Dec 19

Why do we even try?

In 2005, Adam Shostack wrote Don't Use Email Like a Stupid Person:

Dealing with the phishing problem is so simple that I can't see how to found a company to do it. Here it is, in 4 steps:

  1. No HTML email. HTML email opens all sorts of possibilities for hiding things. Train your users to expect short and simple messages.
  2. No links in email. Always refer to the bookmark you encourage users to create from their paper statements.
  3. All your websites must belong to you, and show up under your domain. Do not train users to treat other URLs as yours. If you train users that you send them to sites with names like "cb.pharmphr33.supersecure.com," then you shouldn't be surprised that they don't get worried when they are phished there.
  4. Fire people who violate these rules. Give a substantial finder's fee to the first person who reports the violation. Give the money to both employees/whistleblowers and customers.

(I'd add "Drop $100 and get an S/MIME certificate so you can tell people not to trust unsigned email")

At the tail end of 2007, every financial institution I do business with routinely and grossly violates these rules with the exception of the Caltech credit union. Is anyone surprised at the rise in phishing when a major insurance company trains its customers to think links like http://ztfsb.net/zt40/c5.php?UNIV/462726/277515/H/N/V/https://customer.security–naïve.example.com/login/login.aspx are safe to click on?
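As an added example (not from the original post, nor Shostack's): a defensive check that enforces rule 3 on outgoing mail, rejecting any link that is not a plain link under the institution's own domains or that forwards through a tracker/redirector, the pattern of the insurer's link quoted above. The domain names and sample links are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# Hypothetical: the domains the institution actually owns (rule 3 above).
OWN_DOMAINS = ("insurer.example.com",)

# Any http(s) URL hiding inside another URL's path or query string.
_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_own_host(host, own_domains=OWN_DOMAINS):
    """True if host is one of our domains or a subdomain of one (not a look-alike)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in own_domains)


def embedded_urls(url):
    """URLs buried in the path or query, i.e. the tracker/redirector pattern."""
    parts = urlsplit(url)
    return _URL_RE.findall(unquote(parts.path + "?" + parts.query))


def check_link(url, own_domains=OWN_DOMAINS):
    """Return (verdict, reason). 'ok' only for a plain link under our own domain."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "reject", "scheme %r is not http(s)" % parts.scheme
    inner = embedded_urls(url)
    if inner:
        # Even a redirector on our own domain trains users to trust forwarded links.
        return "reject", "link forwards through a redirector to %s" % inner[0]
    host = parts.hostname or ""
    if not is_own_host(host, own_domains):
        return "reject", "host %s is not under our domain" % host
    return "ok", "plain link under %s" % host


# Constructed sample links, in the style of the tracking link quoted above.
SAMPLE_LINKS = [
    "http://tracker.example.net/c5.php?UNIV/1/2/H/N/V/https://customer.insurer.example.com/login",
    "https://customer.insurer.example.com/login",
    "https://insurer.example.com/go?to=https%3A%2F%2Fcustomer.insurer.example.com%2Flogin",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(check_link(link), "<-", link)
```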