I guess here Evernote figured any instructions they sent would have resulted in a link being sent anyway, so why not just send the link and ensure a higher shot of compliance.
They seemed to have forgotten about phishing.
Some sites have taken to including in such emails account information that presumably only the company would know (such as part of the account number) along with the name. I know of at least one bank that does this. The idea, of course, is that the user can then verify that it must be coming from the company.
This can be reassuring when the email is legit, but the problem is that it requires the user to remember for subsequent emails that such information should be present. So, if a phishing attack comes, will the user stop and think, "hey, where is the personal account info?" Some will, but many won't. I mean, if a user can't be trusted to follow a simple set of instructions (thus needing links), then how can he be expected to remember the security policies of every company for which he is a customer?
Not to mention that most email has roughly the same security level as a postcard. There are a lot of personal details that I wouldn't want written on a postcard.
Not to mention the fact that lots of 'personal information' is not in fact private, e.g. date of birth (one of my financial accounts uses date of birth), mother's maiden name, social security number, etc.
True that. I often think of how many services ask for the same info as "security questions". By definition, if there's a "standard" set of such questions, it's not secure.