
Official email should never include links (unless it's signed, but what is?); the potential for trouble is just too great. I had this exact same problem back in 2003 from a financial company. I wrote them a serious email telling them just how dangerous it is to teach your users that it's OK to click on links that don't even go to your domain in random emails. I even showed them how easily I could create a phishing site.

The person who organised the email drop clearly got some hassle over it and sent me a response personally, but clearly still did not understand the problem.
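The check the commenter describes, that links in a message should point at the sender's own domain, is simple to automate on the receiving side. The script below is an added example written for this page, not code from the commenter or from any mail provider; it parses a constructed sample message, extracts the URLs from its body and sorts them by whether their host is the sender's domain or a subdomain of it. The sender address, link targets and header values are all made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not taken from the thread): the From domain is
# example.com, but one of the two links points at an unrelated host.
SAMPLE_EMAIL = """From: Example Support <notice@example.com>
To: user@example.net
Subject: Action required on your account
Content-Type: text/plain; charset=utf-8

Please review the notice at https://account.example.com/reset?token=abc
or read the FAQ at http://example-help.net/faq for details.
"""

# Matches http/https URLs up to the next whitespace or common delimiter.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def same_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (label-aligned match).

    Comparing whole labels matters: "example.com.evil.net" must not match
    "example.com", which a plain substring test would accept.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def body_text(msg) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    if msg.is_multipart():
        parts = []
        for part in msg.walk():
            if part.get_content_type() in ("text/plain", "text/html"):
                payload = part.get_payload(decode=True) or b""
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
        return "\n".join(parts)
    payload = msg.get_payload(decode=True) or b""
    return payload.decode(msg.get_content_charset() or "utf-8", "replace")


def extract_links(body: str) -> list:
    """Return every http(s) URL found in the body, in order of appearance."""
    return URL_RE.findall(body)


def flag_offdomain_links(raw_email: str) -> dict:
    """Split the message's links into on-domain and off-domain lists.

    The sender domain is taken from the From header. That header is only
    trustworthy if the message was authenticated (the "unless it's signed"
    caveat above); this function does not verify signatures itself.
    """
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    result = {"sender_domain": sender_domain, "on_domain": [], "off_domain": []}
    for url in extract_links(body_text(msg)):
        host = urlparse(url).hostname or ""
        bucket = "on_domain" if same_domain(host, sender_domain) else "off_domain"
        result[bucket].append(url)
    return result


if __name__ == "__main__":
    report = flag_offdomain_links(SAMPLE_EMAIL)
    print("sender domain:", report["sender_domain"])
    print("on-domain links:", report["on_domain"])
    print("off-domain links:", report["off_domain"])
```

On the sample message the reset link is classed as on-domain and the FAQ link as off-domain. Any off-domain link in a message that claims to come from a company is the pattern the commenter warns about training users to accept; in a real mail pipeline the same classification would run only after SPF/DKIM checks, since a forged From header makes the "sender domain" meaningless.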



I guess here Evernote figured any instructions they sent would have resulted in a link being sent anyway, so why not just send the link and ensure a higher shot at compliance.

They seem to have forgotten about phishing.

Some sites have taken to including in such emails account information that presumably only the company would know (such as part of the account number) along with the name. I know of at least one bank that does this. The idea, of course, is that the user can then verify that it must be coming from the company.

This can be reassuring when the email is legit, but the problem is that it requires the user to remember for subsequent emails that such information should be present. So, if a phishing attack comes, will the user stop and think, "hey, where is the personal account info?" Some will, but many won't. I mean, if a user can't be trusted to follow a simple set of instructions (thus needing links), then how can he be expected to remember the security policies of every company for which he is a customer?


Not to mention that most email has roughly the same security level as a postcard. There are a lot of personal details that I wouldn't want written on a postcard.

Not to mention the fact that lots of 'personal information' is not in fact private, e.g. date of birth (one of my financial accounts uses date of birth), mother's maiden name, social security number, etc.


True that. I often think of how many services ask for the same info as "security questions". By definition, if there's a "standard" set of such questions, it's not secure.



