A practical example of why HTML e-mail is a bad idea

Viewing e-mail messages without rendering HTML formatted content can be a simple, easy, and effective security technique.

I received a phishing e-mail the other day, and it reminded me why I use mutt as my mail user agent.
The headers and text of the e-mail look like this:

    Delivered-To: unknown
    Envelope-to: me@example.com
    Delivery-date: Wed, 11 Feb 2009 09:45:07 -0700
    Reply-To:
    From: "service@paypal.com"
    Subject: Account Expired ! Please renew your account !
    Date: Wed, 11 Feb 2009 11:48:20 -0500
    X-Priority: 1
    X-MSMail-Priority: High
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Bcc:
    X-OriginalArrivalTime: 11 Feb 2009 16:45:05.0698 (UTC)
        FILETIME=[17964020:01C98C68]
    X-user: ::::0.0.0.0:host.example.net::::::

    Dear Member,

    Your PayPal account has expired.

    You must renew it immediately or your account will be closed.

    If you intend to use this service in the future, you must take action at once!

    To continue click here, login to your PayPal account and follow the steps.

    Thank you for using PayPal!

    The PayPal Team

    Please do not reply to this email. This mailbox is not monitored and you will not receive a respons.
    For assistence, log in to your PayPal account and click the Help link located in the top right corner of any PayPal page.

    PayPal Email ID PP3573
    
Obviously, I have changed all the domain names and IP addresses (other than PayPal's domain name) to protect my privacy and to protect any of you from accidentally visiting a phishing site. I don't want my readers getting infected because of my articles, after all.
The "click here" line is the interesting part: it carries a link, and if you look closely at the link's target you'll notice it is not a PayPal URL. That is something you wouldn't necessarily notice if you viewed the e-mail with HTML rendered, because the rendered message shows only the words "click here" and hides the address behind them. Rendered, it would just look like this:
[Image: the same phishing e-mail as rendered by an HTML-capable mail client]
This isn't exactly the cleverest phishing attempt in the world. It contains spelling errors, and it targets something that most security-aware people will immediately recognize as a common subject of phishing e-mail messages. A better thought-out attempt might fool someone who doesn't habitually look at the plain text of e-mail, however.
In general, legitimate e-mail messages with HTML formatting come with a plain text version as well these days, sent as a multipart/alternative message that carries a text/plain part alongside the text/html part, so a client that refuses to render HTML still has something readable to show. When signing up for mailing lists and other mass notifications, it is almost always possible to choose whether you get e-mail in plain text or HTML form. The exceptions are almost always phishing e-mail.
Some people may get more HTML formatted e-mail than others, of course, but for most of us there really isn't any need to render HTML for all e-mail messages. In my case, in fact, HTML formatting is a very accurate predictor that an e-mail I receive is unwanted, and I use HTML formatting as part of my spam filtering criteria.
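As an added example (not the author's code, and not part of the original article), the following Python script applies the two checks this post relies on to a raw message: it reports whether the mail is HTML-only (no text/plain alternative at all), and it pulls every link out of the HTML and flags targets that are not under the domain the From: header claims, as well as links whose visible text is a URL on a different host than the real href. It uses only the standard library. The two sample messages, the Message hostnames such as pp-login.phish.example.net, and the analyze/link_findings function names are all constructed for the example; nothing below is the actual phishing message.

```python
"""Flag HTML-only e-mail and links whose target is not where the text claims.

Added example, not the article author's code.  Standard library only.
All messages and hostnames below are constructed for this example.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML part."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.anchors.append((self._href, text))
            self._href = None


def html_only(msg):
    """True when the message has a text/html part but no text/plain part,
    i.e. a reader who refuses to render HTML has nothing else to look at."""
    types = {part.get_content_type() for part in msg.walk()}
    return "text/html" in types and "text/plain" not in types


def claimed_domain(msg):
    """Lower-cased domain of the first From: address (what the mail claims to be)."""
    addresses = msg["from"].addresses if msg["from"] else ()
    return addresses[0].domain.lower() if addresses else ""


def link_findings(msg, domain):
    """Flag anchors whose visible text is a URL on another host than the real
    href, and anchors whose href host is outside `domain`."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = AnchorCollector()
        collector.feed(part.get_content())
        for href, text in collector.anchors:
            href_host = (urlparse(href).hostname or "").lower()
            if text.lower().startswith(("http://", "https://")):
                text_host = (urlparse(text).hostname or "").lower()
                if text_host != href_host:
                    findings.append(("text-href mismatch", href, text))
                    continue
            if href_host != domain and not href_host.endswith("." + domain):
                findings.append(("off-domain link", href, text))
    return findings


def analyze(raw):
    """Parse raw RFC 822 bytes and return the signals for this message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = claimed_domain(msg)
    return {"claimed_domain": domain,
            "html_only": html_only(msg),
            "findings": link_findings(msg, domain)}


# Constructed HTML-only message in the style of the one quoted in the article.
PHISH = b"""\
From: "service@paypal.com" <service@paypal.com>
To: me@example.com
Subject: Account Expired ! Please renew your account !
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear Member,</p>
<p>To continue click <a href="http://pp-login.phish.example.net/cgi-bin/webscr.php">here</a>,
login to your PayPal account and follow the steps.</p>
<p>Or visit <a href="http://secure-update.phish.example.org/">https://www.paypal.com/</a></p>
</body></html>
"""

# Constructed legitimate-looking message: multipart/alternative with a text/plain part.
BENIGN = b"""\
From: PayPal <service@paypal.com>
To: me@example.com
Subject: Your monthly statement
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your statement is ready at https://www.paypal.com/statements

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Your statement is ready
<a href="https://www.paypal.com/statements">here</a>.</p></body></html>

--b1--
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, analyze(raw))
```

Run it on a saved message with `analyze(open("msg.eml", "rb").read())`. The "HTML-only" signal is exactly the filtering criterion described above, and the link checks make explicit what a plain-text view lets you see by eye: the text says PayPal, the href says somewhere else.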
In my list of basic e-mail security tips from almost a year ago, I mentioned that one should avoid letting HTML render in your e-mail client. Take this as an object lesson in the kind of threat HTML e-mail can present.
Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.