Are "disavow" links in email confirmation a good or bad pattern?
Looking for opinions, or even better, research, from the community.
In an email answer-back for account creation, you frequently have an opt-in link to confirm it was really the controller of the email address signing up for a service.
But in the case of a typo, or malicious sign-up, I've seen both "If you didn't create this account, just ignore this email" and I've seen "If you didn't create this account, click *this* link to let us know."
In the negative case, which is more common? I'm of the opinion that "click this link to deny" just trains users to click on links in emails they aren't expecting, which is good for phishers, but bad for us. I prefer the "just ignore this email" approach, as more secure.
But having a discussion with a coworker, they said that "click this link to disavow" is a common pattern.
This is the “Inevitability of ‘the Click’” ... nature of humans
The nitty-gritty is an enterprise must assume endpoints and servers are going to be compromised by this kind of traps. The enterprise should be surprised when endpoints and servers are not compromised. Organizations must layer its defenses so that the endpoints most likely to be compromised first are not the most critical ones.
You never know where a link will take you, regardless of what it's worded as. Most attacks on organizations' IT Infrastructures begin with end- users inadvertently introducing malware onto systems by clicking on links.
Let's assume you receive an email supposed to have come from the bank you have an account with, and stating: Your credit card XXXX-XXXX-XXXX-5420 was just used to make an online purchase of 2500 USD. (If you didn't make this purchase, click here to notify us)
In such a situation, you should react by immediately checking your account balance to see if there have been any deductions, calling the bank to ascertain the same, and taking further actions. You definitely should not click on the link...
From an IT Security perspective, you should inform end-users to avoid opening links, and also take measures to ensure that the impact of them doing so is limited, such as disabling links on an email gateway, securing all end-points with a protection system, etc. --- unless your organization is willing to rely solely on its employees' judgement in such matters...