Escaped Thoughts

This Is Why We Can't Have Nice Things

Security on the internet is hard. Really hard. Trying to help people understand how to make good security decisions, and avoid bad ones, is a whole field of ongoing research. There are lots of open questions, lots of things that reasonable people disagree on.

But there are also things that everyone agrees on. For example, that when people get emails that tell them to log in to some random web site they've never heard of and enter their username and password, they shouldn't do it, and anything that helps steer people away from doing that is a win for security.

Which is why the email I got today is, for lack of a better word, appalling:

Dear My Verizon User,

We have launched a completely new My Verizon website (http://www.myverizon.com), with improved security, easier access to all our services, and richer features.

[...]

To make this change happen, please sign in to My Verizon with your Verizon Email (verizon.net) user ID.

Seriously, Verizon? Why not just come out and say “Hey Verizon customer! You should go to a site you've never heard of, and give it your verizon.net password! You can trust it, because it has ‘verizon’ in the name, so clearly it's legit. I mean, it's not like hackers could easily get any number of domains (or subdomains) that have the word verizon in them. No way. Besides, this email says it's from Verizon, and everyone knows you can't lie in email!”

This email is so bad that I actually assumed that it couldn't possibly be legit, and was in fact a very polished phishing attempt. It was only when I actually looked up the domain owner, and then visited and saw that it redirects to verizon.com, that I could actually believe the horrible truth. (And consider for a moment: they are ultimately using verizon.com anyway, but still decided to tell people to go to another domain.)

On behalf of internet users everywhere, and especially those of us who have ever tried to help teach people what is and isn't safe online: Shame on you. Whoever is responsible for that email going out to your customers should—and I say this in absolute seriousness—be fired.
