purchases on that card. (For the non-American readers, Discover is a credit card widely used in the U.S.) The e-mail had a couple of links to click, both of which were disabled by Outlook since the e-mail was classified as junk mail.

The e-mail contains no information to verify that it is indeed from Discover. The links are disabled for security reasons by Internet Explorer and Microsoft Outlook. In fact, there is not even a plain-text link in the e-mail that you can copy and paste. You would have to know to view the source code for the e-mail to see the URL. If you go to the site that is linked to in the e-mail you find that it does not use HTTPS, but plain HTTP. That site eventually forwards you to the "Account Center" which presents a logon page that is plain HTTP, although the form gets submitted to an HTTPS site. In other words, you cannot verify the identity of the site you are submitting your logon password to, even though it will actually go encrypted across the wire. Once you log on, assuming you trust the site enough to do that, there is no mention of this offer. In short, there is no way I could find to verify the authenticity of this e-mail.
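The "HTTP page, HTTPS form" situation above is easy to check mechanically. The following is an added example (not code from this post or from Discover) that parses a logon page and reports whether the page's own transport lets you verify who served the form; the sample page and the hostname `accountcenter.example` are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _FormCollector(HTMLParser):
    """Record each <form> action and whether the form contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current and (a.get("type") or "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_forms(page_url, html):
    """Return (action, verdict) per password form. 'cleartext-submit': credentials would
    be posted over plain HTTP. 'unverifiable-origin': the form posts to HTTPS, but the page
    carrying it came over HTTP, so nothing vouches for who wrote the form. 'ok': both HTTPS."""
    parser = _FormCollector()
    parser.feed(html)
    page_https = urlparse(page_url).scheme == "https"
    verdicts = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"])  # empty action posts back to the page
        if urlparse(action).scheme != "https":
            verdict = "cleartext-submit"
        elif not page_https:
            verdict = "unverifiable-origin"
        else:
            verdict = "ok"
        verdicts.append((action, verdict))
    return verdicts

# Constructed sample reproducing the situation in the post: a logon page delivered
# over plain HTTP whose form submits to HTTPS (hostname is a placeholder).
SAMPLE_PAGE_URL = "http://accountcenter.example/logon"
SAMPLE_HTML = """<form method="post" action="https://accountcenter.example/login">
<input type="text" name="user"><input type="password" name="pass"></form>"""
```

Running `audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML)` on the sample yields `unverifiable-origin`: the password travels encrypted, but an attacker who can tamper with the HTTP page could just as easily have pointed the form elsewhere.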

In this day and age of credit card spoofing, how is a customer supposed to verify that the mail received is actually from Discover when there is no information on how to do so, and the security verifiers are hidden? This is sad, given how many fake messages of this nature most of us get every day. One would hope that credit card companies would start making it easier and more obvious to verify that what they are sending is indeed legitimate.